Greg

Reputation: 2690

Aspnet Core 1.0 Identity User Manager ConfirmEmailAsync returns InvalidToken

When the user clicks the Confirm Email link in the email they receive, the URL directs the user to the ConfirmEmailAsync method in the Account Controller. This method then returns the result of the call to the Email Token Provider.

 var result = await _userManager.ConfirmEmailAsync(user, code);

I have captured the generated email token when the user registers and the token that is passed in the code variable above and they are identical.

I have tried Base64 encoding and decoding with no success, although I believe this is done automatically by the asp-net-core-identity-token-providers.

Any ideas?

Upvotes: 0

Views: 286

Answers (1)

Dave

Reputation: 1593

Generated tokens through identity are tied to the SecurityStamp on the user. If the stamp is updated for any reason, all previously sent tokens are invalidated. Changing or setting a password would cause this to happen.

This could be an order of operations problem. Do you by chance save the register password after you send the email to validate the email they provided?

For instance, this will fail:

  • Send email with token
  • Save the register info like the password
  • Try to use the token.

Instead, this should work:

  • Save the register info
  • Send email with token
  • Try to use token

That scenario is just an example, as I can't be sure that is the way your code is set up. That said, if the tokens are the same, it is likely the SecurityStamp that is the problem. Keep tabs on it in your database throughout the process and see if something is updating it.

Upvotes: 1
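
One way to "keep tabs on" the SecurityStamp as the answer above suggests, shown as an added C# example that is not part of the original answer or of ASP.NET Core Identity. `EmailTokenDiagnostics` and its method names are hypothetical; the `UserManager<TUser>` calls are the framework's own, and the user store is assumed to support security stamps.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

// Hypothetical helper (not part of Identity): records the SecurityStamp at the
// moment the confirmation token is issued and compares it at confirmation time.
public static class EmailTokenDiagnostics
{
    // Call this only after the user and password have been saved, so that no
    // later registration step changes the stamp the token is tied to.
    public static async Task<Tuple<string, string>> IssueAsync<TUser>(
        UserManager<TUser> users, TUser user) where TUser : class
    {
        var stampAtIssue = await users.GetSecurityStampAsync(user);
        var token = await users.GenerateEmailConfirmationTokenAsync(user);
        // Keep stampAtIssue with your own audit data; do not write the token to logs.
        return Tuple.Create(token, stampAtIssue);
    }

    // 'user' should be freshly loaded from the store (e.g. FindByIdAsync) so the
    // stamp read here is the one the token provider will validate against.
    public static async Task<string> ConfirmAsync<TUser>(
        UserManager<TUser> users, TUser user, string token, string stampAtIssue)
        where TUser : class
    {
        var stampNow = await users.GetSecurityStampAsync(user);
        var result = await users.ConfirmEmailAsync(user, token);

        if (result.Succeeded)
            return "confirmed";

        // Identical token text but a different stamp: something between issue
        // and confirmation (such as setting the password) updated the stamp.
        if (!string.Equals(stampNow, stampAtIssue, StringComparison.Ordinal))
            return "rejected: SecurityStamp changed after the token was issued";

        return "rejected: SecurityStamp unchanged, so the cause lies elsewhere";
    }
}
```

Calling `IssueAsync` as the last step of registration matches the "this should work" order in the answer: save the register info, then send the email with the token.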
