Microsoft Identity is not blocking users not yet confirmed

[adrielairaldo]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

I am using RequireConfirmedAccount and RequireConfirmedEmail for my IdentityUser and I am also using Lockout.AllowedForNewUsers in my IdentityOptions.

In my Login.cshtml.cs I have enabled lockoutOnFailure: true, and everything works fine for confirmed users (those who have received the confirmation email and finished the process).

I discovered that an unconfirmed user is not affected by the lockout, that is, he can make infinite attempts without consequences.

In the default workflow you will always receive an "Invalid login attempt".

My concern is what happens when we consider the particular case of the user who wants to login but has not yet confirmed his email. Generally we show the user relevant information such as “Account not yet confirmed, do you want to send the confirmation email again?”. In this case using brute force we could try to find a user's password. For example, I am introducing an enhancement to the use case as follows:

                var user = await userManager.FindByEmailAsync(Input.Email);
                bool validPassword = (user != null) ? await userManager.CheckPasswordAsync(user, Input.Password) : false;
                bool isEmailConfirmed = await userManager.IsEmailConfirmedAsync(user);

                if (user != null && validPassword && !isEmailConfirmed)
                {
                    ModelState.AddModelError("EmailNotConfirmed", "You must confirm your email before logging in. Please check your inbox for the confirmation link.");
                    return Page();
                }

I have even tried to detect an incorrect login for a user not yet confirmed and increase the failed count with userManager.AccessFailedAsync(user), but still the user is not locked.

Expected Behavior

When options.SignIn.RequireConfirmedAccount = true; options.SignIn.RequireConfirmedEmail = true; in IdentityUser and options.Lockout.AllowedForNewUsers = true; in IdentityOptions, lock out the user even if it is not yet confirmed.

Steps To Reproduce

No response

Exceptions (if any)

No response

.NET Version

8

Anything else?

No response

[JJong-nl]

First: Your thought about a not confirmed account you can brute force the password is false.
Yes you can infinite check an unconfirmed account without locking it out. But with a wrong or correct password the password is never checked because the PreSignInCheck is returning a SignInResult.NotAllowed.
https://github.com/dotnet/aspnetcore/blob/main/src/Identity/Core/src/SignInManager.cs#L917

Here a solution when you want to use the lockout with a not yet confirmed account.
The signinmanager has a PreSignInCheck.
https://github.com/dotnet/aspnetcore/blob/main/src/Identity/Core/src/SignInManager.cs#L378

In this method the CanSignInAsync is checking for a confirmed account.
When this is not the case singing in is not allowed, so the lockout failed count is not increased.

All the methods in the SignInManager are virtual.
So you can create your own SignInManager and overriding these methods.

for example

    public class MySignInManager<TUser> : SignInManager<TUser>
        where TUser : class
    {
        public MySignInManager(UserManager<TUser> userManager,
            IHttpContextAccessor contextAccessor,
            IUserClaimsPrincipalFactory<TUser> claimsFactory,
            IOptions<IdentityOptions> optionsAccessor,
            ILogger<SignInManager<TUser>> logger,
            IAuthenticationSchemeProvider schemes,
            IUserConfirmation<TUser> confirmation)
            : base(userManager, contextAccessor, claimsFactory, optionsAccessor, logger, schemes, confirmation)
        {
        }

        protected override async Task<SignInResult?> PreSignInCheck(TUser user)
        {
            // we do not want to block a signin attempt when email/phone/account is not yet confirmed.
            // so we dont want to check the CanSignInAsync. Now a not yet confirmed account 'can' locked out with a wrong password.
            if (await IsLockedOut(user))
            {
                return await LockedOut(user);
            }
            return null;
        }

        public override async Task<SignInResult> CheckPasswordSignInAsync(TUser user, string password, bool lockoutOnFailure)
        {
            // The PreSignInCheck is overwritten so after a success login we still need to check is the email/phone/account is confirmed
            var result = await base.CheckPasswordSignInAsync(user, password, lockoutOnFailure);
            if (result.Succeeded)
            {
                var error = await PostSignInCheck(user);
                if (error != null)
                {
                    return error;
                }
            }
            return result;
        }

        protected virtual async Task<SignInResult?> PostSignInCheck(TUser user)
        {
            if (!await CanSignInAsync(user))
            {
                return SignInResult.NotAllowed;
            }
            return null;
        }
    }

dont forget to register your signinmanager to the service collection.

builder.Services.AddScoped<SignInManager<MyApplicationUser>, MySignInManager<MyApplicationUser>>();

please be aware when using TwoFactor or ExternalLogin you should rewrite these implementation as well because the change we made in PreSignInCheck.