Token endpoint and locked account
Hi, I have a problem with the token endpoint. I created a custom controller action for the token endpoint like in the readme. I made a few changes for an account locking system:
    // IF PASSWORD NOT CORRECT
    if (!await _userManager.CheckPasswordAsync(user, request.Password))
    {
        if (_userManager.SupportsUserLockout)
        {
            // Increments the failed-access counter and locks the account once the limit is reached
            await _userManager.AccessFailedAsync(user);
        }
        var failedAttempts = await _userManager.GetAccessFailedCountAsync(user);
        var passwordInvalid = new ErrorViewModel()
        {
            Error = "Invalid grant",
            ErrorDescription = String.Format("Password incorrect! {0} of 5 attempts.", failedAttempts)
        };
        return Json(passwordInvalid);
    }
    // IF ACCOUNT LOCKED
    if (await _userManager.IsLockedOutAsync(user))
    {
        // GetLockoutEndDateAsync returns the absolute end instant; the remaining time is end minus now
        var lockoutEndTime = await _userManager.GetLockoutEndDateAsync(user);
        var minutesLeft = lockoutEndTime.HasValue
            ? Math.Ceiling((lockoutEndTime.Value - DateTimeOffset.UtcNow).TotalMinutes)
            : 0;
        var accountLocked = new ErrorViewModel()
        {
            Error = "Invalid grant",
            ErrorDescription = "Account locked! Wait " + minutesLeft + " minutes."
        };
        return Json(accountLocked);
    }
Unless the user reaches the limit of attempts all is fine, but when the user account is locked the server does not hit my action. I'm getting 400 (Bad Request), but it's not my response:
    {
        "error": "invalid_grant",
        "error_description": "Account locked out."
    }
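As an added example (not code from the issue above and not OpenIddict's own code), here is a lockout-aware credential check built only on ASP.NET Core Identity's UserManager<TUser>, the same API the snippet above calls. It does three things the snippet gets wrong or leaves out: it tests the lockout before the password so a locked account never reaches the password check, it reports the lockout on the very failure that trips it, and it computes the remaining lockout as end time minus now rather than reading the clock's minute component. The names CredentialOutcome, CredentialResult, LockoutAwareLogin and ToTokenError are hypothetical; the "5 attempts" limit is taken from MaxFailedAccessAttempts instead of being hard-coded.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

// Added example; the type and method names below are hypothetical, not from the issue or OpenIddict.
public enum CredentialOutcome { Ok, InvalidPassword, LockedOut }

public sealed class CredentialResult
{
    public CredentialOutcome Outcome { get; init; }
    public int? AttemptsLeft { get; init; }          // set for InvalidPassword when lockout is enabled
    public TimeSpan LockoutRemaining { get; init; }  // set for LockedOut

    // Renders the same {"error","error_description"} shape the token endpoint returns; null means "proceed".
    public (string Error, string ErrorDescription)? ToTokenError()
    {
        switch (Outcome)
        {
            case CredentialOutcome.InvalidPassword:
                return AttemptsLeft is int n
                    ? ("invalid_grant", $"Password incorrect. {n} attempt(s) left before lockout.")
                    : ("invalid_grant", "Password incorrect.");
            case CredentialOutcome.LockedOut:
                var minutes = Math.Max(1, (int)Math.Ceiling(LockoutRemaining.TotalMinutes));
                return ("invalid_grant", $"Account locked. Try again in {minutes} minute(s).");
            default:
                return null;
        }
    }
}

public static class LockoutAwareLogin
{
    public static async Task<CredentialResult> CheckAsync<TUser>(
        UserManager<TUser> userManager, TUser user, string password, DateTimeOffset now)
        where TUser : class
    {
        var lockoutEnabled = userManager.SupportsUserLockout;

        // 1. Lockout first: a locked account must never reach the password check, so the caller
        //    learns nothing about password correctness and the failure counter is not bumped further.
        if (lockoutEnabled && await userManager.IsLockedOutAsync(user))
            return Locked(await RemainingAsync(userManager, user, now));

        // 2. Password check. CheckPasswordAsync only verifies the hash; AccessFailedAsync is what
        //    increments the counter and locks the account when MaxFailedAccessAttempts is reached.
        if (!await userManager.CheckPasswordAsync(user, password))
        {
            if (!lockoutEnabled)
                return new CredentialResult { Outcome = CredentialOutcome.InvalidPassword };

            await userManager.AccessFailedAsync(user);

            // This failure may be the one that tripped the lock: report the lockout now rather
            // than "0 attempts left", so the client shows the right message immediately.
            if (await userManager.IsLockedOutAsync(user))
                return Locked(await RemainingAsync(userManager, user, now));

            var failed = await userManager.GetAccessFailedCountAsync(user);
            var max = userManager.Options.Lockout.MaxFailedAccessAttempts;
            return new CredentialResult
            {
                Outcome = CredentialOutcome.InvalidPassword,
                AttemptsLeft = Math.Max(0, max - failed)
            };
        }

        // 3. Success: clear the counter so old failures do not accumulate across logins.
        if (lockoutEnabled)
            await userManager.ResetAccessFailedCountAsync(user);

        return new CredentialResult { Outcome = CredentialOutcome.Ok };
    }

    // GetLockoutEndDateAsync returns the absolute end instant; the remaining time is end - now.
    private static async Task<TimeSpan> RemainingAsync<TUser>(
        UserManager<TUser> userManager, TUser user, DateTimeOffset now) where TUser : class
    {
        var end = await userManager.GetLockoutEndDateAsync(user);
        var remaining = end.HasValue ? end.Value - now : TimeSpan.Zero;
        return remaining < TimeSpan.Zero ? TimeSpan.Zero : remaining;
    }

    private static CredentialResult Locked(TimeSpan remaining) =>
        new CredentialResult { Outcome = CredentialOutcome.LockedOut, LockoutRemaining = remaining };
}
```

In a token action you would call CheckAsync with DateTimeOffset.UtcNow, return the tuple from ToTokenError as the JSON error body when it is non-null, and otherwise go on to issue the token. Note that this only helps once the request reaches your action; the behaviour reported in the issue (the framework's own lockout check answering before the action runs) is what the maintainer's fix below addressed.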
Issue Analytics
- Created 7 years ago
- Comments: 5 (3 by maintainers)
Top GitHub Comments
Okay, I’m sold, let’s remove the internal check. I’ll work on that in the next few days.
Fixed by https://github.com/openiddict/openiddict-core/issues/220.