ASP.NET Identity WebAPI Invalid Password Reset

I have a WebAPI service that generates a password reset token.
Token generation service endpoint:

    [Authorize(Users = "abcd")]
    [HttpGet]
    [ActionName("GenerateForgotPasswordToken")]
    public async Task<IHttpActionResult> GenerateForgotPasswordToken(string key)
    {
        // Refuse to mint a token for an unknown user ID
        if (key == null || UserManager.FindById(key) == null)
        {
            return InternalServerError(new Exception("User not found"));
        }
        return Ok(await UserManager.GeneratePasswordResetTokenAsync(key));
    }

My ApplicationUserManager:

    public static ApplicationUserManager Create(IdentityFactoryOptions<ApplicationUserManager> options, IOwinContext context)
    {
        //var manager = new ApplicationUserManager(new UserStore<ApplicationUser>(context.Get<ApplicationDbContext>()));
        var manager = new ApplicationUserManager(new UserStore<IdentityUser>(new MTA()));

        // Configure validation logic for usernames
        manager.UserValidator = new UserValidator<IdentityUser>(manager)
        {
            AllowOnlyAlphanumericUserNames = false,
            RequireUniqueEmail = true
        };

        // Configure validation logic for passwords
        manager.PasswordValidator = new PasswordValidator
        {
            RequiredLength = 6,
            RequireNonLetterOrDigit = true,
            RequireDigit = true,
            RequireLowercase = true,
            RequireUppercase = true,
        };

        // Token provider: reset/confirmation tokens are protected with the
        // host's data protection keys (under IIS, the machineKey)
        var dataProtectionProvider = options.DataProtectionProvider;
        if (dataProtectionProvider != null)
        {
            manager.UserTokenProvider =
                new DataProtectorTokenProvider<IdentityUser>(dataProtectionProvider.Create("ASP.NET Identity"));
        }
        return manager;
    }

The token is included in the password reset link that is emailed to the user. This URL points to an ASP.NET MVC view, which is part of my WebAPI project and is obviously hosted in the same web application in IIS. The Reset button on that page calls my other service endpoint, which resets the password.
Password reset service endpoint:

    [HttpGet]
    [AllowAnonymous]
    public async Task<HttpResponseMessage> ResetPassword([FromUri]string email, [FromUri]string code, [FromUri]string password)
    {
        var user = await UserManager.FindByEmailAsync(email);
        if (user == null)
        {
            // Unknown email: fail the same way as an invalid token instead of throwing on user.Id
            return Request.CreateResponse(System.Net.HttpStatusCode.Ambiguous);
        }
        var result = await UserManager.ResetPasswordAsync(user.Id, code, password);
        if (result.Succeeded)
        {
            return Request.CreateResponse();
        }
        return Request.CreateResponse(System.Net.HttpStatusCode.Ambiguous);
    }

I should also mention that both of these WebAPI endpoints are in the same controller, and in that controller I defined the UserManager property as follows:

    private ApplicationUserManager _userManager;

    public ApplicationUserManager UserManager
    {
        // Fall back to the per-request manager registered in the OWIN context
        get { return _userManager ?? Request.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
        private set { _userManager = value; }
    }

When I use an external tool such as the Advanced REST Client, I can hit the first endpoint to generate a token, then pass the token to the second endpoint along with the email address and new password, and the password is reset successfully. However, when my ASP.NET MVC controller takes the same token generated by the first endpoint and calls the ResetPassword endpoint, the token is invalid! I have already made sure that there is no encoding/decoding problem: the token received by the second endpoint is identical in both tests.
Again, all my WebAPI and ASP.NET controllers are in the same project and hosted in the same web application. I suspect the problem is that a new token provider is created when the request goes through the OwinContext, but I do not understand why it works when I call the endpoint through a web browser.

1 answer

I found the problem after reading this question: Make ASP.NET Identity 2.0 Email to verify tokens for WCF and MVC

In my case, IIS was configured to generate the machine key at run time, so the token was invalid even though all of my code runs as a single application. Run-time auto-generation has to be turned off.

Here is the guide for configuring the IIS machine key: How to generate a machine key using IIS

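The fix in the answer comes down to giving the application a fixed `<machineKey>`: `DataProtectorTokenProvider` in an IIS-hosted app protects reset tokens with the machineKey-backed data protector, so a key that IIS auto-generates at run time is not stable (across app-pool recycles, or between worker processes in a web garden or farm), and a token minted under one key fails validation under another. The script below is an added example, not code from the post or the linked guide. It generates random `validationKey`/`decryptionKey` values sized for HMACSHA256 and AES, prints the element to paste into `web.config` under `<system.web>`, and includes a check that a given `web.config` actually pins the key rather than leaving the default `AutoGenerate,IsolateApps`. The function names and the key sizes are my choices, not anything the page specifies.

```powershell
# Added example (not from the original post). Generates a fixed <machineKey>
# so ASP.NET Identity reset/confirmation tokens validate regardless of which
# worker process or recycle minted them, and checks a web.config for a pinned key.

function New-MachineKeyElement {
    param(
        [int]$ValidationKeyBytes = 64,   # 64 bytes for HMACSHA256 (128 hex chars)
        [int]$DecryptionKeyBytes = 32    # 32 bytes for AES-256 (64 hex chars)
    )

    # Use the CSPRNG, never Get-Random, for key material
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $validation = New-Object byte[] $ValidationKeyBytes
        $decryption = New-Object byte[] $DecryptionKeyBytes
        $rng.GetBytes($validation)
        $rng.GetBytes($decryption)
    } finally {
        $rng.Dispose()
    }

    # machineKey attributes are upper-case hex without separators
    $validationHex = ([System.BitConverter]::ToString($validation)).Replace('-', '')
    $decryptionHex = ([System.BitConverter]::ToString($decryption)).Replace('-', '')

    @"
<machineKey validationKey="$validationHex"
            decryptionKey="$decryptionHex"
            validation="HMACSHA256"
            decryption="AES" />
"@
}

function Test-MachineKeyIsFixed {
    param([Parameter(Mandatory)][string]$WebConfigPath)

    [xml]$config = Get-Content -Path $WebConfigPath -Raw
    $mk = $config.SelectSingleNode('/configuration/system.web/machineKey')

    # No element at all means the ASP.NET default, AutoGenerate,IsolateApps
    if ($null -eq $mk) { return $false }

    foreach ($attr in 'validationKey', 'decryptionKey') {
        $value = $mk.GetAttribute($attr)
        if ([string]::IsNullOrEmpty($value) -or $value -like 'AutoGenerate*') {
            return $false
        }
    }
    return $true
}

# Usage: emit a fresh element, then verify a deployed config
New-MachineKeyElement
# Test-MachineKeyIsFixed -WebConfigPath 'C:\inetpub\wwwroot\MyApp\web.config'
```

Treat the two key values as secrets: anyone who holds them can forge a valid password reset token for any account, so keep them out of source control and protect the section on the server (for example with `aspnet_regiis -pef "system.web/machineKey" <app path>`). Every node that must accept the same tokens (web garden, farm, or a separate MVC front end) needs the identical element. Separately, the `ResetPassword` endpoint in the question takes the token and the new password as query-string parameters of a GET, which puts both into IIS logs, proxy logs and browser history; a POST body is the safer transport for them.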

Source: https://habr.com/ru/post/1241521/
