Configure Identity

ASP.NET Core Identity has common behaviors, such as password policy, lockout time, and cookie settings, that you can easily override in your application's Startup class.

Password policy

By default, Identity requires that passwords contain an uppercase character, a lowercase character, a digit, and a non-alphanumeric character, and meet a minimum length. To relax or tighten these restrictions, modify the ConfigureServices method of your application's Startup class.

ASP.NET Core 2.0 added the RequiredUniqueChars property. Otherwise, the options are the same as in ASP.NET Core 1.x.

services.AddIdentity<ApplicationUser, IdentityRole>(options =>
{
    // Password settings
    options.Password.RequireDigit = true;
    options.Password.RequiredLength = 8;
    options.Password.RequireNonAlphanumeric = true;
    options.Password.RequireUppercase = true;
    options.Password.RequireLowercase = true;
    options.Password.RequiredUniqueChars = 2;
});

IdentityOptions.Password has the following properties:

| Property | Description | Default |
|---|---|---|
| RequireDigit | Requires a number between 0-9 in the password. | true |
| RequiredLength | The minimum length of the password. | 6 |
| RequireNonAlphanumeric | Requires a non-alphanumeric character in the password. | true |
| RequireUppercase | Requires an upper case character in the password. | true |
| RequireLowercase | Requires a lower case character in the password. | true |
| RequiredUniqueChars | Requires the number of distinct characters in the password. | 1 |

User lockout

services.AddIdentity<ApplicationUser, IdentityRole>(options =>
{
    // Lockout settings
    options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(5);
    options.Lockout.MaxFailedAccessAttempts = 5;
    options.Lockout.AllowedForNewUsers = true;
});

IdentityOptions.Lockout has the following properties:

| Property | Description | Default |
|---|---|---|
| DefaultLockoutTimeSpan | The amount of time a user is locked out when a lockout occurs. | 5 minutes |
| MaxFailedAccessAttempts | The number of failed access attempts until a user is locked out, if lockout is enabled. | 5 |
| AllowedForNewUsers | Determines if a new user can be locked out. | true |

Sign in settings

services.AddIdentity<ApplicationUser, IdentityRole>(options =>
{
    // Sign-in settings
    options.SignIn.RequireConfirmedEmail = true;
    options.SignIn.RequireConfirmedPhoneNumber = false;
});

IdentityOptions.SignIn has the following properties:

| Property | Description | Default |
|---|---|---|
| RequireConfirmedEmail | Requires a confirmed email to sign in. | false |
| RequireConfirmedPhoneNumber | Requires a confirmed phone number to sign in. | false |

User validation settings

services.AddIdentity<ApplicationUser, IdentityRole>(options =>
{
    // User settings
    options.User.RequireUniqueEmail = true;
});

IdentityOptions.User has the following properties:

| Property | Description | Default |
|---|---|---|
| RequireUniqueEmail | Requires each user to have a unique email. | false |
| AllowedUserNameCharacters | Allowed characters in the username. | abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._@+ |

Like the password policy, all the settings of the application's cookie can be changed in the Startup class, under ConfigureServices.

services.ConfigureApplicationCookie(options =>
{
    options.Cookie.Name = "YourAppCookieName";
    options.Cookie.HttpOnly = true;
    options.ExpireTimeSpan = TimeSpan.FromMinutes(60);
    options.LoginPath = "/Account/Login";
    options.LogoutPath = "/Account/Logout";
    options.AccessDeniedPath = "/Account/AccessDenied";
    options.SlidingExpiration = true;
    // Requires `using Microsoft.AspNetCore.Authentication.Cookies;`
    options.ReturnUrlParameter = CookieAuthenticationDefaults.ReturnUrlParameter;
});

CookieAuthenticationOptions has the following properties:

| Property | Description | Default |
|---|---|---|
| Cookie.Name | The name of the cookie. | .AspNetCore.Cookies |
| Cookie.HttpOnly | When true, the cookie is not accessible from client-side scripts. | true |
| ExpireTimeSpan | Controls how much time the authentication ticket stored in the cookie will remain valid from the point it is created. | 14 days |
| LoginPath | When a user is unauthorized, they will be redirected to this path to login. | /Account/Login |
| LogoutPath | When a user is logged out, they will be redirected to this path. | /Account/Logout |
| AccessDeniedPath | When a user fails an authorization check, they will be redirected to this path. | /Account/AccessDenied |
| SlidingExpiration | When true, a new cookie will be issued with a new expiration time when the current cookie is more than halfway through the expiration window. | true |
| ReturnUrlParameter | Determines the name of the query string parameter which is appended by the middleware when a 401 Unauthorized status code is changed to a 302 redirect onto the login path. | ReturnUrl |
| AuthenticationScheme | This is only relevant for ASP.NET Core 1.x. The logical name for a particular authentication scheme. | |
| AutomaticAuthenticate | This flag is only relevant for ASP.NET Core 1.x. When true, cookie authentication should run on every request and attempt to validate and reconstruct any serialized principal it created. | |
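A complete ConfigureServices that wires the password, lockout, sign-in, user and cookie sections above together with stricter values, added here as an example and not taken from the original page. ApplicationUser and ApplicationDbContext are assumed to be the project's own types, and Cookie.SecurePolicy is a CookieBuilder setting that goes beyond the table above.

```csharp
using System;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // ApplicationUser and ApplicationDbContext are assumed to exist in the project.
        services.AddIdentity<ApplicationUser, IdentityRole>(options =>
        {
            // Password policy: keep the character-class rules, raise the length.
            options.Password.RequiredLength = 12;
            options.Password.RequireDigit = true;
            options.Password.RequireNonAlphanumeric = true;
            options.Password.RequireUppercase = true;
            options.Password.RequireLowercase = true;
            options.Password.RequiredUniqueChars = 4; // ASP.NET Core 2.0 and later

            // Lockout: bounds online guessing. Failures are only counted when
            // SignInManager.PasswordSignInAsync is called with lockoutOnFailure: true.
            options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
            options.Lockout.MaxFailedAccessAttempts = 5;
            options.Lockout.AllowedForNewUsers = true;

            // Sign-in: an unconfirmed e-mail address cannot be used to sign in.
            options.SignIn.RequireConfirmedEmail = true;

            // Users: one account per e-mail address.
            options.User.RequireUniqueEmail = true;
        })
        .AddEntityFrameworkStores<ApplicationDbContext>()
        .AddDefaultTokenProviders();

        services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.Name = "YourAppCookieName";
            options.Cookie.HttpOnly = true;                          // hidden from client-side script
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // only sent over HTTPS
            options.ExpireTimeSpan = TimeSpan.FromMinutes(60);
            options.SlidingExpiration = true;
            options.LoginPath = "/Account/Login";
            options.LogoutPath = "/Account/Logout";
            options.AccessDeniedPath = "/Account/AccessDenied";
            options.ReturnUrlParameter = CookieAuthenticationDefaults.ReturnUrlParameter;
        });
    }
}
```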