
I have a requirement to prevent users from logging in to my ASP.NET Web API 2.0 Identity 3.0 backed website until an administrative account "activates" a user's confirmed registered ApplicationUser account.

I have implemented the EmailConfirmed logic to validate that the ApplicationUser account was registered with a working email address. Now I'm looking for an appropriate place to implement a check against the ApplicationUser.Activated property, that I have added, with behavior that prevents a login unless it has been set to true.

I've dug a little bit into the OAuthAuthorizationServerProvider class but I think I'm going to have to really take some time and understand OAuth 2.0 to get anywhere in there. Could anyone make a suggestion as to how and where to implement a test against an Activated property like this?

PS - I'm using bearer token authentication if that was not obvious.

jlavallet
  • If(appUser.Activated)? And where? Wherever you want to block them? – Andy Wiesendanger Sep 02 '15 at 16:03
  • The logic test you provided goes without saying. I'm asking where in the Identity 3.0 code do I add that test? ApplicationOAuthProvider.GrantResourceOwnerCredentials looks like a place to do it but that's not where EmailConfirmed is tested. – jlavallet Sep 02 '15 at 16:35
  • Well, it seems that I am able to get a bearer token for a user that has not yet validated his email address. It seems like this was not the case earlier but it appears to be the case now. – jlavallet Sep 02 '15 at 16:58

1 Answer


Do one thing: when the user clicks on the activation link which you send to the user, redirect to a page where you show a message, "You are successfully registered". On the page load, call the database and set the activate column to true, put a timer on that page, and redirect the user to the login page. During login you can check the user status with email and password. If the status is true, that means it's a registered user.

Hope it will help.

Pankaj Gupta
  • Thanks but I don't want the email validation to activate the user. I have the email validation covered already. What I want is for an administrator to activate the user and for the code to prevent logins by the user until he or she is activated by the administrator. – jlavallet Sep 02 '15 at 16:55
  • I think it's very cumbersome; better to add one more column in the database, "isactive", and make it false. After the click on the user link, set this column to true. – Pankaj Gupta Sep 02 '15 at 17:07
  • I have a requirement to prevent users from logging in to my ASP.NET Web API 2.0 Identity 3.0 backed website until an administrative account "activates" a user's confirmed registered ApplicationUser account. – jlavallet Sep 02 '15 at 17:13
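
An added example, not code from any post in this thread: one way to gate bearer-token issuance on the `Activated` property inside `ApplicationOAuthProvider.GrantResourceOwnerCredentials`, the method named in the question's comments. It assumes the OWIN OAuth provider (`Microsoft.Owin.Security.OAuth`), the project's `ApplicationUserManager` and `ApplicationUser` types, and a password flow without client credentials; the error descriptions are illustrative.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;

public class ApplicationOAuthProvider : OAuthAuthorizationServerProvider
{
    // Assumption: password flow, clients send no client_id/client_secret.
    public override Task ValidateClientAuthentication(
        OAuthValidateClientAuthenticationContext context)
    {
        if (context.ClientId == null) { context.Validated(); }
        return Task.FromResult<object>(null);
    }

    public override async Task GrantResourceOwnerCredentials(
        OAuthGrantResourceOwnerCredentialsContext context)
    {
        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();

        // Verify the password first, so account state is only disclosed
        // to a caller who already knows the credentials.
        ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);
        if (user == null)
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }
        if (!user.EmailConfirmed)
        {
            context.SetError("invalid_grant", "The email address has not been confirmed.");
            return;
        }
        // Activated is the custom ApplicationUser property described in the question.
        if (!user.Activated)
        {
            context.SetError("invalid_grant", "The account has not been activated by an administrator.");
            return;
        }

        // No ticket is issued unless every check above passed.
        ClaimsIdentity identity =
            await userManager.CreateIdentityAsync(user, context.Options.AuthenticationType);
        context.Validated(new AuthenticationTicket(identity, new AuthenticationProperties()));
    }
}
```

This check runs only when a token is requested, so a bearer token issued earlier stays valid until it expires even if `Activated` is later set back to false.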