我试图在我的webapi中实现Identity Framework中的锁定功能。我正在使用oAuth令牌https://myapi.com/Token 登录和获取令牌时用户身份验证失败时,它似乎不会影响数据库中的AccessFailedCount字段。用Google搜索并发现我需要使用SigninManager才能使用该功能。发行令牌时有没有办法实现它?
感谢您的帮助
答案 0 :(得分:0)
您需要在UserManager上明确调用AccessFailedAsync:
if (userManager.SupportsUserLockout)
await userManager.AccessFailedAsync(user);
例如,在OpenIdConnectServerProvider.HandleTokenRequest上下文中,这可能如下所示:
var userManager =
context.HttpContext.RequestServices.GetRequiredService<UserManager<User>>();
var user = await userManager.FindByNameAsync(context.Request.Username);
if (userManager.SupportsUserLockout && await userManager.IsLockedOutAsync(user))
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "User locked out due to too many failed attempts. Try again later.");
return;
}
if (!await userManager.CheckPasswordAsync(user, context.Request.Password))
{
// If lockout is supported, increment access failed count
if (userManager.SupportsUserLockout)
await userManager.AccessFailedAsync(user);
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "The username or password was invalid");
return;
}