What does RequireConfirmedAccount == true mean? What is its impact?
Core is open source. I feel reading the code is the easiest way to figure out what's going on.
namespace Microsoft.AspNetCore.Identity;
/// <summary>
/// Options for configuring sign in.
/// </summary>
public class SignInOptions
{
/// <summary>
/// Gets or sets a flag indicating whether a confirmed email address is required to sign in. Defaults to false.
/// </summary>
/// <value>True if a user must have a confirmed email address before they can sign in, otherwise false.</value>
public bool RequireConfirmedEmail { get; set; }
/// <summary>
/// Gets or sets a flag indicating whether a confirmed telephone number is required to sign in. Defaults to false.
/// </summary>
/// <value>True if a user must have a confirmed telephone number before they can sign in, otherwise false.</value>
public bool RequireConfirmedPhoneNumber { get; set; }
/// <summary>
/// Gets or sets a flag indicating whether a confirmed <see cref="IUserConfirmation{TUser}"/> account is required to sign in. Defaults to false.
/// </summary>
/// <value>True if a user must have a confirmed account before they can sign in, otherwise false.</value>
public bool RequireConfirmedAccount { get; set; }
}
https://github.com/dotnet/aspnetcore/blob/main/src/Identity/Extensions.Core/src/SignInOptions.cs If you take a look at the Identity AspNetUsers table you'll see columns that correspond to the SignInOptions.
Does the Identity code do anything if RequireConfirmedPhoneNumber == true? If so, what? If not, what do I need to do to help the user confirm their phone?
The user cannot login if the phone number is not confirmed. Phone number confirmation can be accomplished over SMS. You need to a 3rd party SMS service to confirm the phone number.
Two-factor authentication with SMS in ASP.NET Core