8

I'm trying to implement password reset functionality with nightly build of ASP.NET Identity 1.1. There is a UserManager.GetPasswordResetToken method, but it throws an exception "No ITokenProvider is registered". Is there an built in token provider in ASP.NET Identity? If yes, how I can register it? If no, how I can implement one? Will be default Token Provider in the 1.1. release? And final question, is there an estimated 1.1 release date?

graycrow
  • 3,675
  • 6
  • 26
  • 28

4 Answers4

19

If someone looking for solution under AspNet.Identity 2.0 beta1 version.

Only this need to be modified.

UserManager.UserTokenProvider = new DataProtectorTokenProvider
<SecurityUser, string>(provider.Create("UserToken")) 
as IUserTokenProvider<SecurityUser, string>;

PasswordResetTokens and UserConfirmationTokens is merged into UserTokenProvider property and token provider class is also modified.

Vikash Kumar
  • 538
  • 7
  • 16
  • Where does DataProtectorTokenProvider come from ? – Pit Digger Apr 17 '14 at 14:27
  • It comes from `Microsoft.AspNet.Identity.Owin` namespace. – Vikash Kumar Apr 17 '14 at 14:32
  • Nope its not there in it . – Pit Digger Apr 17 '14 at 14:38
  • I am not sure which version are you using. You can look this class [link](http://www.symbolsource.org/MyGet/Metadata/aspnetwebstacknightly/Project/Microsoft.AspNet.Identity.Owin/2.0.0-beta1-140128/Release/Default/Microsoft.AspNet.Identity.Owin/Microsoft.AspNet.Identity.Owin/DataProtectorTokenProvider.cs?ImageName=Microsoft.AspNet.Identity.Owin) – Vikash Kumar Apr 17 '14 at 14:48
  • How would someone set the TokenLifespan to be different if both PasswordResetTokens and UserConfirmation tokens are merged into UserTokenProvider? – masterwok Jul 07 '14 at 17:38
  • Not sure if this facility is available. [Codeplex](https://aspnetidentity.codeplex.com/workitem/2228) – Vikash Kumar Jul 09 '14 at 08:23
  • 2
    @jtsan The Token lifespan is a public property so you can set it before each call. new DataProtectorTokenProvider(dataProtectionProvider.Create("ASP.NET Identity")){ TokenLifespan = new TimeSpan() }; – heymega Jul 25 '14 at 08:26
7

The default token provider implementation is found in the Microsoft.Identity.Owin package:

/// <summary>
/// Token provider that uses a DataProtector to generate encrypted tokens
/// </summary>
public class DataProtectorTokenProvider : ITokenProvider {
    public DataProtectorTokenProvider(IDataProtector protector)

And you do something like this to wire one up using the default data protection provider from your OWIN IAppBuilder

IDataProtectionProvider provider = app.GetDataProtectionProvider();
if (provider != null)
{
    manager.PasswordResetTokens = new DataProtectorTokenProvider(provider.Create("PasswordReset"));
    manager.UserConfirmationTokens = new DataProtectorTokenProvider(provider.Create("ConfirmUser"));
}
Nasreddine
  • 36,610
  • 17
  • 75
  • 94
Hao Kung
  • 28,040
  • 6
  • 84
  • 93
  • 3
    Thank you, looks promising. Just one question: how can I access IAppBuilder app from the place where I initializing UserManager (for example, from AccountController)? – graycrow Oct 24 '13 at 09:35
  • 1
    Which nightly build is this in? I'm using the 1.1.0-alpha1-131024 (Prerelease) packages and I don't see a `GetDataProtectionProvider` method. If there is a default token provider why aren't the `PasswordResetTokens` and `UserConfirmationTokens` properties already initialized with it so we don't have to jump through these hoops to be able to use them? Unless you need to change something about how the tokens are generated, this should "just work" out of the box without any extra work required or (to me at least) there isn't really a point in creating a default provider. – Scott Dorman Oct 24 '13 at 17:42
  • So the reason they are not part of Identity.Core and live in Identity.Owin is that Core cannot depend on Owin, and the default implementation comes from Owin. GetDataProtectionProvider lives in Microsoft.Owin.Security.DataProtection as an extension method off of IAppBuilder I believe. – Hao Kung Oct 24 '13 at 19:29
  • 1
    Found the method in the namespace you specified. I still think all of this should already be initialized out of the box. I shouldn't have to set any of this up unless I want to change how the token providers work. – Scott Dorman Oct 26 '13 at 04:10
  • It appears that for the account confirmation / forgot password features in ASP.NET Identity 2.0 alpha you need to redesign all of your initialization code for UserManager etc. Just take a look in this sample MVC app https://aspnet.codeplex.com/SourceControl/latest Samples->Identity->Identity-PasswordPolicy and compare it to a default RTM MVC 5 app and you will see the difference. There is a huge difference in the initialization stuff (check Startup.Auth.cs for instance) and will have a big impact on any MVC application using ASP.NET Identity 1.0 (current RTM). Not so good! – PussInBoots Jan 27 '14 at 17:28
  • In general the old 1.0 style will work as well, our prescriptive guidance and default samples will just be doing things differently since some of the new 2.0 features require the initialization. – Hao Kung Jan 27 '14 at 18:10
  • what is `GetDataProtectionProvider()` method ? – ManirajSS Sep 17 '15 at 14:01
5

Another way to do this (building on the other answers but simplifying it some) is to change Startup.Auth.cs so it looks similar to this:

public partial class Startup
{
    internal static IDataProtectionProvider DataProtectionProvider { get; private set; }

    public void ConfigureAuth(IAppBuilder app)
    {
        DataProtectionProvider = app.GetDataProtectionProvider();
    }
}

Then, modify the default constructor in AccountController.cs so that it looks similar to this:

 public AccountController()
     : this(new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(new ApplicationDbContext())))
 {
     if (Startup.DataProtectionProvider != null)
     {
         this.UserManager.PasswordResetTokens = new DataProtectorTokenProvider(Startup.DataProtectionProvider.Create("PasswordReset"));
         this.UserManager.UserConfirmationTokens = new DataProtectorTokenProvider(Startup.DataProtectionProvider.Create("ConfirmUser"));
     }
 }
Scott Dorman
  • 42,236
  • 12
  • 79
  • 110
1

Ok, answering my own question based on @hao-kung reply. First add static constructor and UserManagerFactory to Statrup class (startup.auth.cs)

public partial class Startup
{
    static Startup()
    {
        UserManagerFactory = () => new UserManager<IdentityUser>(new UserStore<IdentityUser>());
    }

    public static Func<UserManager<IdentityUser>> UserManagerFactory { get; set; }

    public void ConfigureAuth(IAppBuilder app)
    {
        var manager = UserManagerFactory();
        IDataProtectionProvider provider = app.GetDataProtectionProvider();
        if (provider != null)
        {
            manager.PasswordResetTokens = new DataProtectorTokenProvider(provider.Create("PasswordReset"));
            manager.UserConfirmationTokens = new DataProtectorTokenProvider(provider.Create("ConfirmUser"));
        }


        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
    }
}

Then init UserManager in the AccountController using that UserManagerFactory

public AccountController() : this(Startup.UserManagerFactory())
{
}

public AccountController(UserManager<IdentityUser> userManager)
{
    UserManager = userManager;
}

public UserManager<IdentityUser> UserManager { get; private set; }
graycrow
  • 3,675
  • 6
  • 26
  • 28