aspnet / Identity

[Archived] ASP.NET Core Identity is the membership system for building ASP.NET Core web applications, including membership, login, and user data. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0
1.96k stars 868 forks

Why does PasswordValidator<TUser>.ValidateAsync() require a user in the input? #1756

Closed guythetechie closed 6 years ago

guythetechie commented 6 years ago

Here's a link to the corresponding function: https://github.com/aspnet/Identity/blob/5a2eb3becdf6e25601f984542fc2f95a780314f0/src/Core/PasswordValidator.cs#L39

My understanding is that this function checks whether a password is valid (regardless of the user). As far as I can tell, the input TUser user isn't used anywhere in the function. Using ValidateAsync(UserManager manager, string password) would be less verbose than the current ValidateAsync(UserManager manager, TUser user, string password).

I'm using this function in my API to check whether passwords match complexity requirements. As it stands, I have to create a dummy new TUser() to run it.

Thanks for taking a look!

HaoK commented 6 years ago

Yes, it's meant to validate the password for a particular user. The default implementation doesn't use the user, but there were requests to make it possible to do things like password history requirements, which may require access to the user, so it's relevant to some validators. You can just ignore it if you don't need it in your validator.
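To illustrate the kind of validator the `user` parameter exists for, here is an added example (not part of the thread and not the project's own code) of an `IPasswordValidator<TUser>` that reads per-user state. The `AppUser` type, its `PreviousPasswordHashes` property and the two error codes are hypothetical, and the application is assumed to append the old hash to that list whenever a password changes.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

// Hypothetical user type: PreviousPasswordHashes is an assumption, not part of IdentityUser.
public class AppUser : IdentityUser
{
    public List<string> PreviousPasswordHashes { get; set; } = new List<string>();
}

// Rejects a password that contains the user name or repeats an earlier password.
// Registered next to the default validator with:
//   services.AddIdentity<AppUser, IdentityRole>()
//           .AddPasswordValidator<UserAwarePasswordValidator>();
public class UserAwarePasswordValidator : IPasswordValidator<AppUser>
{
    public Task<IdentityResult> ValidateAsync(
        UserManager<AppUser> manager, AppUser user, string password)
    {
        if (manager == null) throw new ArgumentNullException(nameof(manager));
        if (user == null) throw new ArgumentNullException(nameof(user));
        if (password == null) throw new ArgumentNullException(nameof(password));

        var errors = new List<IdentityError>();

        // A freshly constructed user (the "dummy" case from the question) has no
        // name and no history, so both checks are skipped and the result is Success.
        if (!string.IsNullOrEmpty(user.UserName) &&
            password.IndexOf(user.UserName, StringComparison.OrdinalIgnoreCase) >= 0)
        {
            errors.Add(new IdentityError {
                Code = "PasswordContainsUserName", // hypothetical code
                Description = "Password must not contain the user name." });
        }

        // Stored hashes are salted, so the candidate must be verified against each
        // old hash with the hasher; comparing hash strings would never match.
        foreach (var oldHash in user.PreviousPasswordHashes ?? new List<string>())
        {
            if (manager.PasswordHasher.VerifyHashedPassword(user, oldHash, password)
                != PasswordVerificationResult.Failed)
            {
                errors.Add(new IdentityError {
                    Code = "PasswordReused", // hypothetical code
                    Description = "Password was used before." });
                break;
            }
        }
        return Task.FromResult(errors.Count == 0
            ? IdentityResult.Success : IdentityResult.Failed(errors.ToArray()));
    }
}
```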