ASP.Net Identity Generate Token Weirdness (Tokens become invalid seemingly at a random interval)


We’re working on an ASP.Net project that uses Identity to handle user authentication and ran into an interesting issue with the temporary email confirmation tokens it generates.

The tokens are generated via the UserManager’s “GenerateEmailConfirmationTokenAsync” method. The resulting token is placed in a confirmation link which is emailed to the user.

Periodically, these tokens were coming back as invalid, and a search on the issue turned up two interesting causes.

  • TokenLifespan not set in the ApplicationUserManager Create method. If this is not set, the DataProtectorTokenProvider’s default lifespan for *any* token it issues (email confirmation, password reset, and so on) is 24 hours, so a user who opens the email a day later is refused:

using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;

public class ApplicationUserManager : UserManager<User>
{
    public ApplicationUserManager(IUserStore<User> store) : base(store) { }

    public static ApplicationUserManager Create(IdentityFactoryOptions<ApplicationUserManager> options, IOwinContext context)
    {
        var manager = new ApplicationUserManager(new UserStore<User>(context.Get<RjwContext>()));
        // Configure validation logic for usernames
        manager.UserValidator = new UserValidator<User>(manager)
        {
            AllowOnlyAlphanumericUserNames = false,
            RequireUniqueEmail = true
        };
        manager.PasswordValidator = new PasswordValidator
        {
            RequiredLength = 6,
        };
        var dataProtectionProvider = options.DataProtectionProvider;
        if (dataProtectionProvider != null)
        {
            // Without an explicit TokenLifespan the provider defaults to 24 hours for every token it issues.
            manager.UserTokenProvider =
                new DataProtectorTokenProvider<User>(dataProtectionProvider.Create("ASP.NET Identity"))
                {
                    TokenLifespan = TimeSpan.FromDays(14)
                };
        }
        return manager;
    }
}

  • By default, the token provider’s data protection on IIS is keyed by the site’s machine key. When that machine key is left at its “AutoGenerate” default, IIS can generate a fresh key for the site when the application pool recycles or IIS restarts, and every token issued under the old key then fails validation. A 14-day token lifespan makes it much more likely that a restart happens while a token is still outstanding. Here are the steps to fix this:

In IIS Manager, select the specific site, double-click the “Machine Key” feature, and you’ll see the validation key and decryption key settings:


Uncheck both “Automatically generate at runtime” checkboxes, click into each text-box, then click “Generate Keys” on the right side and apply the change. This writes fixed validation and decryption keys for the site, so the same keys are used every time the site runs (including after an application pool recycle or IIS restart), and tokens issued before a restart still validate afterwards.

As an aside, when the user applies this configuration, IIS adds a machineKey element to the site’s web.config file. To guarantee that the site always uses that machine key, we copied that section into the web.config of the project in our Github repository. One caveat: those two key values are secrets. Anyone who holds them can forge the site’s email confirmation and password reset tokens, and the authentication cookie protected by the same machine key, so they belong in a private repository at most, and ideally in a config transform or a secret store rather than in source control. In a web farm every server must carry the same keys, otherwise a token minted on one server fails on the next.
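The scripted equivalent of the IIS Manager steps above, as an added example that is not part of the original post: it generates cryptographically random validation and decryption keys of the sizes IIS Manager uses and writes them to the site’s machineKey element with the WebAdministration module, which is what turns automatic generation off. The site name “MySite” is a hypothetical placeholder, and the script assumes it is run in an elevated PowerShell session on the IIS host.

```powershell
# Added example, not code from the original post. Assumes IIS with the
# WebAdministration module and a site named "MySite" (hypothetical name).
Import-Module WebAdministration

function New-HexKey {
    param([int]$Bytes)
    # Cryptographically random bytes rendered as upper-case hex, the format
    # IIS Manager's "Generate Keys" button produces.
    $buffer = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($buffer) } finally { $rng.Dispose() }
    return ($buffer | ForEach-Object { $_.ToString('X2') }) -join ''
}

# 64-byte validation key for HMACSHA256 and a 32-byte (AES-256) decryption key,
# the same sizes IIS Manager generates.
$validationKey = New-HexKey -Bytes 64
$decryptionKey = New-HexKey -Bytes 32

$sitePath = 'IIS:\Sites\MySite'    # hypothetical site name, substitute your own
$filter   = 'system.web/machineKey'

# Setting explicit key values replaces the "AutoGenerate,IsolateApps" default,
# so the keys survive application pool recycles and IIS restarts and can be
# copied verbatim to every server in a web farm.
Set-WebConfigurationProperty -PSPath $sitePath -Filter $filter -Name validationKey -Value $validationKey
Set-WebConfigurationProperty -PSPath $sitePath -Filter $filter -Name decryptionKey -Value $decryptionKey
Set-WebConfigurationProperty -PSPath $sitePath -Filter $filter -Name validation    -Value 'HMACSHA256'
Set-WebConfigurationProperty -PSPath $sitePath -Filter $filter -Name decryption    -Value 'AES'

# Show what landed in the site's web.config machineKey element. Treat the two
# key values as secrets: they are all that is needed to forge the site's tokens.
Get-WebConfiguration -PSPath $sitePath -Filter $filter |
    Select-Object validationKey, decryptionKey, validation, decryption
```

The keys are written to the site’s web.config exactly as the IIS Manager dialog does, so the same element can be committed to a private repository or, better, injected at deploy time from a secret store. Re-running the script generates new keys and invalidates every outstanding token, so run it once per environment, not on every deployment.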
