danroth27
commented
7 years ago @HaoK
Closed Ponant closed 7 years ago
danroth27
commented
7 years ago @HaoK
HaoK
commented
7 years ago The idea is that no SignInManager apis that return SignInResults will allow sign in for users who don't have confirmed emails. They will return NotAllowed.
Why do you set RequireConfirmedEmail to true, if you don't want to ensure all users's have confirmed emails?
brockallen
commented
7 years ago Email is needed for password reset. If you use an external provider you have no password. That's why this flag makes little sense for users that only have external accounts (and no password).
HaoK
commented
7 years ago So the underlying issue is that SignInManager.ExternalSignIn should not block sign's based on this flag.
blowdart
commented
7 years ago Yea, we need to separate out confirmed account and confirmed email. Then confirmed email address can be used for things like marketing emails, and keep the EU regulations happy, as well as password resets. Confirmed account would be separate, and set on either an email link click for local accounts, or always for external logins (by default). This will take changes in identity as well as the templates.
HaoK
commented
7 years ago 
Ponant
commented
7 years ago Yes as said above, I already mentioned EU regulations in some other issue.
If we set
RequireConfirmedEmail=true, a user logging in via an external provider will eternally loop on theAccount/ExternalLoginConfirmationpage and will be replied that the UserName is already taken (at second login). This makes little sense to me because a user using an external provider is using it to avoid all the fuzz around email confirmation.