Where is the information about the authorization token stored on the ASP.NET Web API server?

In a Web API 2 / Identity 2 application, after user registration I have one record in one table, AspNetUsers. I use the following HTTP request to get the token:

    POST https://localhost:44304/Token HTTP/1.1
    Accept: application/json
    Content-type: application/x-www-form-urlencoded
    Accept-Encoding: gzip
    Content-Length: 68
    Host: localhost:44304
    Connection: Keep-Alive
    User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

    grant_type=password&username=somemail@gmail.com&password=123456

and I get a response containing access_token:

    HTTP/1.1 200 OK
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Length: 695
    Content-Type: application/json;charset=UTF-8
    Expires: -1
    Server: Microsoft-IIS/8.0
    X-SourceFiles: =?UTF-8?B?QzpcVXNlcnNcU2VyZ2V5XERvY3VtZW50c1xWaXN1YWwgU3R1ZGlvIDIwMTNcUHJvamVjdHNcbXZjX3dlYmFwaVxXZWJBcHBsaWNhdGlvblxXZWJBcHBsaWNhdGlvblxUb2tlbg==?=
    X-Powered-By: ASP.NET
    Date: Tue, 25 Nov 2014 17:40:07 GMT

    {"access_token":"gsvW23e1...}

After I receive the token, not a single record is added to the database: there is still only the one entry in the AspNetUsers table. Information about the issued token is not stored in any table in the database.

I use the following code in a Web API controller to authenticate a user:

    var currentUser = manager.FindById(User.Identity.GetUserId());
    if (currentUser == null)
    {
        HttpResponseMessage response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
        return ResponseMessage(response);
    }

After that, I change the password and try to call some method of the Web API controller using the old access_token (the one I received before changing the password), and the access_token is still valid! currentUser is not null!

I have read other threads on Stack Overflow ("ASP.Net authentication of all sessions", "ASP.Net logout") and the blog post https://timmlotter.com/blog/asp-net-identity-invalidate-all-sessions-on-securitystamp-update/ but I still don't understand where the information about issued tokens is stored. So my questions are:

1) Where is the access_token information stored on the server?

2) Why, after changing the password, can I still use an access_token that the server issued before the password change?

3) How do I cancel all access_tokens issued before the password change?

1 answer

1) Tokens are not stored anywhere in the database or local storage. This means that tokens are not stored anywhere on the server.

2) In fact, reset tokens are generated using SecurityStamp and are checked using the user's SecurityStamp. Tokens do not expire unless you set an expiration date or update this user’s SecurityStamp.

The expiration time can be set in the UserManager properties in your authentication configuration class. The following example sets the token lifetime to 1 hour. Check out this article.

    if (dataProtectionProvider != null)
    {
        manager.UserTokenProvider = new DataProtectorTokenProvider<ApplicationUser>(dataProtectionProvider.Create("ASP.NET Identity"))
        {
            TokenLifespan = TimeSpan.FromHours(1)
        };
    }

You can use your own mechanism to verify the token that was previously used.

3) Update the SecurityStamp. This will invalidate all tokens issued for this user, including cookies. It would be better to use your own mechanism to expire password reset tokens.

As an example, you can use another column to store all the generated password reset tokens in the database and validate against it (this may be the best way to do it).

Keep in mind that the login access_token is generated differently, and it has the expiration time that you set when you configure the OWIN token middleware.

Hope this helps.

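The practical answer to question 3, as an added example that is not part of the original question or answer: the OWIN bearer access_token is a self-contained AuthenticationTicket, serialized, encrypted and signed with the host's data protector (the machineKey on IIS), which is why nothing about it appears in any table. The middleware only decrypts it and checks its expiry; it never asks the database whether the user has changed since issuance. ASP.NET Identity 2 ships SecurityStampValidator for the cookie middleware but nothing equivalent for bearer tokens, so you add the check yourself: put the user's SecurityStamp into the ticket when the token is issued, and on every request compare the stamp inside the token with the one stored on the user. Identity 2's UserManager rotates the SecurityStamp inside ChangePasswordAsync (and on UpdateSecurityStampAsync), so every token issued before a password change fails that comparison. The code below assumes the stock Web API 2 / Identity 2 template types ApplicationUser, ApplicationUserManager, ApplicationDbContext and the per-OWIN-context registration; the class names StampedOAuthProvider, StampCheckingBearerProvider and SecurityStampClaims are mine, and it replaces the template's single app.UseOAuthBearerTokens(OAuthOptions) call (the second bearer middleware the template registers for external logins is left out).

```csharp
// Added example, not code from the original post. Assumes the Web API 2 /
// Identity 2 template types ApplicationUser, ApplicationUserManager and
// ApplicationDbContext; StampedOAuthProvider, StampCheckingBearerProvider
// and SecurityStampClaims are names chosen for this example.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;
using Owin;

public static class SecurityStampClaims
{
    // Claim type Identity 2's default ClaimsIdentityFactory uses for the stamp.
    public const string Type = "AspNet.Identity.SecurityStamp";
}

// Token endpoint (/Token): the ticket that becomes access_token must carry the
// user's SecurityStamp as it was at the moment of issuance.
public class StampedOAuthProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // Resource-owner password flow with a public client: no client secret to check.
        context.Validated();
        return Task.FromResult(0);
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
        ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);
        if (user == null)
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        ClaimsIdentity identity = await userManager.CreateIdentityAsync(user, OAuthDefaults.AuthenticationType);
        // The default factory already adds the stamp claim; add it only if a custom factory did not.
        if (identity.FindFirst(SecurityStampClaims.Type) == null)
        {
            identity.AddClaim(new Claim(SecurityStampClaims.Type, user.SecurityStamp));
        }

        // The ticket is encrypted and signed by the data protector and returned as
        // access_token. Nothing is written to the database here.
        context.Validated(new AuthenticationTicket(identity, new AuthenticationProperties()));
    }
}

// Resource side: runs for every request carrying a bearer token, after the
// middleware has decrypted the ticket and rejected expired ones.
public class StampCheckingBearerProvider : OAuthBearerAuthenticationProvider
{
    public override async Task ValidateIdentity(OAuthValidateIdentityContext context)
    {
        ClaimsIdentity identity = context.Ticket == null ? null : context.Ticket.Identity;
        if (identity == null || !identity.IsAuthenticated)
        {
            context.Rejected();
            return;
        }

        Claim stampInToken = identity.FindFirst(SecurityStampClaims.Type);
        string userId = identity.GetUserId();
        if (stampInToken == null || string.IsNullOrEmpty(userId))
        {
            // A token issued without a stamp (e.g. by an older provider) cannot be revoked: reject it.
            context.Rejected();
            return;
        }

        // One database read per request: the stamp currently stored on the user.
        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
        string currentStamp = await userManager.GetSecurityStampAsync(userId);
        if (currentStamp == null || !string.Equals(currentStamp, stampInToken.Value, StringComparison.Ordinal))
        {
            // Password changed (or UpdateSecurityStampAsync called) after the token was issued.
            context.Rejected();
            return;
        }

        context.Validated();
    }
}

// Startup wiring, in place of the template's app.UseOAuthBearerTokens(OAuthOptions).
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            Provider = new StampedOAuthProvider(),
            AccessTokenExpireTimeSpan = TimeSpan.FromHours(1), // a short lifetime still limits exposure
            AllowInsecureHttp = false                           // the question already uses https://localhost:44304
        });

        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            Provider = new StampCheckingBearerProvider()
        });
    }
}
```

With this in place, the controller check from the question becomes redundant: a request made with the pre-change token never reaches the controller, because the bearer middleware rejects it and Web API answers 401. The trade-off is one lookup of the user's stamp per authenticated request, the same cost SecurityStampValidator imposes on cookie logins (it only re-validates every validateInterval, which you can copy by caching the stamp briefly). To revoke a single user's tokens on demand without a password change, call userManager.UpdateSecurityStampAsync(userId); no token table is needed, which preserves the stateless property the answer describes.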

Source: https://habr.com/ru/post/1210547/
