ASP.NET Core Invalid Password Reset Tokens

Question

I have two servers that are using the same ASP.NET Core Identity backend. I generate the password reset token with the following:

var token = await _userManager.GeneratePasswordResetTokenAsync(applicationUser);

I send this token via an email link. When the user clicks the link, they are taken to a separate site which should provide a UI to change the password. The following code handles the user's password submission of both the token and their new password:

var identityResult = await _userManager.ResetPasswordAsync(applicationUser, code, password);

On the second server, the identity result always returns false because "invalid token".

Looking through the source, I see that the token is generated using the IP address (so I understand why the token validation failed).

My question is how do I enable successful token creation/validation across different machines? In previous forms of ASP.NET, I would likely use a shared machine key to prevent these scenarios. ASP.NET Core doesn't seem to have a similar concept. From what I've read, it seems that this might be a scenario to use the DataProtection API. Unfortunately, I haven't seen any examples as how to apply this to generating the reset token.

Answer 1

Have you tried setting the application name to the same value in both applications?

services.AddDataProtection().SetApplicationName("same for both apps");

https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview

P.S - I'm struggling with exactly the same problem.

Answer 2

you should encode your token before you send it. You should do something like this:

var token = await _userManager.GeneratePasswordResetTokenAsync(applicationUser);
var encodedCode = HttpUtility.UrlEncode(token);

After encoding it, you must pass the encoded token rather than the generated token.