dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

Custom password sign in flow #50023

Open uhfath opened 1 year ago

uhfath commented 1 year ago

Is there an existing issue for this?

Is your feature request related to a problem? Please describe the problem.

This is somehow related to #5747, but with an idea for a user to set up a custom flow. Currently some methods for TFA and lockout management are private in SignInManager: https://github.com/dotnet/aspnetcore/blob/5a4c82ec57fadddef9ce841d608de5c7c8c74446/src/Identity/Core/src/SignInManager.cs#L373 Specifically IsTfaEnabled, ResetLockoutWithResult and IdentityResultException. Of course we can simply replicate them in our code, but that would require special care during SDK updates. Marking them protected in order to simply shuffle the sequence in CheckPasswordSignInAsync would be much better.

Describe the solution you'd like

Somehow changing the password sign in flow or marking some methods as protected instead of private to be able to use or override them.

For instance, creating a flow in which locked/blocked/unconfirmed/etc. errors are shown only if a correct password was supplied. Otherwise, always return a SignInResult.Failed error so an attacker couldn't distinguish between correct and invalid user names.

Additional context

No response
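Sketch of the flow the request describes, as an added example that is not from the issue or the aspnetcore repository: a SignInManager subclass (the name PasswordFirstSignInManager is assumed) that overrides CheckPasswordSignInAsync so that lockout and confirmation errors surface only after the password has been verified, reusing the protected PreSignInCheck and public UserManager members instead of the private helpers the issue mentions.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

// Hypothetical subclass: the password is verified before any lockout or
// confirmation check, so a wrong password always yields SignInResult.Failed.
public class PasswordFirstSignInManager<TUser> : SignInManager<TUser> where TUser : class
{
    public PasswordFirstSignInManager(UserManager<TUser> userManager,
        IHttpContextAccessor contextAccessor, IUserClaimsPrincipalFactory<TUser> claimsFactory,
        IOptions<IdentityOptions> optionsAccessor, ILogger<SignInManager<TUser>> logger,
        IAuthenticationSchemeProvider schemes, IUserConfirmation<TUser> confirmation)
        : base(userManager, contextAccessor, claimsFactory, optionsAccessor, logger, schemes, confirmation)
    { }

    public override async Task<SignInResult> CheckPasswordSignInAsync(
        TUser user, string password, bool lockoutOnFailure)
    {
        ArgumentNullException.ThrowIfNull(user);
        if (!await UserManager.CheckPasswordAsync(user, password))
        {
            // Wrong password: still count the failure (which may lock the account), but
            // report only Failed so LockedOut/NotAllowed never confirm a valid user name.
            if (UserManager.SupportsUserLockout && lockoutOnFailure
                && !await UserManager.IsLockedOutAsync(user))
                await UserManager.AccessFailedAsync(user);
            Logger.LogDebug("User failed to provide the correct password.");
            return SignInResult.Failed;
        }

        // Correct password: only now run the base class's protected PreSignInCheck,
        // which returns LockedOut or NotAllowed (e.g. unconfirmed account) when applicable.
        var error = await PreSignInCheck(user);
        if (error != null) return error;

        // Same rule as the base class: reset the failed-attempt counter only when TFA is
        // not enabled for the user or the client is already remembered for TFA.
        var tfaEnabled = UserManager.SupportsUserTwoFactor
            && await UserManager.GetTwoFactorEnabledAsync(user)
            && (await UserManager.GetValidTwoFactorProvidersAsync(user)).Count > 0;
        if (!tfaEnabled || await IsTwoFactorClientRememberedAsync(user))
            await UserManager.ResetAccessFailedCountAsync(user);
        return SignInResult.Success;
    }
}
```

Register it with AddSignInManager<PasswordFirstSignInManager<IdentityUser>>() on the IdentityBuilder. Because the hash is verified before the lockout check, a locked-out account still costs one password verification per attempt, and a correct password for a locked or unconfirmed account returns LockedOut/NotAllowed as the request asks.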

ghost commented 1 year ago

We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectations regarding different types of issues, you can read our Triage Process.