I have a group of users who are our support staff. They should not be allowed to use external login. I can see that Identity can be configured to RequiredConfrmedEmail.
services.AddIdentity(config => config.SignIn.RequireConfirmedEmail = true)
If the users email is not confirmed then signin will return result.IsNotAllowed = false.
So my question is there a way to configure sigin to a custom requirement that being Supporter = false on ApplicationUser?
My current solution:
var result = await _signInManager.ExternalLoginSignInAsync(info.LoginProvider, info.ProviderKey, isPersistent: false, bypassTwoFactor: _configurationSettings.ThirdPartyLoginCanUse2Fa);
if (result.Succeeded)
{
// Todo can we make a policy that says supporter cant login using 3rd party apps.
var user = await _userManager.FindByLoginAsync(info.LoginProvider, info.ProviderKey);
if (!_configurationSettings.CanSupporterUse3RdPartyLogin && user.IsXenaSupporter)
{
ErrorMessage = $"Xena supporter may not login with {info.LoginProvider} provider.";
_logger.LogInformation($"User {user.Id} is Xena supporter and may not login with {info.LoginProvider} provider.");
return RedirectToAction(nameof(Login));
}
_logger.LogInformation($"User logged in with {info.LoginProvider} provider.");
return (returnUrl == null)
? RedirectToAction(nameof(Index), "Manage")
: RedirectToLocal(returnUrl);
}
My current solution isn't ideal as technically the user is signed in and I am going to have to force log them out somehow. Rather then just redirect them to login.
What i want is for ExternalLoginSignInAsync
to return result.IsNotAllowed
if user.IsXenaSupporter
is true.
I was able to extend the SignInManager.
public class ApplicationSignInManager : SignInManager<ApplicationUser>
{
private readonly ILogger _logger;
private readonly ConfigurationSettings _configurationSettings;
public ApplicationSignInManager(ConfigurationSettings configurationSettings, UserManager<ApplicationUser> userManager, IHttpContextAccessor contextAccessor, IUserClaimsPrincipalFactory<ApplicationUser> claimsFactory, IOptions<IdentityOptions> optionsAccessor,
ILogger<ApplicationSignInManager> logger, IAuthenticationSchemeProvider schemes) : base(userManager, contextAccessor, claimsFactory, optionsAccessor, logger, schemes)
{
_configurationSettings = configurationSettings;
_logger = logger;
}
public override async Task<SignInResult> ExternalLoginSignInAsync(string loginProvider, string providerKey, bool isPersistent, bool bypassTwoFactor)
{
var user = await UserManager.FindByLoginAsync(loginProvider, providerKey);
if (user == null)
{
return SignInResult.Failed;
}
var error = await PreSignInCheck(user);
if (error != null)
{
return error;
}
if (!_configurationSettings.CanSupporterUse3RdPartyLogin && user.IsXenaSupporter)
return SignInResult.NotAllowed;
return await SignInOrTwoFactorAsync(user, isPersistent, loginProvider, bypassTwoFactor);
}
}
Now when a user signs in i check that they are allowed.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.