I would like to know whether it's possible to validate ASP.NET Identity user tokens on website 1, generated on website 2.
In my case, both websites actually use the same UserManager
, which is defined in an assembly that both sites use. Startup.Auth.cs
is identitical for the two sites. However, a token generated on the first site fails to validate on the other one.
Code used on first website to generate token:
string userId = User.Identity.GetUserId();
var manager = HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();
string token = await manager.GenerateUserTokenAsync("SomePurpose", userId);
Then passed as query parameters to the other website:
var manager = HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();
if (await manager.VerifyUserTokenAsync(userId, "SomePurpose", token))
{
// Do something
}
Validation always fails in this scenario. If I validate the token on the same site where it was generated, it passes.
Here's how the token provider is assigned in ApplicationUserManager
(options.DataProtectionProvider
is of type CallDataProtectionProvider
at runtime):
var dataProtectionProvider = options.DataProtectionProvider;
if (dataProtectionProvider != null)
{
manager.UserTokenProvider =
new DataProtectorTokenProvider<UserProfile>(dataProtectionProvider.Create("SomeName"));
}
Is this behavior intentional or am I doing something wrong?
OWIN (Open Web Interface for . NET) is a standard for an interface between . NET Web applications and Web servers. It is a community-owned open-source project. The OAuth authorization framework enables a third-party application to obtain limited access to a HTTP service.
It turns out token generation and verification use the machine key. To generate/verify, the websites need to have the same machineKey
configured.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With