identity server 4 + AspNetCore.Identity: how to lockout after X tries?

Question

I'm using identityServer4 with AspNetCore.Identity. my client are logging in using RequestClientCredentialsTokenAsync function. how can I defend myself from too many login tries?

MaxFailedAccessAttempts property, but it doesn't do anything.

Answer 1

It seems you are confusing things. So let me start with the terminology .

What is a client?

A client is a piece of software that requests tokens from IdentityServer.

What is a user?

A user is a human that is using a registered client to access resources.

The client is registered allowing certaingrant types :

Machine to Machine Communication :

Tokens are always requested on behalf of a client, no interactive user is present.

And when a user is involved: Interactive Clients .

This is the most common type of client scenario: web applications, SPAs or native/mobile apps with interactive users .

When you talk about RequestClientCredentialsTokenAsync then this indicates that you are using the ClientCredentials flow. A flow where a client is registered to allow the client credentials grant type.

As documented in this flow there is no interactive user present.

---

Now about the MaxFailedAccessAttempts property. This is part of the lockout options :

Gets or sets the number of failed access attempts allowed before a user is locked out, assuming lock out is enabled. Defaults to 5.

And here's the answer to why this property isn't working. The lockout options aren't relevant for the client credentials flow since there is no user present.

Now to answer your question: How can I defend myself from too many login tries?

A client login is not the same as a user login . There is no mechanism to lockout clients. If you want this functionality for a client then you'll have to extend IdentityServer.

But given your question, mentioning AspNetCore.Identity , it seems you should rather implement the correct flow where a user can login. Take a look at the samples .