I have an IdentityServer3 implementation with functionality for registering new users. These users are then sent an email for confirmation. However, the users can log in without confirming the email. I've later understood that the confirm-email step is just that, and not a "user confirmation" as I initially thought.
So how do I implement a "require confirmed email" policy?
I believe I have to implement a custom login action that checks the confirmed-email flag, or is there somewhere else that is better suited?
In your AuthenticateLocal implementation on your user service, you check the DB to see if the email is confirmed, and if it's not, you give the user an error message.
With IdentityServer3 all of the user management features are up to you to build (such as registration, email confirmation, changing passwords, etc.).
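Here is what that check looks like as an added example; it is not code from the question or the answer above. It assumes the IdentityServer3 v2 user-service API (`UserServiceBase`, `LocalAuthenticationContext`, `AuthenticateResult`), and the `IUserStore` interface and `AppUser` class are hypothetical stand-ins for your own data access layer.

```csharp
// Added example, not from the original thread. Assumes IdentityServer3 v2's
// UserServiceBase / LocalAuthenticationContext API; IUserStore and AppUser are
// hypothetical placeholders for your own repository and user entity.
using System.Threading.Tasks;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services.Default;

// Hypothetical persistence abstraction; replace with your own repository.
public interface IUserStore
{
    Task<AppUser> FindByUserNameAsync(string userName);
    bool VerifyPassword(AppUser user, string password);
}

// Hypothetical user entity carrying the confirmed-email flag from the DB.
public class AppUser
{
    public string SubjectId { get; set; }
    public string UserName { get; set; }
    public bool EmailConfirmed { get; set; }
}

public class ConfirmedEmailUserService : UserServiceBase
{
    private readonly IUserStore _store;

    public ConfirmedEmailUserService(IUserStore store)
    {
        _store = store;
    }

    // Called by IdentityServer3 for username/password logins.
    public override async Task AuthenticateLocalAsync(LocalAuthenticationContext context)
    {
        var user = await _store.FindByUserNameAsync(context.UserName);

        // Validate the credentials first, with one generic message for an unknown
        // user and a wrong password, so the response does not reveal which it was.
        if (user == null || !_store.VerifyPassword(user, context.Password))
        {
            context.AuthenticateResult = new AuthenticateResult("Invalid username or password");
            return;
        }

        // The policy from the question: a confirmed email address is required to sign in.
        // Setting an error result here makes the login page show this message instead
        // of issuing a session.
        if (!user.EmailConfirmed)
        {
            context.AuthenticateResult =
                new AuthenticateResult("Please confirm your email address before signing in");
            return;
        }

        // Credentials valid and email confirmed: sign the user in.
        context.AuthenticateResult = new AuthenticateResult(user.SubjectId, user.UserName);
    }
}
```

Register the service with IdentityServer3's factory in place of the default user service. The confirmed-email check deliberately runs after password verification: performing it before would let anyone who knows a username learn whether that account is still unconfirmed without supplying a valid password.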