 

How to override ASP.NET Core Identity's password policy

By default, ASP.NET Core Identity's password policy requires at least one special character, one uppercase letter, one number, ...

How can I change these restrictions?

There is nothing about that in the documentation (https://docs.asp.net/en/latest/security/authentication/identity.html)

I tried to override the Identity's User Manager, but I don't see which method manages the password policy.

    public class ApplicationUserManager : UserManager<ApplicationUser>
    {
        public ApplicationUserManager(
            DbContextOptions<SecurityDbContext> options,
            IServiceProvider services,
            IHttpContextAccessor contextAccessor,
            ILogger<UserManager<ApplicationUser>> logger)
            : base(
                  new UserStore<ApplicationUser>(new SecurityDbContext(contextAccessor)),
                  new CustomOptions(),
                  new PasswordHasher<ApplicationUser>(),
                  new UserValidator<ApplicationUser>[] { new UserValidator<ApplicationUser>() },
                  new PasswordValidator[] { new PasswordValidator() },
                  new UpperInvariantLookupNormalizer(),
                  new IdentityErrorDescriber(),
                  services,
                  logger
                  // , contextAccessor
                  )
        {
        }

        public class PasswordValidator : IPasswordValidator<ApplicationUser>
        {
            public Task<IdentityResult> ValidateAsync(UserManager<ApplicationUser> manager, ApplicationUser user, string password)
            {
                return Task.Run(() =>
                {
                    if (password.Length >= 4) return IdentityResult.Success;
                    else { return IdentityResult.Failed(new IdentityError { Code = "SHORTPASSWORD", Description = "Password too short" }); }
                });
            }
        }

        public class CustomOptions : IOptions<IdentityOptions>
        {
            public IdentityOptions Value { get; private set; }
            public CustomOptions()
            {
                Value = new IdentityOptions
                {
                    ClaimsIdentity = new ClaimsIdentityOptions(),
                    Cookies = new IdentityCookieOptions(),
                    Lockout = new LockoutOptions(),
                    Password = null,
                    User = new UserOptions(),
                    SignIn = new SignInOptions(),
                    Tokens = new TokenOptions()
                };
            }
        }
    }

I add this user manager dependency in the startup class:

    services.AddScoped<ApplicationUserManager>();

But when I use ApplicationUserManager in controllers, I get the error: An unhandled exception occurred while processing the request.

InvalidOperationException: Unable to resolve service for type 'Microsoft.EntityFrameworkCore.DbContextOptions`1[SecurityDbContext]' while attempting to activate 'ApplicationUserManager'.

EDIT: User management works when I use ASP.NET Core Identity's default classes, so it's not a database problem or something like that.

EDIT 2: I found the solution: you just have to configure Identity in the startup class. My answer gives some details.

asked Oct 03 '16 06:10

AdrienTorris




1 Answer

It's sooooo simple in the end ...

No need to override any class, you just have to configure the identity settings in your startup class, like this:

    services.Configure<IdentityOptions>(options =>
    {
        options.Password.RequireDigit = false;
        options.Password.RequiredLength = 5;
        options.Password.RequireLowercase = true;
        options.Password.RequireNonAlphanumeric = true;
        options.Password.RequireUppercase = false;
    });

Or you can configure identity when you add it:

    services.AddIdentity<ApplicationUser, IdentityRole>(options =>
    {
        options.Password.RequireDigit = false;
        options.Password.RequiredLength = 4;
        options.Password.RequireNonAlphanumeric = false;
        options.Password.RequireUppercase = false;
        options.Password.RequireLowercase = false;
    })
        .AddEntityFrameworkStores<SecurityDbContext>()
        .AddDefaultTokenProviders();

ASP.NET Core is definitely good stuff ...

answered Oct 15 '22 16:10

AdrienTorris