
Comments (30)

TechSavvySam commented on August 25, 2024 2

I had to extend the code to support password force change so IMO this would be a great one to add. The logic to support force password change is fairly simple. Certainly the complexity comes in when you want to add tunable expiration logic and password history (which could be added later).

I'm actually using external logic in a scheduled task to figure out when to expire users' passwords. My current iteration of expiring passwords is because we made the password rules more complex and wanted to force all users to update to the more complex passwords.

from aspnetcore.

blowdart avatar blowdart commented on August 25, 2024 1

See, we planned ahead. Genius!

blowdart commented on August 25, 2024 1

2.2

fabich commented on August 25, 2024 1

> PCI demands users to update the password and also it's a best practice being enforced in most of the enterprise systems. Regardless of the business requirement, I guess this is the most wanted feature for an identity framework.
>
> Any update please?

@Janidbest there are more and more security papers and best-practice recommendations to no longer enforce password expiration.
e.g. https://www.sans.org/security-awareness-training/blog/time-password-expiration-die
or directly from Microsoft:
https://www.microsoft.com/en-us/research/publication/password-guidance

Xyncgas commented on August 25, 2024 1

IMO, this feature can be implemented by an intern taking minimum wage at a high school relationship tech company, under 30 min

Jack-S-Jenkins commented on August 25, 2024 1

+1! The feature would be nice for those who need a quick way to expire a user password after having an admin manually reset it to "Password" or some other simple one. At least it will be some modicum of security for low-level non-critical apps.

techyian commented on August 25, 2024

Hey,

Any news on this one guys? Would be a great feature to include.

HaoK commented on August 25, 2024

@blowdart thoughts?

blowdart commented on August 25, 2024

Yea, we ought to, it'll need template support as well, so, 1.2?

HaoK commented on August 25, 2024

@blowdart @divega what kind of password expiration do we want to support? Cheapest would be just adding a UserManager API to force expire passwords, and a new method to query for expired passwords.

Or we could go for something more involved like automatic password expiration policies, involving last password change dates etc. If we are going to be updating the schema with things like CreatedDate/LastSignInDate, LastPasswordChangeDate isn't the worst to add at this time either.

christophermllr commented on August 25, 2024

FWIW, a client of mine required this feature and I ended up extending the data model exactly as you mentioned in your second recommendation above.

HaoK commented on August 25, 2024

@blowdart @divega should we continue to add optional interfaces to add these features in a non breaking way, or can we update our existing interfaces to require this functionality in stores for 2.0?

HaoK commented on August 25, 2024

This boils down to if we are going to add IUserLastPasswordChangeStore vs adding the methods to IUserPasswordStore, and similarly for CreatedDate/SignInDate with new stores or updating any existing interface.

blowdart commented on August 25, 2024

Non breaking. Probably need some other infrastructure too, like password history.

brockallen commented on August 25, 2024

Good thing your password validator accepts the user as a param and not just the password :P

VitaliiVlasovDevPro commented on August 25, 2024

Hi!
Is there any news about this feature?

HaoK commented on August 25, 2024

This is unlikely to be coming in 2.1 since this requires schema changes to implement.

gamerwalt commented on August 25, 2024

HaoK commented on August 25, 2024

@blowdart punt to backlog or 2.2?

HaoK commented on August 25, 2024

Requires more schema changes

HaoK commented on August 25, 2024

If we ever add this feature, we should probably support using it as part of the default UI as well.

cleftheris commented on August 25, 2024

It seems to me this is quite handy and especially regarding the Dates involved (LastSigninDate etc.) there is no easy way to implement this as a consumer of the library without overriding everything from the UserManager, SigninManager, UserStore, CustomApplicationUser.

Could this potentially be done in two phases so we can build on top? The first part could be included in 2.2, containing only the changes around IUserActivityStore<TUser>.

harishakim commented on August 25, 2024

Hi, everybody,
please give more details about the password expired date.

jmatheti commented on August 25, 2024

PCI demands users to update the password and also it's a best practice being enforced in most of the enterprise systems. Regardless of the business requirement, I guess this is the most wanted feature for an identity framework.

Any update please?

Does not want to duplicate code (which I already have two-factor implemented prior release).

I did a quick implementation, i.e. UserManager - CreateAsync to add PasswordExpiryEnabled and PasswordEnd as per the configuration to AspNetUser. Then on login, signInManager.CheckPasswordSignInAsync, following a conditional check before signInManager.SignInAsync.

This seems to work; however, it's good to have this included in the framework.

jmatheti commented on August 25, 2024

There is another problem with the above approach mentioned to handle password expiration.
The problem is we cannot have two-factor authentication, because when we do a check on the VerifyCode page using the below, user always returns null.

```csharp
var user = await signInManager.GetTwoFactorAuthenticationUserAsync();
```

That's because the user is signed in, but not for two-factor sign-in.
The method is unfortunately private, and I can't think of any workaround.

```csharp
private async Task<SignInResult> SignInOrTwoFactorAsync(TUser user, bool isPersistent, string loginProvider = null, bool bypassTwoFactor = false)
```

So I guess we need the framework to have this functionality built in.

jmatheti commented on August 25, 2024

In the interim, as a workaround, I'm using the below (it seems to work for now):

```csharp
// handle two-factor authentication
if (user.TwoFactorEnabled)
{
    await signInManager.PasswordSignInAsync(user, model.NewPassword, model.IsPersistent, true);
    return await TwoFactorAuthenticationHandler(user, model.IsPersistent, model.ReturnUrl);
}
else
{
    await signInManager.SignInAsync(user, model.IsPersistent);
    await appUserService.ManagePasswordExpiryAsync(user);

    return RedirectToLocal(model.ReturnUrl);
}
```

from aspnetcore.
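
One way to run the expiry check so that the two-factor step still happens, covering both the force-change flag and the LastPasswordChangeDate idea raised earlier in the thread. This is an added example, not code from any commenter or from ASP.NET Core Identity; `ApplicationUser`, `MustChangePassword`, `LastPasswordChangedUtc` and `ExpiringPasswordSignIn` are hypothetical names, and only public `UserManager`/`SignInManager` methods are used.

```csharp
// Added example: ApplicationUser, MustChangePassword, LastPasswordChangedUtc and
// ExpiringPasswordSignIn are hypothetical names, not part of ASP.NET Core Identity.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

public class ApplicationUser : IdentityUser
{
    public bool MustChangePassword { get; set; }                // admin "force change" flag
    public DateTimeOffset? LastPasswordChangedUtc { get; set; } // null = never recorded
}

public class ExpiringPasswordSignIn
{
    private readonly UserManager<ApplicationUser> _users;
    private readonly SignInManager<ApplicationUser> _signIn;
    private readonly TimeSpan? _maxAge; // null disables age-based expiry

    public ExpiringPasswordSignIn(UserManager<ApplicationUser> users,
        SignInManager<ApplicationUser> signIn, TimeSpan? maxAge)
    {
        _users = users; _signIn = signIn; _maxAge = maxAge;
    }

    // Pure policy check, kept separate so it can be unit tested.
    public static bool IsExpired(ApplicationUser user, TimeSpan? maxAge, DateTimeOffset now)
    {
        if (user.MustChangePassword) return true;
        if (maxAge == null) return false;
        // A missing change date is treated as expired when an age policy is on.
        return user.LastPasswordChangedUtc == null
            || now - user.LastPasswordChangedUtc.Value > maxAge.Value;
    }

    public async Task<SignInResult> SignInAsync(string userName, string password, bool isPersistent)
    {
        var user = await _users.FindByNameAsync(userName);
        if (user == null) return SignInResult.Failed;

        // 1. Verify the password (with lockout counting) without issuing a cookie.
        var check = await _signIn.CheckPasswordSignInAsync(user, password, lockoutOnFailure: true);
        if (!check.Succeeded) return check;

        // 2. Only a caller who proved the current password learns that it expired.
        if (IsExpired(user, _maxAge, DateTimeOffset.UtcNow)) return SignInResult.NotAllowed;

        // 3. PasswordSignInAsync keeps the two-factor step; SignInAsync would skip it.
        return await _signIn.PasswordSignInAsync(user, password, isPersistent, lockoutOnFailure: true);
    }
}
```

`SignInResult.NotAllowed` is also what Identity returns for accounts that are not allowed to sign in for other reasons, so the caller should call `IsExpired` itself before redirecting to a change-password page. The change-password handler then has to clear `MustChangePassword` and set `LastPasswordChangedUtc`.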

valeriob commented on August 25, 2024

Hi @blowdart ! Is there something in 3.0 preview already ?

blowdart commented on August 25, 2024

No, other things took precedence, and identity gets no extra features for 3.0, hence it going to backlog for now.

stenionobres commented on August 25, 2024

Hi! Is there any news about this feature?

Xyncgas commented on August 25, 2024

as the last issue currently standing in the repository, I press F for condolences
