ASP.NET Core Identity ships with default values for settings such as the password policy, lockout and cookie configuration. Any of these can be overridden in the Startup class.

By default the Password Policy has the following options:

  • `RequireDigit`: (default: true) Requires a digit (0-9) in the password.
  • `RequiredLength`: (default: 6) The minimum length of the password.
  • `RequireLowercase`: (default: true) Requires a lowercase character in the password.
  • `RequireNonAlphanumeric`: (default: true) Requires a non-alphanumeric character in the password.
  • `RequiredUniqueChars`: (default: 1) Only applies to ASP.NET Core 2.0 or later. Requires at least this many distinct characters in the password.
  • `RequireUppercase`: (default: true) Requires an uppercase character in the password.

For more info you can visit this link and see all available options for the ASP.NET Core Identity configuration.

Although the default constraints are chosen with security in mind and push users toward stronger passwords, there are times when you need to override them to match your own requirements. Keep in mind that every rule you switch off weakens the policy: the extension method below drops the digit and lowercase requirements, and compensates by raising the minimum length from 6 to 8.

To do so, create an extension method that customizes the password policy, and then apply it from your Startup configuration:

using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

namespace MyApp.Api.Infrastructure.Extensions.Auth
{
    public static class AuthPasswordPolicyExtensions
    {
        // Overrides the Identity defaults through the options pattern; the values
        // take effect wherever IdentityOptions is resolved (UserManager, validators).
        public static IServiceCollection AddCustomPasswordPolicy(this IServiceCollection services)
        {
            services.Configure<IdentityOptions>(o =>
            {
                o.Password.RequireDigit = false;          // default: true
                o.Password.RequireLowercase = false;      // default: true
                o.Password.RequireUppercase = true;       // default: true
                o.Password.RequireNonAlphanumeric = true; // default: true
                o.Password.RequiredLength = 8;            // default: 6
            });

            // Returning the collection allows further calls to be chained.
            return services;
        }
    }
}

Note: returning the `services` object lets you chain multiple configuration calls, which keeps the Startup code readable.

Now that you have extended `IServiceCollection`, you can apply your custom password policy by calling `AddCustomPasswordPolicy()` inside the ConfigureServices method of your Startup.cs file.

Here is a sample Startup.cs file with some additional service configuration using method chaining:

using System;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using MyApp.Api.Infrastructure.Extensions.Auth;

public class Startup
{
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    public IConfiguration Configuration { get; }

    // This method gets called by the runtime. Use this method to add services to the container.
    // Returning IServiceProvider (instead of void) is the ASP.NET Core 2.x pattern for handing
    // the container over to Autofac.
    public IServiceProvider ConfigureServices(IServiceCollection services)
    {
        // SetupConfiguration, AddDatabase, AddVersioning, AddSwaggerDocumentation, AddCoreFilters,
        // AddCustomJsonOptions and AddAutofacService are this application's own extension
        // methods (not shown); AddCustomPasswordPolicy is the one defined above.
        services.SetupConfiguration(Configuration)
            .AddCustomPasswordPolicy();

        // additional configuration
        services.AddDatabase(Configuration)
            .AddVersioning()
            .AddAutoMapper()
            .AddSwaggerDocumentation();

        services.AddMvc(opts => opts.AddCoreFilters())
            .AddCustomJsonOptions()
            .SetCompatibilityVersion(CompatibilityVersion.Version_2_1);

        // Container is the Autofac container field declared elsewhere in this class (not shown).
        return services.AddAutofacService(Container);
    }
    
    // ...
}
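The extension method above relaxes the policy. As an added example (not code from the original post), the following goes the other way: it tightens the password and lockout options and registers a custom `IPasswordValidator<TUser>`, which Identity runs alongside the built-in validator that enforces `IdentityOptions.Password`. The `DenyListPasswordValidator` class, the `AddHardenedIdentity` helper and the three deny-listed sample passwords are assumptions made for illustration; a real deployment would load a breached-password corpus instead, and would register its user store (for example the EF Core store) separately.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

namespace MyApp.Api.Infrastructure.Extensions.Auth
{
    // Hypothetical validator. Identity calls every registered IPasswordValidator<TUser>
    // on user creation and password change, in addition to the built-in PasswordValidator
    // that enforces IdentityOptions.Password, and merges all errors into one IdentityResult.
    public class DenyListPasswordValidator<TUser> : IPasswordValidator<TUser>
        where TUser : IdentityUser
    {
        // Constructed sample deny list; in production load a breached-password corpus.
        private static readonly HashSet<string> DenyList = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "Password1!", "Welcome1!", "Qwerty123!"
        };

        public Task<IdentityResult> ValidateAsync(UserManager<TUser> manager, TUser user, string password)
        {
            // Empty passwords are already rejected by the built-in validator.
            if (string.IsNullOrEmpty(password))
            {
                return Task.FromResult(IdentityResult.Success);
            }

            var errors = new List<IdentityError>();

            if (DenyList.Contains(password))
            {
                errors.Add(new IdentityError
                {
                    Code = "PasswordOnDenyList",
                    Description = "That password appears on a list of commonly used passwords."
                });
            }

            // Reject passwords that embed the user name, regardless of letter case.
            if (!string.IsNullOrEmpty(user?.UserName) &&
                password.IndexOf(user.UserName, StringComparison.OrdinalIgnoreCase) >= 0)
            {
                errors.Add(new IdentityError
                {
                    Code = "PasswordContainsUserName",
                    Description = "The password must not contain your user name."
                });
            }

            return Task.FromResult(errors.Count == 0
                ? IdentityResult.Success
                : IdentityResult.Failed(errors.ToArray()));
        }
    }

    public static class HardenedIdentityExtensions
    {
        // Hypothetical helper: raises length and distinct-character requirements while
        // leaving the composition rules at their defaults, enables a lockout window, and
        // registers the deny-list validator. AddIdentityCore takes the same
        // IdentityOptions delegate that Configure<IdentityOptions> does.
        public static IServiceCollection AddHardenedIdentity(this IServiceCollection services)
        {
            services.AddIdentityCore<IdentityUser>(o =>
                {
                    o.Password.RequiredLength = 12;      // default: 6
                    o.Password.RequiredUniqueChars = 4;  // default: 1
                    o.Lockout.MaxFailedAccessAttempts = 5;
                    o.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
                })
                .AddPasswordValidator<DenyListPasswordValidator<IdentityUser>>();

            return services;
        }
    }
}
```

Call `services.AddHardenedIdentity()` from ConfigureServices in the same way as `AddCustomPasswordPolicy()`. Because the validator receives the `UserManager<TUser>`, it can also consult `manager.Options.Password` if you want its checks to follow the configured policy rather than hard-coded values.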
