Marcel

Reputation: 1074

UserManager: GenerateEmailConfirmationTokenAsync() and ConfirmEmailAsync() in different web applications

I have 2 ASP MVC Core web applications (referencing Microsoft.AspNetCore.App, Version 2.1.1). Both are running locally in Visual Studio on my machine.

  1. If I call inside the 1st web application
    var code = await _userManager.GenerateEmailConfirmationTokenAsync(user);
  2. and then on the 2nd web application
    var result = await _userManager.ConfirmEmailAsync(user, code);

I got the result "Invalid token.".


I've read ASP.NET Core 2.0 - ASP.NET Identity - Invalid Token Error but my issue is different. It doesn't work locally, too!

(I guess setting the machineKey wouldn't help because both applications are running on my local machine. And even if I have no web.config locally.)

Upvotes: 1

Views: 4776

Answers (1)

Chris Pratt

Reputation: 239300

The token is persisted to the database, so all you need is to be able to properly decrypt it on the other side. For that, if both your apps are ASP.NET Core, then you need only set up the data protection providers for both apps to connect to the same external store and use the same application name. The external store could be a network location, mapped drive, Azure Key Vault, etc. You should review the full documentation, but essentially:

services.AddDataProtection()
    .SetApplicationName("shared app name")
    .PersistKeysToFileSystem(new DirectoryInfo(@"\\server\share\directory\"));

You may or may not need to assign one app as a primary key ring manager. By default, each app will rotate keys automatically, which could potentially be an issue if you have multiple apps sharing the same keys. You can disable key rotation on a per app basis via:

services.AddDataProtection()
    .DisableAutomaticKeyGeneration();

Essentially, you'd add this to all subordinate apps, leaving only the one you designate as the primary to rotate keys.

Upvotes: 1
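
The configuration from the answer above, as an added console example that is not part of the original answer: two providers sharing a key directory and application name can read each other's payloads, while a third with a different application name cannot. The class name, the temp-directory key store, the purpose string and the payload are constructed for illustration; it needs the Microsoft.AspNetCore.DataProtection and Microsoft.Extensions.DependencyInjection packages.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

static class SharedKeyRingDemo // hypothetical name, added example
{
    // Builds the data protection provider the way one app's ConfigureServices would.
    static IDataProtectionProvider BuildApp(string appName, DirectoryInfo keys, bool primary)
    {
        var services = new ServiceCollection();
        var builder = services.AddDataProtection()
            .SetApplicationName(appName)
            .PersistKeysToFileSystem(keys);
        if (!primary)
            builder.DisableAutomaticKeyGeneration(); // subordinate: never creates or rotates keys
        return services.BuildServiceProvider().GetRequiredService<IDataProtectionProvider>();
    }

    static void Main()
    {
        // Constructed stand-in for the shared store (\\server\share\directory\ in the answer).
        var keys = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "shared-keys-demo"));
        const string purpose = "demo-token"; // hypothetical purpose string

        var app1 = BuildApp("shared app name", keys, primary: true);
        var app2 = BuildApp("shared app name", keys, primary: false);
        var app3 = BuildApp("another app name", keys, primary: false);

        // App 1 issues a protected payload; this also creates the first key in the ring.
        string token = app1.CreateProtector(purpose).Protect("user-42:confirm-email");

        // Same key ring and same application name: app 2 can read it.
        Console.WriteLine("app2: " + app2.CreateProtector(purpose).Unprotect(token));

        // Same key ring but a different application name: the payload is rejected.
        try { app3.CreateProtector(purpose).Unprotect(token); }
        catch (CryptographicException) { Console.WriteLine("app3: rejected"); }
    }
}
```

Keys written by PersistKeysToFileSystem are not encrypted at rest unless one of the ProtectKeysWith* options is also configured, so access to the shared directory should be limited to the accounts the apps run under.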
