Orchardcore: The user has been disabled, but can still authenticated by OpenId.

@kevinchalet any idea?

I found that OpenId uses IUserService.AuthenticateAsync to determine whether the user is effectively authorized, so I customized a UserService and rewritten AuthenticateAsync to solve my issue.

see also:

https://github.com/OrchardCMS/OrchardCore/issues/6622

public class CustomUserService : UserService, IUserService
{
    public CustomUserService(SignInManager<IUser> signInManager, UserManager<IUser> userManager,
        IOptions<IdentityOptions> identityOptions, IStringLocalizer<UserService> stringLocalizer) : base(
        signInManager, userManager, identityOptions, stringLocalizer)
    {
    }


    Task<IUser> IUserService.AuthenticateAsync(string userName, string password, Action<string, string> reportError)
    {
        return this.AuthenticateAsync(userName, password, reportError);
    }

    public new async Task<IUser> AuthenticateAsync(string userName, string password,
        Action<string, string> reportError)
    {
        var user = (User) await base.AuthenticateAsync(userName, password, reportError);
        if (user == null) return user;
        if (!user.IsEnabled)
        {
        // S["Your account is disabled. Please contact an administrator."]  IStringLocalizer<AccountController> stringLocalizer,
            reportError("UserName","账户已停用"); 
            return null;
        }
        else
        {
            return user;
        }
    }
}

@RockNHawk could please open a PR to solve the bug?

Nice catch @RockNHawk. As @hishamco said, it would be great if you could send a PR! 👏

I have opened a PR :-) @hishamco @kevinchalet

I already did that 2 days ago, after I didn't get respond from you

Thanks

@RockNHawk I reopen this for tracking, it will be closed when the PR is merged

Thanks again