I have two questions concerning the ASP.Identity 2.0 "GenerateEmailConfirmationToken/GenerateEmailConfirmationTokenAsync" methods.

// Generate token
var token = Url.Encode(await UserManager.GenerateEmailConfirmationTokenAsync(user.Id));
  1. Is this token stored in the database? I guess it should be. But in which field? I only find "PasswordHash" and "SecurityStamp" on the User table. Neither seems to match.
  2. I was under the impression that once I generate an email token, the EmailConfirmed field of the User table would be set to false. But it stays true. So, what is the purpose of creating a token if the corresponding user account stays confirmed? Or in other words: What do I need to do in order to generate a new token AND also set the account to NOT confirmed?
Ingmar
  • See this answer: http://stackoverflow.com/a/27137659/809357 – trailmax Jan 07 '15 at 23:10
  • And this one: http://stackoverflow.com/a/27677587/809357 – trailmax Jan 07 '15 at 23:10
  • possible duplicate of [What are a security token and security stamp in ASP.NET Identity?](http://stackoverflow.com/questions/27677345/what-are-a-security-token-and-security-stamp-in-asp-net-identity) – trailmax Jan 07 '15 at 23:11
  • Hi trailmax, thanks for your research. But I am not 100% sure if the AuthenticationToken is the same as the token that is being generated by GenerateEmailConfirmationToken(). I am pretty sure those are two different things. But in the end, maybe what is being said about the AuthenticationToken applies to the email confirmation token as well: they are both NOT stored in the database, but rely on some calculation/checksum. – Ingmar Jan 08 '15 at 07:31
  • However, I am still looking for an answer to my 2nd question. Actually this is the important one to me. I am trying to understand the role of the EmailConfirmed field. My goal is: once I issue a token (and send it to the corresponding user by email), I want the EmailConfirmed field to be set to false - so I will not accept another login until the user has confirmed the token. Of course I could set EmailConfirmed=false manually, but I am still hoping that all this should be built-in ... so, any more tips are still appreciated since I really didn't find anything for this on the web. – Ingmar Jan 08 '15 at 07:35
  • Tokens are not stored in the DB - they are crypto-calculated based on `SecurityStamp`. The `EmailConfirmed` field is for you to set and check when needed. As far as I remember, an unconfirmed email does not stop users logging in, so you need to check that yourself. – trailmax Jan 08 '15 at 09:15
  • Ok, so you think I didn't miss anything? Setting EmailConfirmed manually is the way to go? Well, good then ... ;-) Thanks for your help, trailmax. I would like to accept your answer(s), but unfortunately I can't since you added comments only. So, thanks again!!! – Ingmar Jan 08 '15 at 14:33
  • Glad you got your answers. See my summary for points-sake -)) – trailmax Jan 08 '15 at 15:34

1 Answer

To summarise the discussion in comments: tokens are not stored anywhere - they are crypto-generated (I am not exactly sure about the exact process of generation) from the SecurityStamp, and when they come back they can be decrypted and compared.

As for the EmailConfirmed field - this is for you to maintain and look after. You'll manually need to deny login for users with no confirmed email. And you'll need to set the flag when the email confirmation does come through.

trailmax
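As an added example (not code from the question or the answer), here are the three controller actions the answer leaves to the application, written against the ASP.NET Identity 2.0 MVC template: UserManager, SignInManager, LoginViewModel and RedirectToLocal are the template's own members, while the action names, view names and the use of the email address as user name are assumptions.

```csharp
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

public partial class AccountController : Controller
{
    // Re-issue a confirmation token. Nothing is stored: the token is derived from the
    // user's SecurityStamp, so rotating the stamp first invalidates any older emailed link.
    // Clearing EmailConfirmed is our own bookkeeping; Identity does not do it for us.
    public async Task<ActionResult> ResendConfirmation(string userId)
    {
        var user = await UserManager.FindByIdAsync(userId);
        if (user == null) return HttpNotFound();
        user.EmailConfirmed = false;
        await UserManager.UpdateAsync(user);
        await UserManager.UpdateSecurityStampAsync(user.Id);   // old tokens stop validating
        var code = await UserManager.GenerateEmailConfirmationTokenAsync(user.Id);
        var link = Url.Action("ConfirmEmail", "Account",
                              new { userId = user.Id, code }, protocol: Request.Url.Scheme);
        await UserManager.SendEmailAsync(user.Id, "Confirm your account", "Confirm here: " + link);
        return View("CheckYourEmail");   // assumed view name
    }

    // Link target: ConfirmEmailAsync checks the token against the current SecurityStamp
    // and, on success, sets EmailConfirmed = true for us.
    [AllowAnonymous]
    public async Task<ActionResult> ConfirmEmail(string userId, string code)
    {
        if (userId == null || code == null) return View("Error");
        var result = await UserManager.ConfirmEmailAsync(userId, code);
        return View(result.Succeeded ? "ConfirmEmail" : "Error");
    }

    // Login: Identity does not refuse unconfirmed users by itself, so check the flag
    // ourselves before handing the credentials to SignInManager.
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid) return View(model);
        var user = await UserManager.FindByNameAsync(model.Email);   // assumes email is the user name
        if (user != null && !await UserManager.IsEmailConfirmedAsync(user.Id))
        {
            ModelState.AddModelError("", "Please confirm your email address before logging in.");
            return View(model);
        }
        var status = await SignInManager.PasswordSignInAsync(model.Email, model.Password,
                                                             model.RememberMe, shouldLockout: false);
        return status == SignInStatus.Success ? RedirectToLocal(returnUrl) : View(model);
    }
}
```

Because the SecurityStampValidator also ties sign-in cookies to the stamp, the UpdateSecurityStampAsync call signs out the user's existing sessions as well, which is usually what you want when re-sending a confirmation.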