AuthenticateLocalAsync is vulnerable to a timing attack.
In IdentityServer3 the LoginLocal route can give away what accounts exist when used with AspNetIdentityUserService. When using a bad password, entering an account that exists responds more quickly than an account that doesn't.
See https://github.com/IdentityServer/IdentityServer3/pull/3423/commits/130acc0111fbe67b5c0f45c5048188bbabab0362 for a simple example of how to fix.
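As an added, stand-alone illustration of the side channel described in this issue (example code; not code from IdentityServer3, ASP.NET Identity, or the linked commit): a login routine whose branches do different amounts of work answers at different speeds, so an attacker supplying a bad password can tell whether the username exists. In this model the unknown-user branch is the fast one because it skips the password hash; whichever branch is faster in a given code base, the defence is the same: make both branches do the same work. The hardened variant below verifies unknown users against a dummy credential before rejecting them. The user store, the dummy credential, the `hash_calls` counter and the function names are all constructed for the example.

```python
import hashlib
import hmac
import os
import statistics
import time

ITERATIONS = 100_000  # PBKDF2 work factor; chosen so a hash is measurably slow

# Instrumentation for the example: counts how often the expensive step runs.
hash_calls = {"count": 0}


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for a password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    """Recompute the hash and compare it in constant time."""
    hash_calls["count"] += 1
    _, actual = hash_password(password, salt)
    return hmac.compare_digest(actual, expected)


# Constructed user store: only one account exists.
USERS = {"alice": hash_password("correct horse battery staple")}

# Dummy credential hashed once at startup (constructed for the example).
# Unknown usernames are verified against it so the password step costs the
# same whether or not the account exists; the result is always discarded.
DUMMY_SALT, DUMMY_HASH = hash_password(os.urandom(32).hex())


def authenticate_vulnerable(username, password):
    """Pattern that leaks account existence: an unknown user skips the hash."""
    record = USERS.get(username)
    if record is None:
        return False  # fast path: no PBKDF2 work was done
    salt, expected = record
    return verify_password(password, salt, expected)


def authenticate_hardened(username, password):
    """Same check, but unknown users pay for a hash before being rejected."""
    record = USERS.get(username)
    if record is None:
        verify_password(password, DUMMY_SALT, DUMMY_HASH)  # result discarded
        return False
    salt, expected = record
    return verify_password(password, salt, expected)


def hash_calls_for(authenticate, username, password):
    """Number of password hashes one login attempt triggers."""
    before = hash_calls["count"]
    authenticate(username, password)
    return hash_calls["count"] - before


def median_login_ms(authenticate, username, password, rounds=5):
    """Median wall-clock time of a login attempt, in milliseconds."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        authenticate(username, password)
        samples.append((time.perf_counter() - start) * 1000)
    return statistics.median(samples)


if __name__ == "__main__":
    for name, fn in (("vulnerable", authenticate_vulnerable),
                     ("hardened", authenticate_hardened)):
        known = median_login_ms(fn, "alice", "wrong password")
        unknown = median_login_ms(fn, "bob", "wrong password")
        print(f"{name:10s} existing user: {known:7.2f} ms   "
              f"unknown user: {unknown:7.2f} ms")
```

Running the script prints the timing gap for the vulnerable routine and its near-disappearance for the hardened one. Two caveats when applying the pattern to a real user service: the dummy hash must use the same algorithm and work factor as the stored hashes, or the gap simply shrinks rather than closes; and the user lookup itself (a database round trip that may or may not hit a cache) remains a smaller, separate timing channel that this change does not address.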