I have a project where I am using ASP.NET Core Identity (with IdentityServer4) for user authentication.

When I use ChangePasswordAsync to change password, it is allowing the new password to be the same as the current password. Is there a way to prevent this?

marc_s
Sarahbe
  • Share your code that is being used to change your password. – TanvirArjel Nov 15 '20 at 14:57
  • You could implement a check in the controller, if there's one, to prevent old password == new password. If you would like to implement it in the Identity API itself, try https://stackoverflow.com/questions/42787120 . Moreover, I believe you might be interested in a password reuse policy; for your reference: https://stackoverflow.com/questions/15065429/ and https://stackoverflow.com/questions/48783202/ – wuiyang Nov 15 '20 at 19:54
  • I was trying to avoid implementing a password validator, but as I see now, there's no other option but using it. – Sarahbe Nov 16 '20 at 04:34
  • Thank you very much for extra resources. – Sarahbe Nov 16 '20 at 04:40
  • Using old password == new password is not an option because it will compare the two passwords without validating the password. So if the user enters a random word (not the correct password) in current and new password, a warning will be shown, which doesn't make sense. – Sarahbe Nov 16 '20 at 04:53
  • In my opinion, you could create a custom password validator and use JS ajax to call the server validator. – Brando Zhang Nov 19 '20 at 05:35

1 Answer

Add a custom password validator in which you can do a login request with the username + the new password.

If this login is successful, then the password hasn't changed.

Kay Meister
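One way to write the validator discussed above, as an added example that is not code from the question or the answer: it checks the candidate password against the stored hash with the configured password hasher instead of issuing a login request. The class name `NotCurrentPasswordValidator`, the error code, and the `ApplicationUser` type in the registration comment are assumptions, as is a user type deriving from `IdentityUser`.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

// Added example (hypothetical class name): rejects a new password that
// verifies against the hash currently stored for the user.
// Assumes the user type derives from IdentityUser, which exposes PasswordHash.
public class NotCurrentPasswordValidator<TUser> : IPasswordValidator<TUser>
    where TUser : IdentityUser
{
    public Task<IdentityResult> ValidateAsync(
        UserManager<TUser> manager, TUser user, string password)
    {
        // No stored hash yet (registration, or an account that only has
        // external logins): there is nothing to compare against.
        if (string.IsNullOrEmpty(user.PasswordHash))
            return Task.FromResult(IdentityResult.Success);

        // ChangePasswordAsync verifies the *current* password before it runs
        // the validators, so a wrong current password already fails with
        // PasswordMismatch and never reaches this point. When we get here,
        // PasswordHash is still the old hash, so this is a hash check of the
        // candidate, not a plain-text comparison of two form fields.
        var verification = manager.PasswordHasher.VerifyHashedPassword(
            user, user.PasswordHash, password);

        // Success and SuccessRehashNeeded both mean "same password".
        if (verification != PasswordVerificationResult.Failed)
        {
            return Task.FromResult(IdentityResult.Failed(new IdentityError
            {
                Code = "PasswordSameAsCurrent", // constructed error code
                Description =
                    "The new password must be different from the current password."
            }));
        }

        return Task.FromResult(IdentityResult.Success);
    }
}

// Registration in ConfigureServices (ApplicationUser is an assumed user type):
//   services.AddIdentity<ApplicationUser, IdentityRole>()
//       .AddPasswordValidator<NotCurrentPasswordValidator<ApplicationUser>>();
```

Password validators also run for `ResetPasswordAsync`, so with this registered a reset to the current password is rejected as well.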