Invalid ASP.NET Core Password Reset Tokens

I have two servers that use the same core component of ASP.NET Core Identity. I generate a password reset token with:

var token = await _userManager.GeneratePasswordResetTokenAsync(applicationUser);

I am sending this token by email. When the user clicks on the link, they go to a separate site, which must provide a user interface for changing the password. The following code processes the password reset, taking both the token and the new password:

var identityResult = await _userManager.ResetPasswordAsync(applicationUser, code, password);

On the second server, the result always returns false because of an "invalid token".

Looking through the source code, I see that the token is generated using the IP address (so I understand why the token check failed).

My question is: how do I enable successful token creation / verification on different machines? In earlier ASP.NET (Web Forms), I would most likely use a shared machine key to cover these scenarios. ASP.NET Core does not seem to have a similar concept. From what I have read, it seems the trick is to use the DataProtection API. Unfortunately, I have not seen examples of how to apply this to reset token generation.

+4
3 answers

You must encode your token before sending. You should do something like this:

var token = await _userManager.GeneratePasswordResetTokenAsync(applicationUser);
var encodedCode = HttpUtility.UrlEncode(token);

After encoding it, you should pass the encoded token, not the generated token.

+2


services.AddDataProtection().SetApplicationName("same for both apps");

https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview


+1
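To see why the shared application name matters, here is an added stand-alone demo (not code from the question or the answers): two IDataProtectionProvider instances stand in for the two servers, all reading the same key ring directory. The key ring path, the application names and the purpose string "PasswordResetDemo" are assumptions for the demo; the package needed is Microsoft.AspNetCore.DataProtection.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

class SharedTokenDemo
{
    // Shared key ring directory (demo assumption). In production both servers
    // must reach the same store: a network share, blob storage, Redis, etc.
    static readonly DirectoryInfo KeyRing =
        new DirectoryInfo(Path.Combine(Path.GetTempPath(), "shared-keyring-demo"));

    // Purpose string chosen for this demo; Identity's DataProtectorTokenProvider
    // uses its own fixed purpose internally.
    const string Purpose = "PasswordResetDemo";

    // One provider per "server"; SetApplicationName isolates apps that share keys.
    static IDataProtector MakeProtector(string appName) =>
        DataProtectionProvider
            .Create(KeyRing, o => o.SetApplicationName(appName))
            .CreateProtector(Purpose);

    static void Main()
    {
        var issuer   = MakeProtector("MyIdentityApp"); // server 1: generates the token
        var verifier = MakeProtector("MyIdentityApp"); // server 2: same keys, same name
        var stranger = MakeProtector("SomeOtherApp");  // same keys, different name

        string token = issuer.Protect("user-123|reset|" + DateTime.UtcNow.ToString("O"));

        // The string overload returns base64url, but Identity's token provider emits
        // standard base64 ('+', '/', '='), so the value placed in the e-mail link
        // must still be URL-encoded, as the first answer points out.
        string link = "https://site2.example/reset?code=" + Uri.EscapeDataString(token);
        Console.WriteLine(link);

        // Shared key ring AND matching application name: round-trip succeeds.
        Console.WriteLine(verifier.Unprotect(token));

        // Shared key ring but a different application name: the derived subkey
        // differs, so the payload is rejected, exactly like the "invalid token"
        // failure when two servers are not configured as the same application.
        try { stranger.Unprotect(token); }
        catch (CryptographicException ex) { Console.WriteLine("rejected: " + ex.Message); }
    }
}
```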


public ApplicationUserManager(IUserStore<ApplicationUser> store)
    : base(store)
{
    // Back the user manager's token provider with the OWIN data protection
    // provider captured in Startup, so every instance derives the same keys.
    var dataProtectorProvider = Startup.DataProtectionProvider;
    var dataProtector = dataProtectorProvider.Create("My Identity");
    this.UserTokenProvider = new DataProtectorTokenProvider<ApplicationUser, string>(dataProtector);
    //this.UserTokenProvider.TokenLifespan = TimeSpan.FromHours(24);
}


    string code = await UserManager.GenerateEmailConfirmationTokenAsync(user.Id);
    var callbackUrl = Url.Action("ConfirmEmail", "Account", new { userId = user.Id, code = code }, protocol: Request.Url.Scheme);
    UserManager.EmailService = new EmailService();
    await UserManager.SendEmailAsync(user.Id, "Confirm your account", "Please confirm your account by clicking <a href=\"" + callbackUrl + "\">here</a>");

When you see a token in your database, check your email. Then click the callback URL and correct the URL encoding.

To use dataProtectorProvider:

public partial class Startup
{
    public static IDataProtectionProvider DataProtectionProvider { get; set; }

    public void ConfigureAuth(IAppBuilder app)
    {
        DataProtectionProvider = app.GetDataProtectionProvider();
    }
}
-1

Source: https://habr.com/ru/post/1674145/
