Disable user registrations in ASP.NET Core 3 identity

Posted on 7th March 2020

When you build a new ASP.NET Core 3 website with Authentication in Visual Studio, you might discover that registrations are enabled by default.

If you're building a SaaS web application, this is likely what you want. Who wouldn't want new users to register with their service?

Unfortunately, this is a security issue for restricted applications that are only intended to be used by people within your company, since anyone who can reach the site can create an account for themselves.

The Solution

Luckily for us, disabling new registrations is fairly simple and should only take a few minutes to configure within the codebase.

Scaffolding

You first need to scaffold three identity pages if you haven't done so already. These three pages are Account.Register, Account.Login, and Account.RegisterConfirmation.

This can be achieved with the following console command.

dotnet aspnet-codegenerator identity -dc RPauth.Data.ApplicationDbContext --files "Account.Register;Account.Login;Account.RegisterConfirmation"

Alternatively, you can use the GUI. Right-click on your solution in Visual Studio, then click Add > New Scaffolded Item > Add Identity. Tick the options for Account.Register, Account.Login, and Account.RegisterConfirmation, select your data context from the dropdown, then click Add.

Editing Scaffolded Pages

You now need to expand Areas/Identity/Pages/Account in the solution explorer and edit Register.cshtml.cs to match the following code snippet. This will redirect users to the login page if they land on the Registration page.

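using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

// Keep the namespace declaration that the scaffolder generated around this class.
public class RegisterModel : PageModel
{
    // GET: never render the registration form; send the visitor to the login page.
    public IActionResult OnGet()
    {
        return RedirectToPage("Login");
    }

    // POST: ignore any submitted registration data and redirect as well.
    public IActionResult OnPost()
    {
        return RedirectToPage("Login");
    }
}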

Next up, edit Areas/Identity/Pages/Account/Register.cshtml to look like the following.

@page
@model RegisterModel
@{
    ViewData["Title"] = "Go to Login";
}

<h1>@ViewData["Title"]</h1>

<li class="nav-item">
    <a class="nav-link text-dark" asp-area="Identity" asp-page="/Account/Login">Login</a>
</li>

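Now remove the registration link from Areas/Identity/Pages/Account/Login.cshtml. Wrapping it in a Razor comment (@* ... *@) keeps the markup in the file but stops it from being rendered to the browser.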

@*
<p>
    <a asp-page="./Register" asp-route-returnUrl="@Model.ReturnUrl">Register as a new user</a>
</p>
*@

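You can now edit Areas/Identity/Pages/Account/RegisterConfirmation.cshtml.cs to remove the code relating to registration.

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

[AllowAnonymous]
public class RegisterConfirmationModel : PageModel
{
    // Only render the page; no registration-related logic remains in the handler.
    public IActionResult OnGet()
    {
        return Page();
    }
}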

And that's it. At this point you'll normally need to start looking for alternative methods for creating new users. But registrations from the website are now disabled and your internal-only app is now a little bit more secure.
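To confirm the change holds, and keeps holding after later scaffolding or package updates, an integration test can request the registration page and assert that it only ever redirects to the login page. This is an added example, not code from the original article; it assumes a test project that references the web project, xunit and Microsoft.AspNetCore.Mvc.Testing, and that the web project's startup class is RPauth.Startup (a name inferred from the data context used above).

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc.Testing;
using Xunit;

// Added example. RPauth.Startup is an assumed name for the web project's startup class.
public class RegistrationDisabledTests : IClassFixture<WebApplicationFactory<RPauth.Startup>>
{
    private const string RegisterPath = "/Identity/Account/Register";
    private readonly HttpClient _client;

    public RegistrationDisabledTests(WebApplicationFactory<RPauth.Startup> factory)
    {
        _client = factory.CreateClient(new WebApplicationFactoryClientOptions
        {
            AllowAutoRedirect = false,                  // inspect the 302 itself
            BaseAddress = new Uri("https://localhost")  // skip the HTTPS redirect middleware
        });
    }

    [Fact]
    public async Task Get_Register_RedirectsToLogin()
    {
        var response = await _client.GetAsync(RegisterPath);
        Assert.Equal(HttpStatusCode.Redirect, response.StatusCode);
        Assert.EndsWith("/Identity/Account/Login", response.Headers.Location.OriginalString);
    }

    [Fact]
    public async Task Post_Register_IsRejectedOrRedirected()
    {
        // Constructed sample form values; no antiforgery token is sent.
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["Input.Email"] = "constructed@example.com",
            ["Input.Password"] = "Constructed-Passw0rd!",
            ["Input.ConfirmPassword"] = "Constructed-Passw0rd!"
        });
        var response = await _client.PostAsync(RegisterPath, form);

        // Razor Pages answers a token-less POST with 400 before OnPost runs; with a
        // valid token OnPost returns the 302. Neither outcome may be a 200 form page.
        Assert.Contains(response.StatusCode,
            new[] { HttpStatusCode.BadRequest, HttpStatusCode.Redirect });
    }
}
```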



About

A tech blog by Andy P. I talk about coding, enterprise software development, tech, games design & other things that interest me.
