c# - Asp.NET Identity 2 giving "Invalid Token" error

Question

I'm using Asp.Net-Identity-2 and I'm trying to verify email verification code using the below method. But I am getting an "Invalid Token" error message.

• My Application's User Manager is like this:

  public class AppUserManager : UserManager<AppUser>
  {
      public AppUserManager(IUserStore<AppUser> store) : base(store) { }
  
      public static AppUserManager Create(IdentityFactoryOptions<AppUserManager> options, IOwinContext context)
      {
          AppIdentityDbContext db = context.Get<AppIdentityDbContext>();
          AppUserManager manager = new AppUserManager(new UserStore<AppUser>(db));
  
          manager.PasswordValidator = new PasswordValidator { 
              RequiredLength = 6,
              RequireNonLetterOrDigit = false,
              RequireDigit = false,
              RequireLowercase = true,
              RequireUppercase = true
          };
  
          manager.UserValidator = new UserValidator<AppUser>(manager)
          {
              AllowOnlyAlphanumericUserNames = true,
              RequireUniqueEmail = true
          };
  
          var dataProtectionProvider = options.DataProtectionProvider;
  
          //token life span is 3 hours
          if (dataProtectionProvider != null)
          {
              manager.UserTokenProvider =
                 new DataProtectorTokenProvider<AppUser>
                    (dataProtectionProvider.Create("ConfirmationToken"))
                 {
                     TokenLifespan = TimeSpan.FromHours(3)
                 };
          }
  
          manager.EmailService = new EmailService();
  
          return manager;
      } //Create
    } //class
  } //namespace
  

• My Action to generate the token is (and even if I check the token here, I get "Invalid token" message):

  [AllowAnonymous]
  [HttpPost]
  [ValidateAntiForgeryToken]
  public ActionResult ForgotPassword(string email)
  {
      if (ModelState.IsValid)
      {
          AppUser user = UserManager.FindByEmail(email);
          if (user == null || !(UserManager.IsEmailConfirmed(user.Id)))
          {
              // Returning without warning anything wrong...
              return View("../Home/Index");
  
          } //if
  
          string code = UserManager.GeneratePasswordResetToken(user.Id);
          string callbackUrl = Url.Action("ResetPassword", "Admin", new { Id = user.Id, code = HttpUtility.UrlEncode(code) }, protocol: Request.Url.Scheme);
  
          UserManager.SendEmail(user.Id, "Reset password Link", "Use the following  link to reset your password: <a href="" + callbackUrl + "">link</a>");
  
          //This 2 lines I use tho debugger propose. The result is: "Invalid token" (???)
          IdentityResult result;
          result = UserManager.ConfirmEmail(user.Id, code);
      }
  
      // If we got this far, something failed, redisplay form
      return View();
  
  } //ForgotPassword
  

• My Action to check the token is (here, I always get "Invalid Token" when I check the result):

  [AllowAnonymous]
  public async Task<ActionResult> ResetPassword(string id, string code)
  {
  
      if (id == null || code == null)
      {
          return View("Error", new string[] { "Invalid params to reset password." });
      }
  
      IdentityResult result;
  
      try
      {
          result = await UserManager.ConfirmEmailAsync(id, code);
      }
      catch (InvalidOperationException ioe)
      {
          // ConfirmEmailAsync throws when the id is not found.
          return View("Error", new string[] { "Error to reset password:<br/><br/><li>" + ioe.Message + "</li>" });
      }
  
      if (result.Succeeded)
      {
          AppUser objUser = await UserManager.FindByIdAsync(id);
          ResetPasswordModel model = new ResetPasswordModel();
  
          model.Id = objUser.Id;
          model.Name = objUser.UserName;
          model.Email = objUser.Email;
  
          return View(model);
      }
  
      // If we got this far, something failed.
      string strErrorMsg = "";
      foreach(string strError in result.Errors)
      {
          strErrorMsg += "<li>" + strError + "</li>";
      } //foreach
  
      return View("Error", new string[] { strErrorMsg });
  
  } //ForgotPasswordConfirmation
  

I don't know what could be missing or what's wrong...

Answer 1

I encountered this problem and resolved it. There are several possible reasons.

1. URL-Encoding issues (if problem occurring "randomly")

If this happens randomly, you might be running into url-encoding problems. For unknown reasons, the token is not designed for url-safe, which means it might contain invalid characters when being passed through a url (for example, if sent via an e-mail).

In this case, HttpUtility.UrlEncode(token) and HttpUtility.UrlDecode(token) should be used.

As o?o Pereira said in his comments, UrlDecode is not (or sometimes not?) required. Try both please. Thanks.

2. Non-matching methods (email vs password tokens)

For example:

    var code = await userManager.GenerateEmailConfirmationTokenAsync(user.Id);

and

    var result = await userManager.ResetPasswordAsync(user.Id, code, newPassword);

The token generated by the email-token-provide cannot be confirmed by the reset-password-token-provider.

But we will see the root cause of why this happens.

3. Different instances of token providers

Even if you are using:

var token = await _userManager.GeneratePasswordResetTokenAsync(user.Id);

along with

var result = await _userManager.ResetPasswordAsync(user.Id, HttpUtility.UrlDecode(token), newPassword);

the error still could happen.

My old code shows why:

public class AccountController : Controller
{
    private readonly UserManager _userManager = UserManager.CreateUserManager(); 

    [AllowAnonymous]
    [HttpPost]
    public async Task<ActionResult> ForgotPassword(FormCollection collection)
    {
        var token = await _userManager.GeneratePasswordResetTokenAsync(user.Id);
        var callbackUrl = Url.Action("ResetPassword", "Account", new { area = "", UserId = user.Id, token = HttpUtility.UrlEncode(token) }, Request.Url.Scheme);

        Mail.Send(...);
    }

and:

public class UserManager : UserManager<IdentityUser>
{
    private static readonly UserStore<IdentityUser> UserStore = new UserStore<IdentityUser>();
    private static readonly UserManager Instance = new UserManager();

    private UserManager()
        : base(UserStore)
    {
    }

    public static UserManager CreateUserManager()
    {
        var dataProtectionProvider = new DpapiDataProtectionProvider();
        Instance.UserTokenProvider = new DataProtectorTokenProvider<IdentityUser>(dataProtectionProvider.Create());

        return Instance;
    }

Pay attention that in this code, every time when a UserManager is created (or new-ed), a new dataProtectionProvider is generated as well. So when a user receives the email and clicks the link:

public class AccountController : Controller
{
    private readonly UserManager _userManager = UserManager.CreateUserManager();
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> ResetPassword(string userId, string token, FormCollection collection)
    {
        var result = await _userManager.ResetPasswordAsync(user.Id, HttpUtility.UrlDecode(token), newPassword);
        if (result != IdentityResult.Success)
            return Content(result.Errors.Aggregate("", (current, error) => current + error + "
"));
        return RedirectToAction("Login");
    }

The AccountController is no longer the old one, and neither are the _userManager and its token provider. So the new token provider will fail because it has no that token in it's memory.

Thus we need to use a single instance for the token provider. Here is my new code and it works fine:

public class UserManager : UserManager<IdentityUser>
{
    private static readonly UserStore<IdentityUser> UserStore = new UserStore<IdentityUser>();
    private static readonly UserManager Instance = new UserManager();

    private UserManager()
        : base(UserStore)
    {
    }

    public static UserManager CreateUserManager()
    {
        //...
        Instance.UserTokenProvider = TokenProvider.Provider;

        return Instance;
    }

and:

public static class TokenProvider
{
    [UsedImplicitly] private static DataProtectorTokenProvider<IdentityUser> _tokenProvider;

    public static DataProtectorTokenProvider<IdentityUser> Provider
    {
        get
        {

            if (_tokenProvider != null)
                return _tokenProvider;
            var dataProtectionProvider = new DpapiDataProtectionProvider();
            _tokenProvider = new DataProtectorTokenProvider<IdentityUser>(dataProtectionProvider.Create());
            return _tokenProvider;
        }
    }
}

It could not be called an elegant solution, but it hit the root and solved my problem.