Change username's default allowed characters to confirm better to email spec

[janpieterz]

Since the default configuration in the samples, and presumably in quite a lot of systems will be that the username is the email address, it threw me off a little bit when discovering that the + sign is not an allowed character in a username.

I was thinking that it would be helpful to offer the email's allowed list (see this answer of someone diving into the allowed characters).

If this is not feasible (I can imagine that a username should be something remotely readable, although one could argue that an email should be as well), would it be possible to offer both versions of these strings as a const string in the user options class, so that this behavior is not repeatedly implemented by every application? In either case, the current implementation suggests it allows email addresses (the @ and .) but it doesn't actually fully implement this.

The string I use in my application (as far as I know I'm only missing the 'quoted' character requirement):

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&'*+-/=?^_`{|}~.@

[HaoK]

@blowdart the delta appears to be the following characters, how many of these do you want to enable by default, some of these look pretty wonky to be valid user name characters by default...

!#$%&'*+/=?^`{|}~

[blowdart]

Oh that is bad isn't it. Lots of invalid characters for emails. This is strange. Either we update the samples so it's not emails, or we pare it down a bit.

[MaximRouiller]

I can imagine that a username should be something remotely readable, although one could argue that an email should be as well

@janpieterz Well... the original RFC compliant regex doesn't argue. That is if you want to validate as per the RFC.

There is many characters that are available in an email (()[]+-<> among others).

Good read if you want to go further.

One thing for sure... refusing a valid email is plainly frustrating to most users.

[MaximRouiller]

I do use the + sign in my Gmail address. Allows me to tag emails I use to register to some services.

[blowdart]

We won't be using regular expressions for validation. We made a conscious decision to remove that approach.

[guardrex]

For reference, AllowedUserNameCharacters is here ...

Identity/src/Microsoft.AspNetCore.Identity/UserOptions.cs

Line 17 in c8a276e

public string AllowedUserNameCharacters { get; set; } = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._@";

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._@

Is there any reason why that can't be overridden no matter what the team settles on here?

[janpieterz]

@guardrex It can (quite easily even) be overridden. Below does the trick. The issue (more an issue with the template and a suggestion for improvement for Identity) isn't the override, but more the fact that the default templates use an email as a username (and I think this is a very common usage pattern) and this fails when certain characters are used, for example the + (I found this out as well when testing with a + sign). The options then are to either always allow all email chars
or have two statics strings (one with email, one with 'normal') and/or change the templates.

 services.AddIdentity<ApplicationUser, IdentityRole>(options =>
    {
        //Below UserOptions is my own class
        options.User.AllowedUserNameCharacters = UserOptions.EmailAllowedCharacters;
    })

[HaoK]

How about we just add + since that is fairly common, users can always add whatever additional characters they really want?

[MaximRouiller]

@HaoK that would fix 90+% of all scenarios I think.

[janpieterz]

Works for me!