Web API 2 AccessFailedCount does not increase when using token based authentication
I am using Web API with Identity 2.0. AccessFailedCount and LockoutEndDateUtc are not affected by an invalid username and password. I am implementing the token-based authentication provided by Web API. Please, help.
Here is the code snippet:
    using (UserManager<ApplicationUser> userManager = userManagerFactory()) // factory delegate is invoked
    {
        // FindAsync returns null for a wrong password, but it never touches AccessFailedCount
        ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);
        if (user == null)
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }
        // Only reached with a correct password, so the lockout check never sees failed attempts
        if (await userManager.IsLockedOutAsync(user.Id))
        {
            context.SetError("lock_out", "The account is locked.");
            return;
        }
        if (!userManager.IsEmailConfirmed(user.Id))
        {
            context.SetError("inactive_user", "The user is not active. Please check your Register Email to verify.");
            return;
        }
        ClaimsIdentity oAuthIdentity = await userManager.CreateIdentityAsync(user,
            context.Options.AuthenticationType);
        ClaimsIdentity cookiesIdentity = await userManager.CreateIdentityAsync(user,
            CookieAuthenticationDefaults.AuthenticationType);
        AuthenticationProperties properties = CreateProperties(user);
        AuthenticationTicket ticket = new AuthenticationTicket(oAuthIdentity, properties);
        context.Validated(ticket);
        context.Request.Context.Authentication.SignIn(cookiesIdentity);
    }
Finally, I solved it with this code:
    // To lock the user with userName ---- maximum of 5 failed accesses is set in the IdentityConfig.cs file
    ApplicationUser userToLock = await userManager.FindByNameAsync(context.UserName);
    if (userToLock != null)
    {
        // Increments AccessFailedCount; sets LockoutEndDateUtc once the maximum is reached
        await userManager.AccessFailedAsync(userToLock.Id);
    }
Now AccessFailedCount and LockoutEndDateUtc get values.
Thanks for the help, guys. Special thanks to @trailmax ... for taking my mind off the Web API.
To increment AccessFailedCount for the user, every time the login is invalid, you need to call
    await userManager.AccessFailedAsync(user.Id);
Otherwise it is not done for you in any way. ApplicationSignInManager does it for you, but (as far as I know) this class only works with MVC, not Web API.
Hi, it may be too late, but I have some code from ASP.Net Identity 2.0 AccessFailedCount not incrementing, configured for Web API.
    var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
    // Look the user up by name only, so the password can be checked separately below
    ApplicationUser user = await userManager.FindByNameAsync(context.UserName);
    if (user == null)
    {
        context.SetError("invalid_grant", "The user name or password is incorrect.");
        return;
    }
    // Note: this check runs before the password is verified, so the distinct message
    // tells a caller that the user name exists but is unconfirmed
    bool emailConfirmed = await userManager.IsEmailConfirmedAsync(user.Id);
    if (!emailConfirmed)
    {
        context.SetError("inactive_user", "The user is not active. Please check your Register Email to verify.");
        return;
    }
    bool lockedOut = await userManager.IsLockedOutAsync(user.Id);
    if (userManager.SupportsUserLockout && lockedOut)
    {
        context.SetError("invalid_grant", "This account has been locked out, please try again later.");
        return;
    }
    int failedCount = await userManager.GetAccessFailedCountAsync(user.Id);
    bool lockoutEnabled = await userManager.GetLockoutEnabledAsync(user.Id);
    if (await userManager.CheckPasswordAsync(user, context.Password))
    {
        // Correct password: clear any earlier failures so they do not accumulate
        if (userManager.SupportsUserLockout && lockoutEnabled && failedCount > 0)
        {
            await userManager.ResetAccessFailedCountAsync(user.Id);
        }
        // Authenticate user
    }
    else
    {
        // Wrong password: this is the call that increments AccessFailedCount and
        // sets LockoutEndDateUtc when the configured maximum is reached
        if (userManager.SupportsUserLockout && lockoutEnabled)
        {
            await userManager.AccessFailedAsync(user.Id);
        }
        context.SetError("invalid_grant", "The user name or password is incorrect.");
        return;
    }
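The two halves of the fix that the answers above describe, put together as an added example (not code from the question or any of the answers): the lockout settings in IdentityConfig.cs that make AccessFailedAsync count and lock, and a token-endpoint override that looks the user up by name, checks the password itself, and calls AccessFailedAsync on failure and ResetAccessFailedCountAsync on success. It assumes the Visual Studio template's ApplicationUser and ApplicationDbContext types, and uses one generic error message for unknown, locked and wrong-password cases so the endpoint does not disclose which accounts exist.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;

// IdentityConfig.cs: AccessFailedAsync only counts for users whose LockoutEnabled flag is set.
public class ApplicationUserManager : UserManager<ApplicationUser>
{
    public ApplicationUserManager(IUserStore<ApplicationUser> store) : base(store) { }
    public static ApplicationUserManager Create(
        IdentityFactoryOptions<ApplicationUserManager> options, IOwinContext context)
    {
        var manager = new ApplicationUserManager(            // ApplicationDbContext: template EF context (assumed)
            new UserStore<ApplicationUser>(context.Get<ApplicationDbContext>()));
        manager.UserLockoutEnabledByDefault = true;          // new users get LockoutEnabled = true
        manager.DefaultAccountLockoutTimeSpan = TimeSpan.FromMinutes(15);
        manager.MaxFailedAccessAttemptsBeforeLockout = 5;    // 5th failure sets LockoutEndDateUtc
        return manager;
    }
}

public class ApplicationOAuthProvider : OAuthAuthorizationServerProvider
{
    public override async Task GrantResourceOwnerCredentials(
        OAuthGrantResourceOwnerCredentialsContext context)
    {
        const string genericError = "The user name or password is incorrect.";
        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
        var user = await userManager.FindByNameAsync(context.UserName);
        // Unknown name, locked account and wrong password all get the same message.
        if (user == null || await userManager.IsLockedOutAsync(user.Id))
        {
            context.SetError("invalid_grant", genericError);
            return;
        }
        if (!await userManager.CheckPasswordAsync(user, context.Password))
        {
            // The call FindAsync never makes: increments AccessFailedCount, locks at the maximum.
            await userManager.AccessFailedAsync(user.Id);
            context.SetError("invalid_grant", genericError);
            return;
        }
        await userManager.ResetAccessFailedCountAsync(user.Id); // clear stale failures on success
        var identity = await userManager.CreateIdentityAsync(user, context.Options.AuthenticationType);
        context.Validated(identity);
    }
}
```

Register the provider and the manager in Startup as the template does; a lockout still only applies to users whose LockoutEnabled column is true, so existing rows created before UserLockoutEnabledByDefault was set need that flag updated.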