ASP.Net Identity Generate Token Weirdness (Tokens become invalid seemingly at a random interval)

misc1We’re working on an ASP.Net project that uses Identity to handle user authorization and had an interesting issue when creating temporary email confirmation tokens.

The tokens are generated via the Use-Manager’s function “GenerateEmailConfirmationTokenAsync”. Then we add that token to a link which is emailed to the user.

Periodically, these tokens were coming back as being invalid and a search on the issue came up with some interesting reasons.

  • TokenLifeSpan not set in the ApplicationUserManager Create method. If this is not set, then the default token lifespan for *any* token is 24 hours:

public class ApplicationUserManager : UserManager<User>
    {
        public ApplicationUserManager(IUserStore<User> store)
            : base(store)
        {
        }

        public static ApplicationUserManager Create(IdentityFactoryOptions<ApplicationUserManager> options, IOwinContext context)
        {
            var manager = new ApplicationUserManager(new UserStore<User>(context.Get<RjwContext>()));
            // Configure validation logic for usernames
            manager.UserValidator = new UserValidator<User>(manager)
            {
                AllowOnlyAlphanumericUserNames = false,
                RequireUniqueEmail = true
            };
            manager.PasswordValidator = new PasswordValidator
            {
                RequiredLength = 6,
            };
            var dataProtectionProvider = options.DataProtectionProvider;
            if (dataProtectionProvider != null)
            {
                manager.UserTokenProvider =
                    new DataProtectorTokenProvider<User>(dataProtectionProvider.Create("ASP.NET Identity"))
                    {
                        TokenLifespan = TimeSpan.FromDays(14)
                    };

            }
            return manager;
        }
    }

  • By default, the Token Provider uses the machine key as part of encryption scheme. And by default, IIS will create a new encryption key for each site when it restarts. Here are steps for fix this:

In IIS settings for a specific site, there’s a button labeled “Machine Key” and if you double-click on this you’ll see the following screen:

iis-machine-key

Uncheck both checkboxes and click into each text-box and then click on “Generate Keys” on the right side. This will simply force the machine keys to be the same every time this site is used (or IIS gets restarted, etc).

As a side, when the user sets this configuration, IIS adds a machine key element in the site’s web.config file. To guarantee that the site always uses that machine key, we copied that section into web.config of the project in our Github repository.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s