Creating users with no password using ASP.NET Identity

Sam Parsons · Nov 19, 2015 · Viewed 13.5k times

I have been given the requirement to provide the ability to create users through the UI with no password. I am trying to accomplish this using ASP.NET Identity.

I am able to successfully create a user without a password using the UserManager's Create method:

if (vm.ShouldHavePassword)
{
    userManager.Create(userToInsert, vm.Password);
}
else
{
    userManager.Create(userToInsert);
}

After the call to the Create method, the test user gets successfully saved into our AspNetUsers table. And when I do not provide a password, the PasswordHash column in our AspNetUsers table is set to NULL.

My issue is, I cannot log in as the test user that does not have a password. The following is the method call that we use to validate a user's credentials:

result = await SignInManager.PasswordSignInAsync(model.UserName, model.Password, model.RememberMe, shouldLockout: false);

I attempted to log in as a test user that has a NULL PasswordHash multiple times. To do this, I do not provide a password in our login form. As a result, a NULL password is passed into the PasswordSignInAsync method. The return value of this method call is always SignInStatus.Failure.

Using ASP.NET Identity, how can I configure my code to correctly authenticate user credentials when the credentials contain a NULL password, and the user in the database contains a NULL PasswordHash? Is such a thing even possible?

Answer

Alfredo R · Aug 12, 2016

Yes, you can. ASP.NET Identity Framework is fully customizable. Just override the PasswordValidator.ValidateAsync and PasswordHasher.VerifyHashedPassword methods like this:

using System.Threading.Tasks;
using Microsoft.AspNet.Identity;

internal class CustomPasswordValidator : PasswordValidator
{
    // Treat a null or empty password as valid; otherwise apply the normal rules.
    public override async Task<IdentityResult> ValidateAsync(string item)
    {
        if (string.IsNullOrEmpty(item)) return IdentityResult.Success;
        return await base.ValidateAsync(item);
    }
}

internal class CustomPasswordHasher : PasswordHasher
{
    // Accept an empty password when the stored hash is NULL;
    // otherwise fall back to the default hash comparison.
    public override PasswordVerificationResult VerifyHashedPassword(string hashedPassword, string providedPassword)
    {
        if (hashedPassword == null && string.IsNullOrEmpty(providedPassword))
            return PasswordVerificationResult.Success;
        return base.VerifyHashedPassword(hashedPassword, providedPassword);
    }
}

And set them like this:

    var manager = new ApplicationUserManager(new UserStore<ApplicationUser>(context.Get<ApplicationDbContext>()));

    manager.PasswordValidator = new CustomPasswordValidator();
    manager.PasswordHasher = new CustomPasswordHasher();
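
An added example, not part of the answer above: the custom hasher sees only the stored hash and the submitted password, so it accepts an empty password for every account whose PasswordHash is NULL, whatever the reason the hash is missing. This variant makes password-less sign-in an explicit per-user opt-in by overriding UserManager.CheckPasswordAsync; the AllowEmptyPassword property and the class definitions shown are assumptions, not the project's code.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

// Assumption: AllowEmptyPassword is a hypothetical column added to the user
// entity (it needs an EF migration); it is not part of ASP.NET Identity.
public class ApplicationUser : IdentityUser
{
    public bool AllowEmptyPassword { get; set; }
}

public class ApplicationUserManager : UserManager<ApplicationUser>
{
    public ApplicationUserManager(IUserStore<ApplicationUser> store) : base(store) { }

    // SignInManager.PasswordSignInAsync calls this method to check the password.
    public override async Task<bool> CheckPasswordAsync(ApplicationUser user, string password)
    {
        if (user == null) return false;

        if (user.PasswordHash == null)
        {
            // A NULL hash alone is not enough: accounts that have no hash for
            // another reason (for example, external-login-only accounts) stay
            // locked out of password sign-in unless they were explicitly opted in.
            return user.AllowEmptyPassword && string.IsNullOrEmpty(password);
        }

        // Accounts that do have a hash never accept an empty password.
        if (string.IsNullOrEmpty(password)) return false;

        return await base.CheckPasswordAsync(user, password);
    }
}
```

With this override, the UI sets AllowEmptyPassword = true on the user before calling userManager.Create(userToInsert), and the default PasswordHasher stays in place.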