IdentityServer / IdentityServer3.AspNetIdentity

ASP.NET Identity support for Thinktecture IdentityServer3
Apache License 2.0

IsActive method checks only for security stamp changes #69

Closed pawepaw closed 8 years ago

pawepaw commented 8 years ago

Hello,

In the user service IsActive method you check only for security_stamp changes. https://github.com/IdentityServer/IdentityServer3.AspNetIdentity/blob/2ece9371e67e3ed4d4e5dbd0f4acdc89b33da166/source/IdentityServer3.AspNetIdentity/IdentityServer3.AspNetIdentity.cs#L413

But during login you check for UserLockout: https://github.com/IdentityServer/IdentityServer3.AspNetIdentity/blob/2ece9371e67e3ed4d4e5dbd0f4acdc89b33da166/source/IdentityServer3.AspNetIdentity/IdentityServer3.AspNetIdentity.cs#L207

Shouldn't you also check for UserLockout in the IsActive method? I understand that you assume that if the security_stamp changed, that means the user has changed, but it doesn't have to mean that he is locked (he could have changed his password or done some other action on his account).

brockallen commented 8 years ago

UserLockout has to do with password guessing, not with whether the user has been marked "disabled". I can imagine a DoS attack if we did this.
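To make the distinction the two comments draw concrete, here is an added C# sketch (not the project's code) of the policy described in this thread: IsActive ends a session only on a security_stamp mismatch, while lockout is honoured only on the login path. The UserRecord type, the `find` lookup and the "security_stamp" claim name are assumptions standing in for ASP.NET Identity and the IdentityServer session cookie.

```csharp
using System;
using System.Security.Claims;
// Stand-in for the ASP.NET Identity user row (constructed for this example).
class UserRecord
{
    public string Id;
    public string SecurityStamp;
    public DateTime? LockoutEndDateUtc;
}

static class SessionPolicy
{
    public const string SecurityStampClaimType = "security_stamp"; // assumed claim name
    // The session stays active only while the stamp in the cookie matches the stored
    // stamp. Lockout is deliberately not consulted: it is a temporary state that failed
    // password attempts trigger, so ending sessions on lockout would let a
    // password-guessing attempt deny service to the legitimate user's existing logins.
    public static bool IsActive(ClaimsPrincipal subject, Func<string, UserRecord> findUser)
    {
        var sub = subject.FindFirst("sub");
        var stamp = subject.FindFirst(SecurityStampClaimType);
        if (sub == null || stamp == null) return false;
        var user = findUser(sub.Value);
        return user != null && string.Equals(user.SecurityStamp, stamp.Value, StringComparison.Ordinal);
    }
    // Login is where the lockout check belongs (the check at line 207 in the thread).
    public static bool CanLogin(UserRecord user, DateTime nowUtc)
    {
        return user != null && !(user.LockoutEndDateUtc.HasValue && user.LockoutEndDateUtc.Value > nowUtc);
    }
    // Disabling an account is expressed by rotating the stamp, which IsActive detects.
    public static void DisableAccount(UserRecord user) => user.SecurityStamp = Guid.NewGuid().ToString("N");
}
class Program
{
    static void Main()
    {
        var user = new UserRecord { Id = "42", SecurityStamp = "stamp-A" };
        Func<string, UserRecord> find = id => id == user.Id ? user : null;
        var principal = new ClaimsPrincipal(new ClaimsIdentity(new[] {
            new Claim("sub", "42"), new Claim(SessionPolicy.SecurityStampClaimType, "stamp-A") }, "cookie"));
        Console.WriteLine(SessionPolicy.IsActive(principal, find));       // fresh session
        user.LockoutEndDateUtc = DateTime.UtcNow.AddMinutes(5);           // lockout after failed password attempts
        Console.WriteLine(SessionPolicy.CanLogin(user, DateTime.UtcNow)); // login path honours the lockout
        Console.WriteLine(SessionPolicy.IsActive(principal, find));       // IsActive ignores the lockout
        SessionPolicy.DisableAccount(user);                               // administrative disable
        Console.WriteLine(SessionPolicy.IsActive(principal, find));       // stamp mismatch is what ends the session
    }
}
```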