
I have a Blazor Server App that uses Microsoft.AspNetCore.Identity. A user authenticates (using IdentityServer) and can then view pages, depending on their roles. I check for roles in one of two ways. Either at the start of the page:

@attribute [Authorize(Roles = "some_user_role")]

or in code blocks:

<AuthorizeView Roles="some_user_role">
</AuthorizeView>

In my Startup.cs class, I have this:

public void ConfigureServices(IServiceCollection services)
{
    //db connection stuff

    services.AddDefaultIdentity<CustomUserContext>(options =>
            options.SignIn.RequireConfirmedAccount = true)
        .AddRoles<IdentityRole>()
        .AddEntityFrameworkStores<ApplicationDbContext>()
        .AddClaimsPrincipalFactory<UserClaimsPrincipalFactory<CustomUserContext>>();
    // do other stuff
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    //other stuff
    app.UseRouting();
    app.UseAuthentication();
    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllers();
        endpoints.MapBlazorHub();
        endpoints.MapFallbackToPage("/_Host");
    });
}

But, when I authenticate with my credentials, even though my account's EmailConfirmed is false, I can still access things that require the "some_user_role" role. How do I enforce EmailConfirmed? Do I have to remove a user's roles until they confirm?
thanks

jason
  • You probably want to write your own middleware which checks just this. Authorization does not know how the user ended up authenticating. In the authentication process you check things like email confirmed. – Roy Berris Oct 23 '21 at 18:57

1 Answer


Pretty much yes. Email confirmation has nothing to do with the account working, and it can be reset, e.g. for an email change.

Do whatever your logic asks for.

TomTom
  • thanks. But, then what is options.SignIn.RequireConfirmedAccount = true used for in the services.AddDefaultIdentity? – jason Oct 23 '21 at 18:10
  • @jason the default template enforces RequireConfirmedAccount = true. However, it also bypasses the code that sends the email and checks for receipt until the middleware is set up to do so. You will note that when you create a new account using the template code it simply gives you a link to confirm your details without the email process. – Brian Parker Oct 24 '21 at 00:24
  • I am not sure if this is the correct way, but I ended up creating my own custom Authorization Requirement/Handler, similar to what was answered here: https://stackoverflow.com/questions/61959852/how-to-implement-custom-authorization-filter-for-blazor-page – jason Oct 24 '21 at 03:16
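
An added example, not code from the question or the answer, showing one way to make the confirmation state part of authorization instead of stripping roles. The reason the asker's setup lets unconfirmed users through is that RequireConfirmedAccount is only consulted by SignInManager (CanSignInAsync, which PasswordSignInAsync runs before it issues the cookie); [Authorize] and AuthorizeView never re-check it, they only see the claims already in the principal. The factory below derives from the role-aware UserClaimsPrincipalFactory<TUser, TRole>, so the role claims that AddRoles<IdentityRole>() depends on are still produced, and it stamps an email_verified claim that a named policy then requires. CustomUserContext, IdentityRole and ApplicationDbContext come from the question; the claim name email_verified, the policy name EmailConfirmed and the AddEmailConfirmedPolicy helper are my own choices.

```csharp
// Added example (not from the question or answer): enforce EmailConfirmed with an
// authorization policy rather than by removing roles until confirmation.
//
// Assumptions: user type CustomUserContext, role type IdentityRole and
// ApplicationDbContext as in the question. The claim name "email_verified",
// the policy name "EmailConfirmed" and the AddEmailConfirmedPolicy extension
// are choices made for this example.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

// 1. Put the confirmation state into the principal when the cookie is issued.
//    Deriving from the two-generic factory keeps the role claims that
//    AddRoles<IdentityRole>() relies on; UserClaimsPrincipalFactory<TUser>
//    alone does not add them.
public class ConfirmedEmailClaimsFactory
    : UserClaimsPrincipalFactory<CustomUserContext, IdentityRole>
{
    public const string EmailVerifiedClaim = "email_verified";

    public ConfirmedEmailClaimsFactory(
        UserManager<CustomUserContext> userManager,
        RoleManager<IdentityRole> roleManager,
        IOptions<IdentityOptions> options)
        : base(userManager, roleManager, options) { }

    protected override async Task<ClaimsIdentity> GenerateClaimsAsync(CustomUserContext user)
    {
        // Base class adds name/id/role claims; we append the confirmation flag.
        var identity = await base.GenerateClaimsAsync(user);
        var confirmed = await UserManager.IsEmailConfirmedAsync(user);
        identity.AddClaim(new Claim(EmailVerifiedClaim, confirmed ? "true" : "false"));
        return identity;
    }
}

// 2. Define the policy once; pages and components reference it by name.
public static class EmailConfirmedPolicy
{
    public const string Name = "EmailConfirmed";

    public static IServiceCollection AddEmailConfirmedPolicy(this IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            options.AddPolicy(Name, policy => policy
                .RequireAuthenticatedUser()
                .RequireClaim(ConfirmedEmailClaimsFactory.EmailVerifiedClaim, "true"));
        });
        return services;
    }
}

// 3. Wiring in Startup.ConfigureServices: swap the factory registration from the
//    question for the one above and register the policy.
//
//    services.AddDefaultIdentity<CustomUserContext>(options =>
//            options.SignIn.RequireConfirmedAccount = true)
//        .AddRoles<IdentityRole>()
//        .AddEntityFrameworkStores<ApplicationDbContext>()
//        .AddClaimsPrincipalFactory<ConfirmedEmailClaimsFactory>();
//    services.AddEmailConfirmedPolicy();
//
// 4. Usage in a Razor page or component; roles and the policy are both required:
//
//    @attribute [Authorize(Roles = "some_user_role", Policy = "EmailConfirmed")]
//
//    <AuthorizeView Roles="some_user_role" Policy="EmailConfirmed">
//        ...
//    </AuthorizeView>
```

Two caveats with this approach. The claim is a snapshot taken when the principal was built, so after the user confirms their address the cookie has to be rebuilt: call SignInManager.RefreshSignInAsync(user) in the confirmation handler (or let the cookie's SecurityStampValidator rebuild it on its validation interval, 30 minutes by default), and in Blazor Server the circuit's AuthenticationState only picks up the new cookie on a full page load. If a check against the database on every authorization decision is preferred instead, a custom AuthorizationHandler<T> that injects UserManager<CustomUserContext> and calls IsEmailConfirmedAsync does the same job, as the asker's last comment describes, at the cost of a query per check.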