User status is handled incorrectly
pschuler78 opened this issue · 0 comments
pschuler78 commented
A user who is deactivated or in the locked user state can still log in. The identity framework does not consider the account status.
When the user is set to disabled by the FLS client, the lockout enabled flag must be enabled and the lockout end date must be set to maximum.
See also:
https://stackoverflow.com/questions/32951260/how-to-disable-a-user-in-identity-2-0
https://aspnetidentity.codeplex.com/discussions/530201
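
The mapping described in this issue, as an added example that is not the project's own code. It assumes the application uses ASP.NET Identity 2.x (`Microsoft.AspNet.Identity`), as the linked discussions suggest; the class `AccountStatusSync` and its method names are hypothetical.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;

// Hypothetical helper: maps an application-level "disabled" or "locked"
// status onto the lockout fields that ASP.NET Identity 2.x evaluates.
public static class AccountStatusSync
{
    public static async Task<IdentityResult> DisableAsync<TUser>(
        UserManager<TUser> users, string userId)
        where TUser : class, IUser<string>
    {
        // Order matters: setting the end date fails, and IsLockedOutAsync
        // returns false, while lockout is not enabled for the user.
        var result = await users.SetLockoutEnabledAsync(userId, true);
        if (!result.Succeeded) return result;

        result = await users.SetLockoutEndDateAsync(userId, DateTimeOffset.MaxValue);
        if (!result.Succeeded) return result;

        // Changing the security stamp invalidates cookies issued earlier, but
        // only if cookie auth is configured with SecurityStampValidator.
        return await users.UpdateSecurityStampAsync(userId);
    }

    public static async Task<IdentityResult> EnableAsync<TUser>(
        UserManager<TUser> users, string userId)
        where TUser : class, IUser<string>
    {
        // An end date in the past lifts the lockout.
        var result = await users.SetLockoutEndDateAsync(userId, DateTimeOffset.MinValue);
        if (!result.Succeeded) return result;
        return await users.ResetAccessFailedCountAsync(userId);
    }

    // Gate for custom login code: UserManager.FindAsync(name, password) only
    // verifies the password, so the lockout state has to be checked as well.
    public static async Task<bool> MaySignInAsync<TUser>(
        UserManager<TUser> users, string userId)
        where TUser : class, IUser<string>
    {
        return !await users.IsLockedOutAsync(userId);
    }
}
```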