Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

AddDefaultTokenProviders: what is it and how to use those "default providers"?

I found this in my Startup.cs file in ConfigureServices in a default Visual Studio 2015 ASP.NET 5 project:

services.AddIdentity<ApplicationUser, IdentityRole>()                 .AddEntityFrameworkStores<AuthorizationDbContext>()                 .AddDefaultTokenProviders(); 

What does it exactly do, and how to use those "default providers"? Does it configure all token-based authentication for me? Where can I read more about it?

like image 768
Piotrek Avatar asked Feb 16 '16 13:02

Piotrek


People also ask

What is a SecurityStamp in ASP net Identity and what is it used for?

The security stamp is a Guid stored in the database against the user. It gets updated when certain actions take place within the Identity UserManager class and provides a way to invalidate old tokens when an account has changed.

What is token provider?

A token provider in Windows Communication Foundation (WCF) is used for supplying credentials to the security infrastructure. The token provider in general examines the target and issues appropriate credentials so that the security infrastructure can secure the message.

What is security stamp C#?

This is a signed token which is not stored on the server. The security timestamp is used for tracking changes made to the user profile. It is used for security purposes when important properties of a user change, such as changing the password.


1 Answers

Despite their name, the token providers have nothing to do with token authentication: they are exclusively used to generate opaque tokens for account operations (like password reset or email change) and two-factor authentication.

There are currently 3 built-in providers:

  • DataProtectorTokenProvider: as the name suggests, it uses the data protection block (machine keys' equivalent in ASP.NET Core 1.0) to serialize encrypted tokens that can later be deserialized by the server.

  • EmailTokenProvider and PhoneNumberTokenProvider: these providers are derived from TotpSecurityStampBasedTokenProvider, which implements the Time-based One-time Password Algorithm (TOTP), a protocol designed to produce user-friendly and short tokens that can be sent in a SMS or in an email.

ASP.NET Core 1.0 doesn't offer native token authentication support (only token validation is supported: you can't produce your own tokens). You can read these SO posts for more information:

  • Simple JWT authentication in ASP.NET Core 1.0 Web API.
  • Web API Authentication in ASP.NET 5.
  • Configure the authorization server endpoint.
like image 115
Kévin Chalet Avatar answered Sep 18 '22 17:09

Kévin Chalet