How to setup password expiration using ASP.NET Identity Framework - 0Day Forums (https://0day.red), Forum: Coding > Asp.Net
How to setup password expiration using ASP.NET Identity Framework - verbally57136 - 07-23-2023

I have an ASP.NET project using Identity. For the Identity configuration regarding passwords, the `PasswordValidator` is being used. How do I expand the enforcement of passwords beyond what `PasswordValidator` currently has (`RequiredLength`, `RequiredDigit`, etc.) to satisfy a requirement that asks for password expiration after N days?

RE: How to setup password expiration using ASP.NET Identity Framework - staceyfusvrckvhn - 07-23-2023

There is no such functionality built into ASP.NET Identity 2. Easiest is to add a field on the user like **LastPasswordChangedDate**, and then check this field during each authorization.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

public class ApplicationOAuthProvider : OAuthAuthorizationServerProvider
{
    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        // GetUser is the poster's own helper: look the user up and verify the password (null on failure)
        var user = await GetUser(context.UserName, context.Password);
        if (user == null) { context.SetError("invalid_grant", "Invalid user name or password."); return; }
        // Compare in UTC (and store LastPasswordChangedDate in UTC) so DST or the server time zone cannot shift the cut-off
        if (user.LastPasswordChangedDate.AddDays(20) < DateTime.UtcNow)
        {
            // user needs to change password: refuse to issue a token
            context.SetError("password_expired", "Password has expired; change it before signing in.");
            return;
        }
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, user.UserName));
        context.Validated(identity);
    }
}
```

RE: How to setup password expiration using ASP.NET Identity Framework - recollect950 - 07-23-2023

Adding on to @Rikard's answer...
I added `LastPasswordChangedDate` to my `ApplicationUser` model, like so:

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

public class ApplicationUser : IdentityUser
{
    // Stored in UTC. Existing rows get DateTime.MinValue after the migration, so they count as expired
    // until the user changes password once.
    public DateTime LastPasswordChangedDate { get; set; }

    public async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<ApplicationUser> manager)
    {
        // Note the authenticationType must match the one defined in CookieAuthenticationOptions.AuthenticationType
        var userIdentity = await manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie);
        // Add custom user claims here
        return userIdentity;
    }
}
```

Add a static configuration setting to `AccountController` (you'll need this later on in `Login()`):

```csharp
// Requires: using System.Configuration; and an <add key="PasswordExpireDays" value="90" /> entry in Web.config appSettings
private static readonly int PasswordExpireDays = Convert.ToInt32(ConfigurationManager.AppSettings["PasswordExpireDays"]);
```

Then, during `Login`, check to see if the user should reset the password. This only checks after a successful login, so as not to bug the user too much.

```csharp
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
{
    if (!ModelState.IsValid)
    {
        return View(model);
    }

    // This doesn't count login failures towards account lockout
    // To enable password failures to trigger account lockout, change to shouldLockout: true
    var result = await SignInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, shouldLockout: false);
    switch (result)
    {
        case SignInStatus.Success:
            // The auth cookie has already been issued at this point; the redirect below steers the
            // user to the change-password page but does not by itself block other requests.
            var user = await UserManager.FindByNameAsync(model.Email);
            if (user.LastPasswordChangedDate.AddDays(PasswordExpireDays) < DateTime.UtcNow)
            {
                return RedirectToAction("ChangePassword", "Manage");
            }
            else
            {
                return RedirectToLocal(returnUrl);
            }
        case SignInStatus.LockedOut:
            return View("Lockout");
        case SignInStatus.RequiresVerification:
            return RedirectToAction("SendCode", new { ReturnUrl = returnUrl, RememberMe = model.RememberMe });
        case SignInStatus.Failure:
        default:
            ModelState.AddModelError("", "Error: Invalid username or password");
            return View(model);
    }
}
```

Make sure to update the
`LastPasswordChangedDate` when the user successfully updates the password, in `ManageController`, `ChangePassword` action:

```csharp
[HttpPost]
[ValidateAntiForgeryToken]
public async Task<ActionResult> ChangePassword(ChangePasswordViewModel model)
{
    if (!ModelState.IsValid)
    {
        return View(model);
    }

    var result = await UserManager.ChangePasswordAsync(User.Identity.GetUserId(), model.OldPassword, model.NewPassword);
    if (result.Succeeded)
    {
        var user = await UserManager.FindByIdAsync(User.Identity.GetUserId());
        if (user != null)
        {
            // Stamp the change in UTC, matching the comparison in Login
            user.LastPasswordChangedDate = DateTime.UtcNow;
            await UserManager.UpdateAsync(user);
            // Re-issue the cookie so the identity (and any claims built from the user) is current
            await SignInManager.SignInAsync(user, isPersistent: false, rememberBrowser: false);
        }
        return RedirectToAction("Index", new { Message = ManageMessageId.ChangePasswordSuccess });
    }
    AddErrors(result);
    return View(model);
}
```
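Both answers in this thread check the timestamp only at the moment of sign-in; in the `Login` action above the cookie is already issued by `PasswordSignInAsync` before the `ChangePassword` redirect is returned, so a user who simply navigates elsewhere is never forced to change the password. The following is an added example, not code from the thread, showing one way to enforce the expiry on every authenticated request with an ASP.NET MVC 5 global action filter. It carries the timestamp in the cookie as a claim (the claim type name `urn:example:password_last_changed` is assumed) so the check needs no database hit per request, and it fails closed: a cookie issued without the claim, an unparsable value, and the `DateTime.MinValue` a migrated user starts with all count as expired. `PasswordPolicy.ExpireDays` is hard-coded here where the thread reads `PasswordExpireDays` from appSettings.

```csharp
// Added example (not from the thread). Assumes ASP.NET MVC 5, Identity 2.x with OWIN cookie auth,
// and the ApplicationUser.LastPasswordChangedDate property from the thread, stored in UTC.
using System;
using System.Globalization;
using System.Security.Claims;
using System.Web.Mvc;
using System.Web.Routing;

public static class PasswordPolicy
{
    // Hypothetical claim type used to carry the timestamp inside the auth cookie.
    public const string LastChangedClaim = "urn:example:password_last_changed";
    // The thread reads this from ConfigurationManager.AppSettings["PasswordExpireDays"].
    public static readonly int ExpireDays = 90;

    // Pure check, shared by the filter and by anything else that needs the rule.
    public static bool IsExpired(DateTime lastChangedUtc, DateTime nowUtc, int expireDays)
    {
        // DateTime.MinValue is the EF default for a user who has never changed password: treat as expired.
        if (lastChangedUtc == DateTime.MinValue) return true;
        return lastChangedUtc.AddDays(expireDays) < nowUtc;
    }

    // Call from ApplicationUser.GenerateUserIdentityAsync after CreateIdentityAsync:
    //   userIdentity.AddClaim(PasswordPolicy.ToClaim(LastPasswordChangedDate));
    public static Claim ToClaim(DateTime lastChangedUtc)
    {
        // Round-trip ("o") format keeps the UTC marker so the value parses back unambiguously.
        return new Claim(LastChangedClaim, lastChangedUtc.ToString("o", CultureInfo.InvariantCulture));
    }
}

// Register once in FilterConfig: GlobalFilters.Filters.Add(new RequirePasswordChangeAttribute());
public class RequirePasswordChangeAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var principal = filterContext.HttpContext.User as ClaimsPrincipal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated) return;

        // The user must still be able to reach the change-password and log-off actions,
        // otherwise the redirect below loops forever.
        var controller = filterContext.ActionDescriptor.ControllerDescriptor.ControllerName;
        var action = filterContext.ActionDescriptor.ActionName;
        if ((controller == "Manage" && action == "ChangePassword") ||
            (controller == "Account" && action == "LogOff")) return;

        var claim = principal.FindFirst(PasswordPolicy.LastChangedClaim);
        DateTime lastChanged;
        // Fail closed: no claim (cookie issued before the claim existed) or a bad value is treated as expired.
        bool expired = claim == null
            || !DateTime.TryParseExact(claim.Value, "o", CultureInfo.InvariantCulture,
                                       DateTimeStyles.RoundtripKind, out lastChanged)
            || PasswordPolicy.IsExpired(lastChanged, DateTime.UtcNow, PasswordPolicy.ExpireDays);

        if (expired)
        {
            // Short-circuit the action: the user is sent to change the password regardless of the URL requested.
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary(new { controller = "Manage", action = "ChangePassword" }));
        }
    }
}
```

Because the thread's `ChangePassword` action calls `SignInManager.SignInAsync` after updating `LastPasswordChangedDate`, `GenerateUserIdentityAsync` runs again and the cookie is re-issued with a fresh claim, so the redirect stops as soon as the password is changed. The comparison uses `DateTime.UtcNow` on every request, so a long-lived "remember me" cookie is also caught once the N days have passed, rather than only at the next interactive login.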