Why doesn't "SignIn.RequireConfirmedEmail = true" prevent users with an unconfirmed email from signing in?

I have configured my Identity like this:

services.AddIdentity<AppUser, IdentityRole>(
               opts =>
               {
                   opts.SignIn.RequireConfirmedEmail = true;
                   opts.Password.RequireDigit = true;
                   opts.Password.RequireLowercase = true;
                   opts.Password.RequireUppercase = true;
                   opts.Password.RequireNonAlphanumeric = false;
                   opts.Password.RequiredLength = 7;
               })
           .AddEntityFrameworkStores<MyDbContext>().AddDefaultTokenProviders();

I expect users whose email is not yet confirmed to be unable to log in to the system, since I have already set SignIn.RequireConfirmedEmail = true;. But when I run the application I can log in with both kinds of users: the ones whose email is confirmed and the ones whose email is not confirmed. So why is SignIn.RequireConfirmedEmail = true; not working in this case? Is there any other config that I need to do?

EDIT: I just realized that I didn't check for email confirmation in my Login method, with something like this:

if (!await _userManager.IsEmailConfirmedAsync(user))

So the main question: is the above line necessary even if I have already set SignIn.RequireConfirmedEmail = true;? I mean, isn't SignIn.RequireConfirmedEmail = true; enough? If it is not enough, what is its purpose at all?



Solution 1:[1]

Simply using opts.SignIn.RequireConfirmedEmail = true; is not enough. You need to add the check at login as well, to see whether the user can sign in, using SignInManager, e.g.

var user = await _userManager.FindByEmailAsync(login.Email);    
var canSignIn = await _signInManager.CanSignInAsync(user);
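The following is an added example, not code from the question or the answer above. It shows the two shapes a Login action commonly takes, side by side. The important detail for the question is where the option is actually enforced: SignInManager.PasswordSignInAsync calls CanSignInAsync before issuing the cookie, and CanSignInAsync is what consults SignIn.RequireConfirmedEmail (via UserManager.IsEmailConfirmedAsync). SignInManager.SignInAsync, by contrast, just issues the cookie and performs no pre-sign-in checks, so a login method that verifies the password with UserManager.CheckPasswordAsync and then calls SignInAsync will let an unconfirmed user straight in no matter what the option says. AppUser is taken from the question; AccountController, LoginViewModel, the view names and the redirect target are assumptions made for the example.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Assumed view model for the example; not part of the original post.
public class LoginViewModel
{
    public string Email { get; set; }
    public string Password { get; set; }
    public bool RememberMe { get; set; }
}

// Assumed controller for the example; not part of the original post.
public class AccountController : Controller
{
    private readonly UserManager<AppUser> _userManager;
    private readonly SignInManager<AppUser> _signInManager;

    public AccountController(UserManager<AppUser> userManager,
                             SignInManager<AppUser> signInManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
    }

    // BROKEN: verifies the password with UserManager and then issues the
    // auth cookie directly. SignInAsync does no pre-sign-in checks, so
    // SignIn.RequireConfirmedEmail (and lockout) are never consulted and an
    // unconfirmed user logs in just fine.
    [HttpPost]
    public async Task<IActionResult> LoginBypassesConfirmation(LoginViewModel login)
    {
        var user = await _userManager.FindByEmailAsync(login.Email);
        if (user != null && await _userManager.CheckPasswordAsync(user, login.Password))
        {
            await _signInManager.SignInAsync(user, login.RememberMe); // no RequireConfirmedEmail check
            return RedirectToAction("Index", "Home");
        }
        ModelState.AddModelError(string.Empty, "Invalid login attempt.");
        return View("Login", login);
    }

    // FIXED: goes through PasswordSignInAsync, which runs CanSignInAsync
    // internally. With RequireConfirmedEmail = true and an unconfirmed
    // address, the result reports IsNotAllowed instead of Succeeded.
    [HttpPost]
    public async Task<IActionResult> Login(LoginViewModel login)
    {
        if (!ModelState.IsValid)
            return View(login);

        var user = await _userManager.FindByEmailAsync(login.Email);
        if (user == null)
        {
            // Same generic message as for a wrong password, so the form does
            // not reveal which email addresses are registered.
            ModelState.AddModelError(string.Empty, "Invalid login attempt.");
            return View(login);
        }

        // Explicit pre-check, as in the answer above. It is redundant with the
        // check inside PasswordSignInAsync, but makes the intent visible and
        // keeps the behaviour if someone later swaps in SignInAsync.
        if (!await _signInManager.CanSignInAsync(user))
        {
            ModelState.AddModelError(string.Empty, "Invalid login attempt.");
            return View(login);
        }

        var result = await _signInManager.PasswordSignInAsync(
            user, login.Password, login.RememberMe, lockoutOnFailure: true);

        if (result.Succeeded)
            return RedirectToAction("Index", "Home");
        if (result.IsLockedOut)
            return View("Lockout");

        // Covers a wrong password and result.IsNotAllowed (the branch taken when
        // CanSignInAsync fails inside PasswordSignInAsync, e.g. unconfirmed email).
        // One message for all three cases avoids leaking account state.
        ModelState.AddModelError(string.Empty, "Invalid login attempt.");
        return View(login);
    }
}
```

If the original Login method looked like the first action, that alone explains the behaviour in the question: the option is set, but nothing on the code path ever reads it. Switching to PasswordSignInAsync (or adding the CanSignInAsync check before SignInAsync) is what makes RequireConfirmedEmail take effect.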

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Jnr