发表新帖
发表新帖

How override ASP.NET Core Identity's password policy

后端 未结
关注
4 823
既然无缘
既然无缘 2020-12-04 18:51

By default, ASP.NET Core Identity\'s password policy require at least one special character, one uppercase letter, one number, ...

How can I change this restrictions

相关标签:
4条回答
  • 野趣味
    2020-12-04 19:31

    Additional Requirement:

    If you feel this password constraint is not enough, You can define your own conditions by inheriting the PasswordValidator class.

    Sample implementation :

    public class CustomPasswordPolicy : PasswordValidator<AppUser>
    {
        public override async Task<IdentityResult> ValidateAsync(UserManager<AppUser> manager, AppUser user, string password)
        {
            IdentityResult result = await base.ValidateAsync(manager, user, password);
            List<IdentityError> errors = result.Succeeded ? new List<IdentityError>() : result.Errors.ToList();

            if (password.ToLower().Contains(user.UserName.ToLower()))
            {
                errors.Add(new IdentityError
                {
                    Description = "Password cannot contain username"
                });
            }
            if (password.Contains("123"))
            {
                errors.Add(new IdentityError
                {
                    Description = "Password cannot contain 123 numeric sequence"
                });
            }
            return errors.Count == 0 ? IdentityResult.Success : IdentityResult.Failed(errors.ToArray());
        }
    }

    I have override the ValidateAsync method in my class, and inside this method I am implementing my custom password policy.

    Very Very Important

    • The first code line within ValidateAsync()

    IdentityResult result = await base.ValidateAsync(manager, user, password); :

    Validates the password according to the password rules given in the ConfigureServices method of Statup class (the one showed in the old answers for this post)

    • The password validation functionality is defined by the IPasswordValidator interface in the Microsoft.AspNetCore.Identity namespace. So I need to register my ‘CustomPasswordPolicy’ class as the password validator for ‘AppUser’ objects.
        services.AddTransient<IPasswordValidator<AppUser>, CustomPasswordPolicy>();
            services.AddDbContext<AppIdentityDbContext>(options => options.UseSqlServer(Configuration["ConnectionStrings:DefaultConnection"]));
            services.AddIdentity<AppUser, IdentityRole>(opts =>
            {
                opts.Password.RequiredLength = 8;
                opts.Password.RequireNonAlphanumeric = true;
                opts.Password.RequireLowercase = false;
                opts.Password.RequireUppercase = true;
                opts.Password.RequireDigit = true;
            }).AddEntityFrameworkStores<AppIdentityDbContext>().AddDefaultTokenProviders();

    Offical Github Documentation of PasswordValidator.cs (for better understanding): here

    0 讨论(0)
  • 逝去的感伤
    2020-12-04 19:36

    You can modify these rules in IdentityConfig.cs file. The rules are defined in 

    public static ApplicationUserManager Create(IdentityFactoryOptions<ApplicationUserManager> options, IOwinContext context)
{
    var manager = new ApplicationUserManager(new UserStore<ApplicationUser>(context.Get<ApplicationDbContext>()));
    // Configure validation logic for usernames
    manager.UserValidator = new UserValidator<ApplicationUser>(manager)
    {
        AllowOnlyAlphanumericUserNames = false,
        RequireUniqueEmail = true
    };

    // Configure validation logic for passwords
    manager.PasswordValidator = new PasswordValidator
    {
        RequiredLength = 5,
        RequireNonLetterOrDigit = false,
        RequireDigit = true,
        RequireLowercase = true,
        RequireUppercase = true,
    };
}
    0 讨论(0)
  • 滥情空心
    2020-12-04 19:43

    It's sooooo simple in the end ...

    No need to override any class, you have just to configure the identity settings in your startup class, like this :

    services.Configure<IdentityOptions>(options =>
{
    options.Password.RequireDigit = false;
    options.Password.RequiredLength = 5;
    options.Password.RequireLowercase = true;
    options.Password.RequireNonLetterOrDigit = true;
    options.Password.RequireUppercase = false;
});

    Or you can configure identity when you add it :

    services.AddIdentity<ApplicationUser, IdentityRole>(options=> {
                options.Password.RequireDigit = false;
                options.Password.RequiredLength = 4;
                options.Password.RequireNonAlphanumeric = false;
                options.Password.RequireUppercase = false;
                options.Password.RequireLowercase = false;
            })
                .AddEntityFrameworkStores<SecurityDbContext>()
                .AddDefaultTokenProviders();

    AS.NET Core is definitively good stuff ...

    0 讨论(0)
  • 醉话见心
    2020-12-04 19:48

    simplest way for developers is

    services.AddDefaultIdentity<IdentityUser>(options =>
{
  options.SignIn.RequireConfirmedAccount = true;
  options.Password.RequireDigit = false;
  options.Password.RequireNonAlphanumeric = false;
  options.Password.RequireUppercase = false;
  options.Password.RequireLowercase = false;
})
  .AddEntityFrameworkStores<ApplicationDbContext>();

    only Password.RequiredLength can not be changed in this way, it still eqiual 6.

    0 讨论(0)
 看不清?
提交回复
热议问题