
I'm watching strange behavior in ASP.NET Identity. It has a standard feature for locking users. I want to lock a user from server code explicitly to prevent his access to the site and the Web API. The code is trivial and works well:

  var userStore = new UserStore<User>(db);
  var userManager = new UserManager<User>(userStore);
  // Mark the account as subject to lockout, then push the lockout end date
  // as far into the future as the type allows (year 9999), i.e. a permanent lock.
  var result = userManager.SetLockoutEnabled(user.Id, true);
  result = userManager.SetLockoutEndDate(user.Id, DateTimeOffset.MaxValue);

After executing this snippet, I can see that the user record in the database is updated properly. When I try to log on to my site with the credentials of this user, I receive the correct message that the user is locked out.

Next, I'm trying to log on the same user through the Web API using a simple C# console client and get an access token.

  // Resource owner password credentials grant: post the form-encoded
  // username/password to the OWIN /Token endpoint.
  Dictionary<string, string> request = new Dictionary<string, string>();
  request.Add("grant_type", "password");
  request.Add("username", user);
  request.Add("password", pass);
  HttpContent con = new FormUrlEncodedContent(request);

  TokenModel tokenModel;
  using (HttpClient client = new HttpClient { BaseAddress = new Uri(url + "/Token") })
  {
    HttpResponseMessage responseMessage = await client.PostAsync("", con);
    string responseContent = await responseMessage.Content.ReadAsStringAsync();
    // On success the body is the JSON token response (access_token, token_type, ...).
    tokenModel = JsonConvert.DeserializeObject<TokenModel>(responseContent);
  }

To my surprise, the logon succeeds and returns a valid access token for this locked user! How is it possible? Am I missing something? Is it a bug in the Identity implementation?

I'm using Visual Studio 2013 and the latest ASP.NET Identity 2.2.1.

Boris Zinchenko
  • How are you getting a token? via `/token`? – trailmax Oct 20 '16 at 12:46
  • Possible duplicate of [ASP.net Identity Disable User](http://stackoverflow.com/questions/20803109/asp-net-identity-disable-user) –  Oct 20 '16 at 12:49
  • Yes, we are using /Token by standard. I've added client code to avoid any doubts. – Boris Zinchenko Oct 20 '16 at 12:51
  • Can you post the code in the action/method that is called for `/Token`? – Igor Oct 20 '16 at 12:53
  • A way to disable an Identity user is discussed in this post: ASP.net Identity Disable User (http://stackoverflow.com/questions/20803109/asp-net-identity-disable-user), which I have read carefully before asking this question. However, it does not mention or explain the ridiculous situation where a locked user cannot log on to the site but still can authorize through the Web API. – Boris Zinchenko Oct 20 '16 at 12:56
  • @Igor, I've just updated the question with client code for clarity. – Boris Zinchenko Oct 20 '16 at 12:57
  • http://stackoverflow.com/a/23645326/490002 The full answer for your question is: "The default LockoutEnabled property for a User is not the property indicating if a user is currently being locked out or not. It's a property indicating if the user should be subject to lockout or not once the AccessFailedCount reaches the MaxFailedAccessAttemptsBeforeLockout value. Even if the user is locked out, it's only a temporary measure to bar the user for the duration of the LockedoutEnddateUtc property. So, to permanently disable or suspend a user account, you might want to introduce your own flag property." – Alexander Pavlenko Oct 20 '16 at 13:00
  • @Maybe, please consider that the code in my question locks the user through LockedoutEnddateUtc until year 10000. This is enough to consider the lock permanent. More importantly, can anybody explain why the user is, in fact, locked on the web form but is NOT locked on the Web API? – Boris Zinchenko Oct 20 '16 at 13:08

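As an added example (not code from the question or from ASP.NET Identity itself), this is how the `/Token` endpoint's resource-owner-password grant can enforce the same lockout that the cookie login already enforces. It assumes the Web API template's `ApplicationOAuthProvider` and `ApplicationUserManager` names (hypothetical here; the question does not show its provider) and that the provider currently validates credentials with `UserManager.FindAsync(name, password)`, which verifies only the password and never consults `LockoutEnabled`/`LockoutEndDateUtc`, unlike `SignInManager.PasswordSignInAsync` on the cookie path:

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security.OAuth;

// Hypothetical type names taken from the Web API template; adjust to the
// project's own User/UserManager types.
public class ApplicationOAuthProvider : OAuthAuthorizationServerProvider
{
    public override async Task GrantResourceOwnerCredentials(
        OAuthGrantResourceOwnerCredentialsContext context)
    {
        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();

        // Look the user up by name first so the lockout state can be checked
        // before the password is verified. FindAsync(name, password) alone only
        // validates the password and ignores the lockout columns.
        var user = await userManager.FindByNameAsync(context.UserName);
        if (user == null)
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        // Enforce the same rule the cookie login path applies: a user whose
        // LockoutEndDateUtc lies in the future gets no token.
        if (await userManager.IsLockedOutAsync(user.Id))
        {
            context.SetError("invalid_grant", "This account has been locked out.");
            return;
        }

        if (!await userManager.CheckPasswordAsync(user, context.Password))
        {
            // Record the failure so repeated bad passwords trip the lockout
            // on the API path too, not only on the web form.
            await userManager.AccessFailedAsync(user.Id);
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        await userManager.ResetAccessFailedCountAsync(user.Id);

        ClaimsIdentity oAuthIdentity = await userManager.CreateIdentityAsync(
            user, context.Options.AuthenticationType);
        context.Validated(oAuthIdentity);
    }
}
```

With this in place the console client in the question receives an `invalid_grant` error for the locked user instead of a token, which is the behavior the web form already shows.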