Configure Identity

ASP.NET Core Identity has some default behaviors that you can override easily in your application's Startup class.

Passwords policy

By default, Identity requires that passwords contain an uppercase character, lowercase character, a digit, and an alphanumeric character. There are also some other restrictions. If you want to simplify password restrictions, you can do that in the Startup class of your application.

ASP.NET Core 2.0 added the RequiredUniqueChars property. Otherwise, the options are the same from ASP.NET Core 1.x.

services.AddIdentity<ApplicationUser, IdentityRole>(options =>
        // Password settings
        options.Password.RequireDigit = true;
        options.Password.RequiredLength = 8; 
        options.Password.RequireNonAlphanumeric = true;
        options.Password.RequireUppercase = true;
        options.Password.RequireLowercase = true;
        options.Password.RequiredUniqueChars = 2;

IdentityOptions.Password has the following properties:

  • RequireDigit: Requires a number between 0-9 in the password. Defaults to true.
  • RequiredLength: The minimum length of the password. Defaults to 6.
  • RequireNonAlphanumeric: Requires a non-alphanumeric character in the password. Defaults to true.
  • RequireUppercase: Requires an upper case character in the password. Defaults to true.
  • RequireLowercase: Requires a lower case character in the password. Defaults to true.
  • RequiredUniqueChars: Requires the number of distinct characters in the password. Defaults to 1.

User's lockout

services.AddIdentity<ApplicationUser, IdentityRole>(options =>
        // Lockout settings
        options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(5);
        options.Lockout.MaxFailedAccessAttempts = 5; 
        options.Lockout.AllowedForNewUsers = true;

IdentityOptions.Lockout has the following properties:

  • DefaultLockoutTimeSpan: The amount of time a user is locked out when a lockout occurs. Defaults to 5 minutes.
  • MaxFailedAccessAttempts: The number of failed access attempts until a user is locked out, if lockout is enabled. Defaults to 5.
  • AllowedForNewUsers: Determines if a new user can be locked out. Defaults to true.

Sign in settings

services.AddIdentity<ApplicationUser, IdentityRole>(options =>
        // Signin settings
        options.SignIn.RequireConfirmedEmail = true;
        options.SignIn.RequireConfirmedPhoneNumber = false;

IdentityOptions.SignIn has the following properties:

  • RequireConfirmedEmail: Requires a confirmed email to sign in. Defaults to false.
  • RequireConfirmedPhoneNumber: Requires a confirmed phone number to sign in. Defaults to false.

User validation settings

services.AddIdentity<ApplicationUser, IdentityRole>(options =>
        // User settings
        options.User.RequireUniqueEmail = true;

IdentityOptions.User has the following properties:

  • RequireUniqueEmail: Requires each User to have a unique email. Defaults to false.
  • AllowedUserNameCharacters: Allowed characters in the username. Defaults to abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._@+.

Like the passwords policy, all the settings of the application's cookie can be changed in the Startup class.

Under ConfigureServices in the Startup class, you can configure the application's cookie.

services.ConfigureApplicationCookie(options =>
    options.Cookie.Name = "YourAppCookieName";
    options.Cookie.HttpOnly = true; 
    options.ExpireTimeSpan = TimeSpan.FromMinutes(60); 
    options.LoginPath = "/Account/Login";
    options.LogoutPath = "/Account/Logout";
    options.AccessDeniedPath = "/Account/AccessDenied"; 
    options.SlidingExpiration = true;

CookieAuthenticationOptions has the following properties:

  • Cookie.Name: The name of the cookie. Defaults to .AspNetCore.Cookies.
  • Cookie.HttpOnly: When true, the cookie is not accessible from client-side scripts. Defaults to true.
  • ExpireTimeSpan: Controls how much time the authentication ticket stored in the cookie will remain valid from the point it is created. Defaults to 14 days.
  • LoginPath: When a user is unauthorized, they will be redirected to this path to login. Defaults to /Account/Login.
  • LogoutPath: When a user is logged out, they will be redirected to this path. Defaults to /Account/Logout.
  • AccessDeniedPath: When a user fails an authorization check, they will be redirected to this path. Defaults to /Account/AccessDenied.
  • SlidingExpiration: When true, a new cookie will be issued with a new expiration time when the current cookie is more than halfway through the expiration window. Defaults to true.
  • ReturnUrlParameter: The ReturnUrlParameter determines the name of the query string parameter which is appended by the middleware when a 401 Unauthorized status code is changed to a 302 redirect onto the login path.
  • AuthenticationScheme: This is only relevant for ASP.NET Core 1.x. The logical name for a particular authentication scheme.
  • AutomaticAuthenticate: This flag is only relevant for ASP.NET Core 1.x. When true, cookie authentication should run on every request and attempt to validate and reconstruct any serialized principal it created.