ASP.NET Core Identity User Locked out



This content originally appeared on DEV Community and was authored by Nirmal Krishna

The user lockout feature is a way to improve application security by locking out a user who enters a password incorrectly several times. This technique helps protect against brute force attacks, where an attacker repeatedly tries to guess a password. ⛳

Quite a basic feature for an authentication service, but adding it to my Web API app was quite a head scratcher.

1. Adding to configuration service

In your Startup.cs (or wherever the DI container is configured), the lockout options can be set.

services.AddIdentity<User, IdentityRole>(opt =>
{
    // previous code removed for clarity reasons
    opt.Lockout.AllowedForNewUsers = true;                   // newly created users get LockoutEnabled = true
    opt.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(2); // how long LockoutEnd is pushed into the future
    opt.Lockout.MaxFailedAccessAttempts = 3;                 // failures allowed before the lockout is applied
});

The property names are self explanatory here.

The above code enables the lockout feature by default (AllowedForNewUsers applies to users created from now on). If someone keeps trying to log in with the wrong password for a given username, the account is locked out for DefaultLockoutTimeSpan (the author describes 5 minutes; the snippet above sets 2) and the LockoutEnd column is updated accordingly.

2. How to check if this user is Locked Out?

//  AuthService.cs
// ...
    // lockoutOnFailure: true is what increments AccessFailedCount on a wrong
    // password and sets LockoutEnd once MaxFailedAccessAttempts is reached.
    var result = await signInManager.CheckPasswordSignInAsync(user, model.Password, lockoutOnFailure: true);
// ...

The properties of result (a SignInResult) we are concerned with here are Succeeded and IsLockedOut:

- Succeeded == true if the username and password match
- Succeeded == false if the username and password do not match
- IsLockedOut == true if this user has been locked out after MaxFailedAccessAttempts failed attempts

3. What is there to scratch your head about?

I was expecting LockoutEnabled to become true (1) in the identity user table. It took me a few hours to get to the documentation, but it was stated clearly in the library class.

// Microsoft.AspNetCore.Identity.IdentityUser

// Gets or sets a flag indicating if the user could be locked out.
public virtual bool LockoutEnabled { get; set; }

I missed the "could be", and it cost me some hours.

Setting this column to true for the relevant users enables lockout for them; after the configured number of failed attempts the account is then locked out for the time span set in the config.

Proper logging, and an error response to the caller, can then be driven from the result.IsLockedOut flag in the service layer.
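Putting the three steps together, here is an added example of what the login path in AuthService.cs could look like. It is not the author's code: the post only shows the CheckPasswordSignInAsync line, so the class shape, the LoginOutcome enum and the use of the stock IdentityUser type (the author's app uses a custom User class) are assumptions. It makes the LockoutEnabled point from step 3 explicit by checking the flag before the sign-in check, and it logs the lockout state from the result.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Logging;

// Hypothetical outcome type returned to the controller; not part of Identity.
public enum LoginOutcome { Success, InvalidCredentials, LockedOut }

public sealed class AuthService
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly SignInManager<IdentityUser> _signInManager;
    private readonly ILogger<AuthService> _logger;

    public AuthService(UserManager<IdentityUser> userManager,
                       SignInManager<IdentityUser> signInManager,
                       ILogger<AuthService> logger)
    {
        _userManager = userManager;
        _signInManager = signInManager;
        _logger = logger;
    }

    public async Task<LoginOutcome> LoginAsync(string userName, string password)
    {
        var user = await _userManager.FindByNameAsync(userName);
        if (user is null)
        {
            // Same outcome as a wrong password, so the response does not
            // reveal whether the username exists.
            _logger.LogWarning("Login failed: unknown user {UserName}", userName);
            return LoginOutcome.InvalidCredentials;
        }

        // Step 3 of the post: lockout is only applied when LockoutEnabled is
        // true on the user row. Users created before AllowedForNewUsers was
        // configured (or created outside UserManager) may still have it false.
        if (!await _userManager.GetLockoutEnabledAsync(user))
        {
            await _userManager.SetLockoutEnabledAsync(user, true);
        }

        // lockoutOnFailure: true increments AccessFailedCount on a wrong
        // password and sets LockoutEnd once MaxFailedAccessAttempts is hit.
        var result = await _signInManager.CheckPasswordSignInAsync(
            user, password, lockoutOnFailure: true);

        if (result.IsLockedOut)
        {
            var until = await _userManager.GetLockoutEndDateAsync(user);
            _logger.LogWarning("Login blocked: user {UserId} is locked out until {LockoutEnd}",
                               user.Id, until);
            return LoginOutcome.LockedOut;
        }

        if (!result.Succeeded)
        {
            var failed = await _userManager.GetAccessFailedCountAsync(user);
            _logger.LogWarning("Login failed: wrong password for user {UserId} (failed attempts: {Count})",
                               user.Id, failed);
            return LoginOutcome.InvalidCredentials;
        }

        return LoginOutcome.Success;
    }
}
```

The controller decides what to send back for LoginOutcome.LockedOut; a distinct status is convenient for the client, but it also confirms that the account exists, so many APIs return the same generic "invalid credentials" message for both failure outcomes and keep the distinction in the logs only. Note also that CheckPasswordSignInAsync reports IsLockedOut before it even checks the password, so a correct password during the lockout window still fails.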





Nirmal Krishna | Sciencx (2021-06-24T15:20:39+00:00) ASP.NET Core Identity User Locked out. Retrieved from https://www.scien.cx/2021/06/24/asp-net-core-identity-user-locked-out/