I would like to know if it is possible to check ASP.NET Identity user tokens on website 1 generated on website 2.
In my case, both sites actually use the same UserManager, which is defined in the assembly that both sites use. Startup.Auth.cs is identical for the two sites. However, the token generated on the first site cannot be verified on the other.
Code used on the first website to create a token:
    string userId = User.Identity.GetUserId();
    var manager = HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();
    string token = await manager.GenerateUserTokenAsync("SomePurpose", userId);
It is then passed as request parameters to another website:
    var manager = HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();
    if (await manager.VerifyUserTokenAsync(userId, "SomePurpose", token))
    {
        // token accepted (the rest of this block is not shown in the post)
    }
In this case, validation always fails. If I check the token on the same site on which it was generated, it passes.
Here is how the token provider is assigned in ApplicationUserManager (options.DataProtectionProvider is of type CallDataProtectionProvider at runtime):
    var dataProtectionProvider = options.DataProtectionProvider;
    if (dataProtectionProvider != null)
    {
        manager.UserTokenProvider =
            new DataProtectorTokenProvider<UserProfile>(dataProtectionProvider.Create("SomeName"));
    }
Is this behavior intentional or am I doing something wrong?
Knelis
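An added example, not part of the original question: tokens from `DataProtectorTokenProvider` are blobs produced by the `IDataProtector` it is given, so they only verify where an equivalent protector (same key material, same purposes) exists. The sketch below uses OWIN's `DpapiDataProtectionProvider` with hypothetical application names to model two sites whose providers are keyed differently; that this is what differs between the two sites in the question is an assumption. It needs Windows and the Microsoft.Owin.Security package.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Owin.Security.DataProtection;

static class CrossSiteProtectorDemo
{
    // True when `reader` can unprotect a blob produced by `writer`.
    static bool CanRoundTrip(IDataProtector writer, IDataProtector reader)
    {
        // Constructed payload standing in for the data a token provider protects.
        byte[] payload = Encoding.UTF8.GetBytes("constructed-payload|SomePurpose|user-1");
        byte[] blob = writer.Protect(payload);
        try
        {
            return reader.Unprotect(blob).SequenceEqual(payload);
        }
        catch (CryptographicException)
        {
            // Key or purpose mismatch: the blob cannot be decrypted.
            return false;
        }
    }

    static void Main()
    {
        // Hypothetical application names; "SomeName" is the purpose string from the question.
        IDataProtector site1 = new DpapiDataProtectionProvider("Website1").Create("SomeName");
        IDataProtector site2 = new DpapiDataProtectionProvider("Website2").Create("SomeName");
        IDataProtector shared1 = new DpapiDataProtectionProvider("SharedName").Create("SomeName");
        IDataProtector shared2 = new DpapiDataProtectionProvider("SharedName").Create("SomeName");

        Console.WriteLine("same site:             " + CanRoundTrip(site1, site1));
        Console.WriteLine("different app names:   " + CanRoundTrip(site1, site2));
        Console.WriteLine("same app name on both: " + CanRoundTrip(shared1, shared2));
    }
}
```

DPAPI keys here are scoped to the current Windows user, so the shared-name case only round-trips when both protectors run under the same account on the same machine.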