title | author | description | ms.author | ms.date | uid |
---|---|---|---|---|---|
Configure ASP.NET Core Identity | AdrienTorris | Understand ASP.NET Core Identity default values and learn how to configure Identity properties to use custom values. | riande | 08/14/2018 | security/authentication/identity-configuration |
Configure ASP.NET Core Identity
ASP.NET Core Identity uses default values for settings such as password policy, lockout, and cookie configuration. These settings can be overridden in the Startup class.
Identity options
The IdentityOptions class represents the options that can be used to configure the Identity system. IdentityOptions must be set after calling AddIdentity or AddDefaultIdentity.
Claims Identity
IdentityOptions.ClaimsIdentity specifies the ClaimsIdentityOptions with the properties shown in the following table.
Property | Description | Default |
---|---|---|
RoleClaimType | Gets or sets the claim type used for a role claim. | ClaimTypes.Role |
SecurityStampClaimType | Gets or sets the claim type used for the security stamp claim. | AspNet.Identity.SecurityStamp |
UserIdClaimType | Gets or sets the claim type used for the user identifier claim. | ClaimTypes.NameIdentifier |
UserNameClaimType | Gets or sets the claim type used for the user name claim. | ClaimTypes.Name |
Lockout
Lockout is set in the PasswordSignInAsync method:
The preceding code is based on the Login Identity template.
Lockout options are set in Startup.ConfigureServices:
The preceding code sets the IdentityOptions LockoutOptions with default values.
A successful authentication resets the failed access attempts count and resets the clock.
IdentityOptions.Lockout specifies the LockoutOptions with the properties shown in the table.
Property | Description | Default |
---|---|---|
AllowedForNewUsers | Determines if a new user can be locked out. | true |
DefaultLockoutTimeSpan | The amount of time a user is locked out when a lockout occurs. | 5 minutes |
MaxFailedAccessAttempts | The number of failed access attempts until a user is locked out, if lockout is enabled. | 5 |
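How the two lockout pieces fit together, as an added example (not the template's or the project's own code): `LockoutSetup`, `LoginService` and the outcome strings are hypothetical names, and the option values are the defaults from the table above.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public static class LockoutSetup
{
    // Call from Startup.ConfigureServices, after AddIdentity/AddDefaultIdentity.
    public static void ConfigureLockout(IServiceCollection services)
    {
        services.Configure<IdentityOptions>(options =>
        {
            // Defaults listed in the table above, written out explicitly.
            options.Lockout.AllowedForNewUsers = true;
            options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(5);
            options.Lockout.MaxFailedAccessAttempts = 5;
        });
    }
}

public class LoginService
{
    private readonly SignInManager<IdentityUser> _signInManager;

    public LoginService(SignInManager<IdentityUser> signInManager)
    {
        _signInManager = signInManager;
    }

    // Returns a short outcome string; the caller maps it to a page or status code.
    public async Task<string> SignInAsync(string userName, string password, bool rememberMe)
    {
        // lockoutOnFailure: true makes a failed password count toward
        // MaxFailedAccessAttempts. With false, failures from this call are
        // not counted, so the LockoutOptions above never lock the account.
        var result = await _signInManager.PasswordSignInAsync(
            userName, password, rememberMe, lockoutOnFailure: true);

        if (result.Succeeded) return "signed-in";         // failure count is reset
        if (result.RequiresTwoFactor) return "needs-2fa";
        if (result.IsLockedOut) return "locked-out";      // worth logging for detection
        return "invalid-login";  // same outcome for unknown user and wrong password
    }
}
```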
Password
By default, Identity requires that passwords contain an uppercase character, lowercase character, a digit, and a non-alphanumeric character. Passwords must be at least six characters long. PasswordOptions can be set in Startup.ConfigureServices.
IdentityOptions.Password specifies the PasswordOptions with the properties shown in the table.
Property | Description | Default |
---|---|---|
RequireDigit | Requires a number between 0-9 in the password. | true |
RequiredLength | The minimum length of the password. | 6 |
RequiredUniqueChars | Only applies to ASP.NET Core 2.0 or later. Requires the number of distinct characters in the password. | 1 |
RequireLowercase | Requires a lowercase character in the password. | true |
RequireNonAlphanumeric | Requires a non-alphanumeric character in the password. | true |
RequireUppercase | Requires an uppercase character in the password. | true |
Sign-in
The following code sets SignIn settings (to default values):
IdentityOptions.SignIn specifies the SignInOptions with the properties shown in the table.
Property | Description | Default |
---|---|---|
RequireConfirmedEmail | Requires a confirmed email to sign in. | false |
RequireConfirmedPhoneNumber | Requires a confirmed phone number to sign in. | false |
Tokens
IdentityOptions.Tokens specifies the TokenOptions with the properties shown in the table.
Property | Description |
---|---|
AuthenticatorTokenProvider | Gets or sets the AuthenticatorTokenProvider used to validate two-factor sign-ins with an authenticator. |
ChangeEmailTokenProvider | Gets or sets the ChangeEmailTokenProvider used to generate tokens used in email change confirmation emails. |
ChangePhoneNumberTokenProvider | Gets or sets the ChangePhoneNumberTokenProvider used to generate tokens used when changing phone numbers. |
EmailConfirmationTokenProvider | Gets or sets the token provider used to generate tokens used in account confirmation emails. |
PasswordResetTokenProvider | Gets or sets the IUserTwoFactorTokenProvider used to generate tokens used in password reset emails. |
ProviderMap | Used to construct a User Token Provider with the key used as the provider's name. |
User
IdentityOptions.User specifies the UserOptions with the properties shown in the table.
Property | Description | Default |
---|---|---|
AllowedUserNameCharacters | Allowed characters in the username. | abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789 -._@+ |
RequireUniqueEmail | Requires each user to have a unique email. | false |
Cookie settings
Configure the app's cookie in Startup.ConfigureServices. ConfigureApplicationCookie must be called after calling AddIdentity or AddDefaultIdentity.
For more information, see CookieAuthenticationOptions.
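
The Password, Sign-in, User and Cookie settings sections above, combined into one added example (not code from the original page): it keeps the required call order and shows each default from the tables next to a tightened value. `IdentitySetup` and `AddTightenedIdentity` are hypothetical names, and the non-default values, cookie lifetime and route paths are illustrative assumptions.

```csharp
using System;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public static class IdentitySetup
{
    // Hypothetical helper: call from Startup.ConfigureServices and chain the
    // user store on the returned builder (e.g. AddEntityFrameworkStores).
    public static IdentityBuilder AddTightenedIdentity(this IServiceCollection services)
    {
        var builder = services.AddDefaultIdentity<IdentityUser>();

        // IdentityOptions are set after AddDefaultIdentity/AddIdentity.
        services.Configure<IdentityOptions>(options =>
        {
            options.Password.RequireDigit = true;            // default: true
            options.Password.RequiredLength = 12;            // default: 6
            options.Password.RequiredUniqueChars = 4;        // default: 1
            options.Password.RequireLowercase = true;        // default: true
            options.Password.RequireNonAlphanumeric = true;  // default: true
            options.Password.RequireUppercase = true;        // default: true

            options.SignIn.RequireConfirmedEmail = true;         // default: false
            options.SignIn.RequireConfirmedPhoneNumber = false;  // default: false

            options.User.RequireUniqueEmail = true;          // default: false
        });

        // ConfigureApplicationCookie also comes after AddDefaultIdentity/AddIdentity.
        services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.HttpOnly = true;                           // not readable from script
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;  // sent over HTTPS only
            options.ExpireTimeSpan = TimeSpan.FromMinutes(30);        // illustrative lifetime
            options.SlidingExpiration = true;
            options.LoginPath = "/Identity/Account/Login";            // assumed route
            options.AccessDeniedPath = "/Identity/Account/AccessDenied"; // assumed route
        });

        return builder;
    }
}
```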