I have a Blazor Server App that uses Microsoft.AspNetCore.Identity. A user authenticates (using IdentityServer) and can then view pages, depending on their roles. I check for roles in one of two ways. Either at the start of the page:
@attribute [Authorize(Roles = "some_user_role")]
or in code blocks:
<AuthorizeView Roles="some_user_role">
</AuthorizeView>
In my Startup.cs class, I have this:
public void ConfigureServices(IServiceCollection services)
{
//db connection stuff
services.AddDefaultIdentity<CustomUserContext>(options =>
options.SignIn.RequireConfirmedAccount = true)
.AddRoles<IdentityRole>()
.AddEntityFrameworkStores<ApplicationDbContext>()
.AddClaimsPrincipalFactory<UserClaimsPrincipalFactory<CustomUserContext>>();
// do other stuff
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
//other stuff
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
endpoints.MapBlazorHub();
endpoints.MapFallbackToPage("/_Host");
});
}
But, when I authenticate with my credentials, even though my account's EmailConfirmed is false, I can still access things that require "some_user_role" role. How do I enforce EmailConfirmed? Do I have to remove a users Roles until they confirm?
thanks
CodePudding user response:
Pretty much yes. Email confirmation has nothing to do with account working - and can be reset i.e. for an email change.
Do whatever your logic asks for.