What I try to achieve in a .NET Core Web API is to prevent the default account lockout behavior. By default a locked out account will be unlocked after 5 minutes. In my system a locked account can only be unlocked by an Administrator.
In startup.cs the Identity service is configured as:

    services.AddIdentity<ApplicationUser, IdentityRole>(config =>
    {
        config.Lockout = new LockoutOptions()
        {
            MaxFailedAccessAttempts = 3,
            DefaultLockoutTimeSpan = new TimeSpan(Int32.MaxValue, 0, 0, 0)
        };
    });

So there is a property to set the DefaultLockoutTimeSpan and I tried making the TimeSpan as big as possible (it accepts an Int32) but it throws a "TimeSpan overflowed because the duration is too long." exception.
I tried DefaultLockoutTimeSpan = new TimeSpan(-1) as well with no success.
Does anybody have a waterproof way of preventing auto unlocking of a locked-out account (after some time)? Or, less preferred, a way to make the TimeSpan as big as possible?
Implement IUserLockoutStore.GetLockoutEndDateAsync and optionally IUserLockoutStore.SetLockoutEndDate on a custom store.
All the lockout check does is see if the lockout is enabled and, if so, check if the end date has passed. If you instead return DateTimeOffset.MaxValue from GetLockoutEndDateAsync then they will always be locked out if the flag is set, regardless of whatever is set in LockoutOptions or in the database.
Then you can override the Set method as a no-op and never store the end date at all.
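A sketch of the custom-store approach from the answer above, added here as an example and not code from the question or the answer. It is a variant: instead of a no-op Set, it keeps the stored end date as the marker that a lockout happened, so only accounts that actually hit the failure limit read as locked. `PermanentLockoutUserStore`, `AdminUnlock` and `ApplicationDbContext` are assumed names, and Entity Framework Core stores are assumed.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;

// Assumed minimal types; a real project already defines its own.
public class ApplicationUser : IdentityUser { }
public class ApplicationDbContext : IdentityDbContext<ApplicationUser>
{
    public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options) : base(options) { }
}

// Hypothetical store: any recorded lockout stays in force until it is cleared explicitly.
// Register after the EF stores so it replaces the default user store:
//   services.AddIdentity<ApplicationUser, IdentityRole>(...)
//           .AddEntityFrameworkStores<ApplicationDbContext>()
//           .AddUserStore<PermanentLockoutUserStore>();
// Leave DefaultLockoutTimeSpan at an ordinary value; the store discards the computed end date.
public class PermanentLockoutUserStore : UserStore<ApplicationUser, IdentityRole, ApplicationDbContext>
{
    public PermanentLockoutUserStore(ApplicationDbContext context, IdentityErrorDescriber describer)
        : base(context, describer) { }

    // Read side: rows written before this store was deployed also never expire.
    public override async Task<DateTimeOffset?> GetLockoutEndDateAsync(
        ApplicationUser user, CancellationToken cancellationToken = default)
    {
        var stored = await base.GetLockoutEndDateAsync(user, cancellationToken);
        return stored.HasValue ? DateTimeOffset.MaxValue : (DateTimeOffset?)null;
    }

    // Write side: a lockout is persisted as MaxValue; null (the unlock) passes through.
    public override Task SetLockoutEndDateAsync(
        ApplicationUser user, DateTimeOffset? lockoutEnd, CancellationToken cancellationToken = default)
    {
        var normalized = lockoutEnd.HasValue ? DateTimeOffset.MaxValue : (DateTimeOffset?)null;
        return base.SetLockoutEndDateAsync(user, normalized, cancellationToken);
    }
}

public static class AdminUnlock
{
    // Call only from an endpoint restricted to administrators.
    public static async Task<IdentityResult> UnlockAsync(UserManager<ApplicationUser> users, ApplicationUser user)
    {
        var result = await users.SetLockoutEndDateAsync(user, null);
        return result.Succeeded ? await users.ResetAccessFailedCountAsync(user) : result;
    }
}
```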