ASP.NET Core Invalid Password Reset Tokens

I have two servers that are using the same ASP.NET Core Identity backend. I generate the password reset token with the following:

var token = await _userManager.GeneratePasswordResetTokenAsync(applicationUser);

I send this token via an email link. When the user clicks the link, they are taken to a separate site which should provide a UI to change the password. The following code handles the user's password submission of both the token and their new password:

var identityResult = await _userManager.ResetPasswordAsync(applicationUser, code, password);

On the second server, the identity result always returns false because "invalid token".

Looking through the source, I see that the token is generated using the IP address (so I understand why the token validation failed).

My question is how do I enable successful token creation/validation across different machines? In previous forms of ASP.NET, I would likely use a shared machine key to prevent these scenarios. ASP.NET Core doesn't seem to have a similar concept. From what I've read, it seems that this might be a scenario to use the DataProtection API. Unfortunately, I haven't seen any examples of how to apply this to generating the reset token.

Eric asked Apr 05 '17 21:04

2 Answers

Have you tried setting the application name to the same value in both applications?

services.AddDataProtection().SetApplicationName("same for both apps");

https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview

P.S. - I'm struggling with exactly the same problem.

Stefan Buys answered Sep 21 '22 03:09


You should encode your token before you send it. You should do something like this:

var token = await _userManager.GeneratePasswordResetTokenAsync(applicationUser);
var encodedCode = HttpUtility.UrlEncode(token);

After encoding it, you must pass the encoded token rather than the generated token.

Spharah answered Sep 19 '22 03:09
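The two answers above cover the two separate failure modes: the Data Protection key ring not being shared between the hosts (first answer) and the raw token being mangled in the URL (second answer). The following added example, which is not code from the question or either answer, puts both into one place: the `ConfigureServices` block that both servers must run identically (shared application name plus a shared key repository, because Identity's reset token provider is built on Data Protection and the default key ring is per machine), the link-building side that base64url-encodes the token the way the Identity templates do, and the reset side that decodes it before calling `ResetPasswordAsync`. The application name `MyCompany.Identity`, the UNC path `\\fileserver\dp-keys`, the `ResetPassword` route and the class names are assumptions; `IdentityUser` is used as the user type.

```csharp
// Added example (not from the question or either answer): one way to make
// GeneratePasswordResetTokenAsync / ResetPasswordAsync agree across two
// ASP.NET Core hosts. Identity's reset token is produced by the Data Protection
// system, so both hosts need the same application name AND the same key ring.
// Application name, key path, route and class names below are assumptions.
using System;
using System.IO;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.WebUtilities;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Run identically on BOTH servers: the application name is part of the
        // protector purpose, and the key ring must be readable by both processes.
        // A UNC share is shown; Azure Blob, Redis or a database repository work
        // the same way. Lock the share down so only the two app identities can read it.
        services.AddDataProtection()
            .SetApplicationName("MyCompany.Identity")                              // assumed name
            .PersistKeysToFileSystem(new DirectoryInfo(@"\\fileserver\dp-keys")); // assumed path

        // Optional: bound how long an emailed reset link stays valid (default is 1 day).
        services.Configure<DataProtectionTokenProviderOptions>(o =>
            o.TokenLifespan = TimeSpan.FromHours(2));
    }
}

public class PasswordResetLinks
{
    private readonly UserManager<IdentityUser> _userManager;

    public PasswordResetLinks(UserManager<IdentityUser> userManager) => _userManager = userManager;

    // Server 1: generate the token and put it into the link the user will click.
    // The raw token is not URL-safe, so encode it the way the Identity templates
    // do (base64url over the UTF-8 bytes) instead of pasting it into the query string.
    public async Task<string> BuildResetLinkAsync(IdentityUser user, string resetSiteBase)
    {
        var token = await _userManager.GeneratePasswordResetTokenAsync(user);
        var code = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(token));
        return $"{resetSiteBase}/ResetPassword?userId={Uri.EscapeDataString(user.Id)}&code={code}";
    }

    // Server 2: reverse the encoding before handing the token to Identity.
    public async Task<IdentityResult> ResetAsync(string userId, string code, string newPassword)
    {
        var invalid = IdentityResult.Failed(new IdentityError
        {
            Code = "InvalidToken",
            Description = "Invalid token."
        });

        var user = await _userManager.FindByIdAsync(userId);
        if (user == null)
        {
            // Do not reveal whether the account exists; report the same generic
            // failure Identity returns for a bad token.
            return invalid;
        }

        string token;
        try
        {
            token = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(code));
        }
        catch (FormatException)
        {
            // Malformed or truncated code in the URL; treat it like a bad token.
            return invalid;
        }

        // Validation succeeds only if this host shares the key ring and application
        // name with the host that generated the token, and the token is unexpired.
        return await _userManager.ResetPasswordAsync(user, token, newPassword);
    }
}
```

When the key ring is shared, the `IdentityResult` on the second server reports `Succeeded` instead of an `InvalidToken` error; if it still fails after this change, compare the key ring directory and the application name on both hosts before looking anywhere else, since a token is bound to the purpose string (which includes the application name) and to the specific key that protected it.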