
What are a security token and security stamp in ASP.NET Identity?

I need background about two features of ASP.NET Identity please:

  1. Security token - What is it? Is it a temporary password sent to the user's email?
  2. Security Stamp - Is it something other than security tokens? If yes, what's its purpose? How are they different?

Thanks, ashilon

ashilon asked Dec 28 '14 14:12


People also ask

What is security stamp ASP NET identity?

The security stamp is a Guid stored in the database against the user. It gets updated when certain actions take place within the Identity UserManager class and provides a way to invalidate old tokens when an account has changed.

What is AspNetUserTokens table?

The "AspNetUserTokens" table holds external authentication tokens. This table is also used for keeping TOTP authenticator keys and recovery codes for the user.

What is AspNetUserLogins?

In ASP.NET Identity, the Identity system uses the AspNetUserLogins table to hold information about third-party/external logins, for example users who log in to your site via Google, Facebook, Twitter etc.


1 Answer

Try to answer your questions in order:

  1. Tokens are used in Identity in several ways. You can use them to reset a password or confirm the email address of a user. Here you generate a token specific to the appropriate user which can be used for these two purposes. They will be sent to the user, for example as a link to a view which handles the confirmation. You can also rewrite the token when giving it to the user (it is a very long one), but it is important that you undo your rewrite during the confirmation process. In general, when you refer to a token in Identity it means the bearer token for authenticating a user. This is a signed token which is not stored on the server.
  2. The security timestamp is used for tracking changes made to the user profile. It is used for security purposes when important properties of a user change, such as changing the password. Normally you don't have to work with the timestamp directly, but if you're adding default users in a code-first approach when seeding the database you have to set the security timestamp. If you don't do so you have to take some manual steps to use these users.

Most of this is handled by Identity itself, but you will need some knowledge when you want to do some customization. If you want to dig deeper, the blog of Brock Allen is a good resource, because the official documentation lacks some of the important things and is normally not up to date.

Horizon_Net answered Sep 30 '22 21:09
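
A minimal C# model of why changing the security stamp invalidates password-reset and email-confirmation tokens that were issued earlier. It is an added illustration, not ASP.NET Identity's code and not part of the answer above; the `User` class, the `StampBoundTokens` helper, the HMAC construction and the demo key are all assumptions made for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical user record: the stamp is a random value stored with the user.
class User
{
    public string Id = Guid.NewGuid().ToString();
    public string SecurityStamp = Guid.NewGuid().ToString();
}

static class StampBoundTokens
{
    // Constructed demo key; a real application keeps this in managed key storage.
    static readonly byte[] Key = RandomNumberGenerator.GetBytes(32);

    static string Sign(string payload)
    {
        using var hmac = new HMACSHA256(Key);
        return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Token = "<expiry>.<MAC over expiry|purpose|userId|stamp at issue time>"
    public static string Generate(User u, string purpose, TimeSpan lifetime)
    {
        long exp = DateTimeOffset.UtcNow.Add(lifetime).ToUnixTimeSeconds();
        return $"{exp}.{Sign($"{exp}|{purpose}|{u.Id}|{u.SecurityStamp}")}";
    }

    public static bool Validate(User u, string purpose, string token)
    {
        var parts = token.Split('.', 2);
        if (parts.Length != 2 || !long.TryParse(parts[0], out long exp)) return false;
        if (DateTimeOffset.UtcNow.ToUnixTimeSeconds() > exp) return false;
        // Recompute with the user's CURRENT stamp: a rotated stamp no longer matches.
        byte[] expected = Encoding.UTF8.GetBytes(Sign($"{exp}|{purpose}|{u.Id}|{u.SecurityStamp}"));
        return CryptographicOperations.FixedTimeEquals(expected, Encoding.UTF8.GetBytes(parts[1]));
    }
}

static class Program
{
    static void Main()
    {
        var user = new User();
        string token = StampBoundTokens.Generate(user, "ResetPassword", TimeSpan.FromHours(1));
        Console.WriteLine(StampBoundTokens.Validate(user, "ResetPassword", token));     // same stamp, same purpose
        Console.WriteLine(StampBoundTokens.Validate(user, "EmailConfirmation", token)); // token reused for another purpose
        user.SecurityStamp = Guid.NewGuid().ToString();                                 // stamp rotated, e.g. on password change
        Console.WriteLine(StampBoundTokens.Validate(user, "ResetPassword", token));     // token issued before the rotation
    }
}
```

The same reasoning explains the seeding remark in the answer: a user created without a stamp has nothing for a token to be bound to.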