Is there an existing issue for this?
Describe the bug
Description
In ASP.NET Core Identity with passkeys enabled, SignInManager<TUser>.PasskeySignInAsync() does not check SignInOptions.RequireConfirmedEmail before allowing sign-in, unlike PasswordSignInAsync(), which correctly returns SignInResult.NotAllowed when the user's email is not confirmed.
Actual Behavior
PasskeySignInAsync() returns SignInResult.Success and signs in the user, bypassing the email confirmation requirement.
Additional Context
This inconsistency can be a security concern as it allows users to bypass email verification when using passkeys, which may be problematic for account recovery scenarios where a verified email is essential.
Expected Behavior
PasskeySignInAsync() should return SignInResult.NotAllowed when the user's email is not confirmed and RequireConfirmedEmail is enabled (consistent with PasswordSignInAsync() behavior).
Steps To Reproduce
- Configure ASP.NET Core Identity with RequireConfirmedEmail = true:

```csharp
builder.Services.AddDefaultIdentity<ApplicationUser>(options =>
{
    options.SignIn.RequireConfirmedEmail = true;
});
```

- Register a new user with a passkey (without confirming the email).
- Attempt to sign in using PasskeySignInAsync().
Exceptions (if any)
No response
.NET Version
10.0.101
Anything else?
Tested in an ASP.NET Core Web App (Model-View-Controller) project, based on the Blazor Identity templates for passkeys, but adapted to use passkeys as a first-class authentication method.
Workaround
Manual check after successful passkey sign-in:

```csharp
if (result.Succeeded)
{
    var user = await _userManager.GetUserAsync(User);
    if (user != null
        && _userManager.Options.SignIn.RequireConfirmedEmail
        && !await _userManager.IsEmailConfirmedAsync(user))
    {
        await _signInManager.SignOutAsync();
        // Return error to user
    }
}
```
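The following is an added example, not code from this issue or from ASP.NET Core itself. It shows the workaround above as a complete MVC login action that reuses SignInManager.CanSignInAsync(), which is the same gate PasswordSignInAsync() applies before issuing a cookie (RequireConfirmedEmail, RequireConfirmedPhoneNumber and RequireConfirmedAccount), so it goes slightly beyond the email-only check in the issue. It assumes PasskeySignInAsync accepts the client's credential JSON as a string (the parameter name is an assumption; the page only writes PasskeySignInAsync()), that ApplicationUser is the app's IdentityUser subclass, and that Login, LoginWith2fa and Lockout views/actions exist as in the Identity templates.

```csharp
// Added example (not the issue author's code, not ASP.NET Core's own code).
// Assumed: PasskeySignInAsync(string credentialJson); ApplicationUser : IdentityUser;
// Login, LoginWith2fa and Lockout views/actions exist as in the Identity templates.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

public class ApplicationUser : IdentityUser { }

public class PasskeyAccountController : Controller
{
    private readonly SignInManager<ApplicationUser> _signInManager;
    private readonly UserManager<ApplicationUser> _userManager;

    public PasskeyAccountController(
        SignInManager<ApplicationUser> signInManager,
        UserManager<ApplicationUser> userManager)
    {
        _signInManager = signInManager;
        _userManager = userManager;
    }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> PasskeyLogin(string credentialJson, string? returnUrl = null)
    {
        // Verifies the WebAuthn assertion and, on success, issues the Identity cookie.
        var result = await _signInManager.PasskeySignInAsync(credentialJson);

        if (result.RequiresTwoFactor)
        {
            return RedirectToAction("LoginWith2fa", new { returnUrl });
        }
        if (result.IsLockedOut)
        {
            return RedirectToAction("Lockout");
        }
        if (!result.Succeeded)
        {
            ModelState.AddModelError(string.Empty, "Invalid passkey sign-in attempt.");
            return View("Login");
        }

        // SignInManager assigns the freshly created principal to HttpContext.User when it
        // signs the user in, so the just-signed-in user can be resolved in this same request.
        var user = await _userManager.GetUserAsync(User);

        // CanSignInAsync is the confirmation gate PasswordSignInAsync runs before sign-in.
        // A null user is treated as a failed check rather than silently letting the cookie stand.
        if (user is null || !await _signInManager.CanSignInAsync(user))
        {
            // Revoke the cookie that PasskeySignInAsync already issued.
            await _signInManager.SignOutAsync();
            ModelState.AddModelError(string.Empty,
                "You must confirm your account before you can sign in.");
            return View("Login");
        }

        return LocalRedirect(returnUrl ?? Url.Content("~/"));
    }
}
```

Because the cookie has already been written by the time the check runs, the SignOutAsync() call is what actually neutralises the bypass; an error message alone would leave a valid session behind. Once PasskeySignInAsync() itself applies the pre-sign-in check, this post-hoc gate becomes redundant but stays harmless.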