I have a Blazor Server App that uses Microsoft.AspNetCore.Identity. A user authenticates (using IdentityServer) and can then view pages, depending on their roles. I check for roles in one of two ways. Either at the start of the page:

@attribute [Authorize(Roles = "some_user_role")]

or in code blocks:

<AuthorizeView Roles="some_user_role">
</AuthorizeView>

In my Startup.cs class, I have this:

public void ConfigureServices(IServiceCollection services)
{
   //db connection stuff

   services.AddDefaultIdentity<CustomUserContext>(options =>
           options.SignIn.RequireConfirmedAccount = true)
        .AddRoles<IdentityRole>()
        .AddEntityFrameworkStores<ApplicationDbContext>()
        .AddClaimsPrincipalFactory<UserClaimsPrincipalFactory<CustomUserContext>>();
    // do other stuff
}
        
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    //other stuff
     app.UseRouting();
     app.UseAuthentication();
     app.UseAuthorization();           

     app.UseEndpoints(endpoints =>
     {               
          endpoints.MapControllers();
          endpoints.MapBlazorHub();
          endpoints.MapFallbackToPage("/_Host");
                
     });
}

But, when I authenticate with my credentials, even though my account's EmailConfirmed is false, I can still access things that require "some_user_role" role. How do I enforce EmailConfirmed? Do I have to remove a users Roles until they confirm?
thanks

CodePudding user response：

Pretty much yes. Email confirmation has nothing to do with account working - and can be reset i.e. for an email change.

Do whatever your logic asks for.