我正在尝试在我的webapi的身份框架中实现锁定功能。我正在使用 oAuth 令牌 https://myapi.com/Token当用户身份验证在登录并获取令牌时失败时,它似乎不会影响数据库中的 AccessFailedCount 字段。 谷歌搜索并发现我需要使用 SigninManager 才能使用该功能。发行代币时有没有办法实现它?
感谢您的帮助
您需要
在UserManager上显式调用AccessFailedAsync:
if (userManager.SupportsUserLockout)
await userManager.AccessFailedAsync(user);
例如,在OpenIdConnectServerProvider.HandleTokenRequest上下文中,这可能如下所示:
var userManager =
context.HttpContext.RequestServices.GetRequiredService<UserManager<User>>();
var user = await userManager.FindByNameAsync(context.Request.Username);
if (userManager.SupportsUserLockout && await userManager.IsLockedOutAsync(user))
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "User locked out due to too many failed attempts. Try again later.");
return;
}
if (!await userManager.CheckPasswordAsync(user, context.Request.Password))
{
// If lockout is supported, increment access failed count
if (userManager.SupportsUserLockout)
await userManager.AccessFailedAsync(user);
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "The username or password was invalid");
return;
}