简体繁体 English

身份服务器 4 + AspNetCore.Identity：X 尝试后如何锁定？

[英]identity server 4 + AspNetCore.Identity: how to lockout after X tries?

原文 2019-12-29 09:00:32 4 1 c#/ asp.net-identity/ identityserver4/ identity

I'm using identityServer4 with AspNetCore.Identity.我正在将 identityServer4 与 AspNetCore.Identity 一起使用。 my client are logging in using RequestClientCredentialsTokenAsync function.我的客户正在使用 RequestClientCredentialsTokenAsync 函数登录。 how can I defend myself from too many login tries?我如何保护自己免受过多的登录尝试？

MaxFailedAccessAttempts property, but it doesn't do anything. MaxFailedAccessAttempts属性，但它不执行任何操作。

1 个解决方案

It seems you are confusing things.看来你在混淆事情。 So let me start with the terminology .让我从术语开始。

What is a client?什么是客户？

A client is a piece of software that requests tokens from IdentityServer.客户端是一个从 IdentityServer 请求令牌的软件。

What is a user?什么是用户？

A user is a human that is using a registered client to access resources.用户是使用已注册的客户端访问的资源是人。

The client is registered allowing certaingrant types :客户端注册允许某些授权类型：

Machine to Machine Communication :机器对机器通信：

Tokens are always requested on behalf of a client, no interactive user is present.始终代表客户端请求令牌，不存在交互式用户。

And when a user is involved: Interactive Clients .当涉及用户时：交互式客户端。

This is the most common type of client scenario: web applications, SPAs or native/mobile apps with interactive users .这是最常见的客户端场景类型：具有交互式用户的Web 应用程序、SPA 或本机/移动应用程序。

When you talk about RequestClientCredentialsTokenAsync then this indicates that you are using the ClientCredentials flow.当你谈论RequestClientCredentialsTokenAsync则表明您使用的是ClientCredentials流动。 A flow where a client is registered to allow the client credentials grant type.客户端注册以允许客户端凭据授予类型的流。

As documented in this flow there is no interactive user present.如本流程所述，不存在交互式用户。

Now about the MaxFailedAccessAttempts property.现在关于MaxFailedAccessAttempts属性。 This is part of the lockout options :这是锁定选项的一部分：

Gets or sets the number of failed access attempts allowed before a user is locked out, assuming lock out is enabled.获取或设置在用户被锁定之前允许的失败访问尝试次数（假设已启用锁定）。 Defaults to 5.默认为 5。

And here's the answer to why this property isn't working.这是为什么此属性不起作用的答案。 The lockout options aren't relevant for the client credentials flow since there is no user present.锁定选项与客户端凭据流无关，因为没有用户存在。

Now to answer your question: How can I defend myself from too many login tries?现在回答您的问题：我如何保护自己免受过多的登录尝试？

A client login is not the same as a user login .客户端登录与用户登录不同。 There is no mechanism to lockout clients.没有锁定客户端的机制。 If you want this functionality for a client then you'll have to extend IdentityServer.如果您想为客户端提供此功能，则必须扩展 IdentityServer。

But given your question, mentioning AspNetCore.Identity , it seems you should rather implement the correct flow where a user can login.但是鉴于您的问题，提到AspNetCore.Identity ，您似乎更应该实现用户可以登录的正确流程。 Take a look at the samples .看看样品。