ASP.NET Core 3.1 - Enhanced User Without Identity

Ken Haggerty
Created 02/20/2021 - Updated 02/23/2021 23:40

This article introduces a series about implementing enhanced user features without ASP.NET Core Identity. I will assume you have downloaded the ASP.NET Core 3.1 - Users Without Identity Project or created a new ASP.NET Core 3.1 Razor Pages project. See Tutorial: Get started with Razor Pages in ASP.NET Core. You should review the earlier articles of the Users Without Identity Project series.

Users Without Identity Project and Article Series

This series will focus on allowing the user to self-serve password recovery and self-mitigate login issues. The 2FA series added a related AppUserToken model like ASP.NET Core Identity's UserToken. Identity implements 2FA RecoveryCodes and stores the user's AuthenticatorKey and the RecoveryCodes in the UserToken model. UWIP v2.0 and above implements 2FA RecoveryCodes but the AppUser model implements the AuthenticatorKey and RecoveryCodes properties. The AppUserToken model has been removed. The project adds properties to support a confirmed email address which is updatable, tracking failed login in attempts with a lockout pause, and forgot password recovery. This series describes the following features.

2FA Recovery Codes

The first time a user enables 2FA by configuring and verifying an Authenticator App, a set of recovery codes are generated. The codes are saved to a temp data property and the user is redirected to a ShowRecoveryCodes page which displays the codes from temp data. The codes are only displayed immediately after generation. Each recovery code can be used once to authorize the second factor of the user login when 2FA is enabled. The authorization is not persistent, and the client is not remembered. The Manage > TwoFactorAuthentication page checks the count of remaining codes and offers to generate new codes when the count is 3 or less.

Login Lockout

UWIP v2 implements AccessFailedCount and LockoutEndDate properties for the AppUser. The AccessFailedCount is incremented for every identifiable failed login attempt. The UserService implements maxFailedAccessAttempts = 5 and LockoutTimeSpan = TimeSpan. FromMinutes(15) properties. If the failed access count is greater than or equal to the configured maximum number of attempts, the user will be locked out for the configured lockout time span.

Created And Last Login Date

UWIP v2 implements CreatedDate and LastLoginDate properties for the AppUser. The UserService implements an UpdateAppUserLastLoginDateAsync function which is called when the user successfully logs in. This function not only updates the LastLoginDate, but it also resets the AccessFailedCount to 0.

Security Stamp

UWIP v2 implements a SecurityStamp property for the AppUser. The project has updated the ClaimsPrincipal by employing a security identifier claim (ClaimTypes.Sid) with the SecurityStamp value. The CookieValidator has been updated to validate the current SecurityStamp against the ClaimsPrincipal's ClaimTypes.Sid claim. The SecurityStamp is also used to generate and validate email confirmation and password reset tokens.

Token Service

UWIP v2 implements a TokenService class to generate and validate email confirmation and password reset tokens based on the SecurityStamp. The TokenService employs a ServiceCollection extension and options to override the default values for the length of time the token is valid.

Confirmed Email Address

UWIP v2 implements Email, EmailConfirmed, and UnconfirmedEmail properties for the AppUser. The project now implements a user registration page with an email address input. When a new user registers, an email is sent to the address with a link to a email confirmation page and a email confirmation token used to verify the user has access to the address. The email confirmation page sets the AppUser's EmailConfirmed to true if the token is verified. The user updates their confirmed email using the UnconfirmedEmail property.

Password Recovery

UWIP v2 implements a forgot password process. The user can request an email be sent to the confirmed email address with a link to a reset password page and a password reset token. If the token is verified, the user can replace the existing password with a new password.

Update 02/23/2021

I updated the article links.

Comment Count = 0

Please log in to comment.

Login Register
Logged in users receive web notifications.
Web Notifications