Menu
I would like to know whether it's possible to validate ASP.NET Identity user tokens on website 1, generated on website 2.
In my case, both websites actually use the same UserManager, which is defined in an assembly that both sites use. Startup.Auth.cs is identitical for the two sites. However, a token generated on the first site fails to validate on the other one.
Code used on first website to generate token:
string userId = User.Identity.GetUserId();
var manager = HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();
string token = await manager.GenerateUserTokenAsync("SomePurpose", userId);
Then passed as query parameters to the other website:
var manager = HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();
if (await manager.VerifyUserTokenAsync(userId, "SomePurpose", token))
{
// Do something
}
Validation always fails in this scenario. If I validate the token on the same site where it was generated, it passes.
Here's how the token provider is assigned in ApplicationUserManager (options.DataProtectionProvider is of type CallDataProtectionProvider at runtime):
var dataProtectionProvider = options.DataProtectionProvider;
if (dataProtectionProvider != null)
{
manager.UserTokenProvider =
new DataProtectorTokenProvider<UserProfile>(dataProtectionProvider.Create("SomeName"));
}
Is this behavior intentional or am I doing something wrong?
270
OWIN (Open Web Interface for . NET) is a standard for an interface between . NET Web applications and Web servers. It is a community-owned open-source project. The OAuth authorization framework enables a third-party application to obtain limited access to a HTTP service.
It turns out token generation and verification use the machine key. To generate/verify, the websites need to have the same machineKey configured.
117
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
