Ricardo Brandão - 90 - Jun 4, 2014

I have noticed that when I am using social auth providers (e.g. Facebook, Twitter) provided by ServiceStack, locked users are able to login successfully.

I was expecting the same behaviour as in CredentialsAuthProvider that prevents locked users to login.

Have anyone encountered this behaviour?

Mark Chipman:

Authentication is NOT the same as authorization… Social auth only authenticates whom you are… not what you have access to. :slight_smile:

Ricardo Brandão:

Hello Mark,

So why does UserAuth contains a LockedDate? And why does CredentialsAuthProvider validates that the user is not locked?

I agree with you, but it seems odd to have different behaviours on the same scenario (i.e. authentication).

As a workaround I check if the user is locked on the OnAuthenticated. However, then I have to send the user to the logout service which seems a little bit odd.

Mark Chipman:

I think that it might be because when using social auth libraries you can only get so much (ie: claims from Twitter or Facebook for your user… all depending on what the user has authorized to be released back to you)… but with UserAuth you have much more in your control to the raw resources (ie: your data store) since authorization functionality is in your hands where you have access directly to those kinds of resources.

Anyone else got insight to this?


Ricardo Brandão:

But when I am using social auth I load the user’s UserAuth while authenticating (if the user already exists I fetch the UserAuth if not I create a new one) and therefore I can check if the user is locked or not. This occurs after I exchange the keys with the auth provider but when the user is not yet authenticated on my application.

Initially the LockedDate was to prevent multiple invalid attempts to a User/Auth account, which is not something we have to worry about with OAuth providers since they’re authenticated elsewhere.

But as it’s still a good feature to be able to prevent access from authorized users I’ve just  added support for locking user accounts in all auth providers with todays commits:

Which is now available on MyGet:

Note: Locking a users account will prevent authentication the next time a user authenticates (i.e. it doesn’t log out a currently logged in user).

Ricardo Brandão:

Hi Demis,

Thanks. This is indeed a nice feature.