Miguel Moura

Reputation: 39404

Create shorter tokens with small lifespan in ASP.NET Core Identity

Using ASP.NET Core 3.1, I am creating a user's email confirmation token to send by email:

String token = await _userManager.GenerateEmailConfirmationTokenAsync(user);

And I get the following:

CfDJ8IjJLi0iO61KsS5NTyS4wJkSvCyzEDUBaVlXCkbxz6zwI1LocG8+WPubx5Rvoi4tFuiWAVFut4gfTnhgsdihE0gY+o7JyJrNtfXmzGLnczwbKZ3Wwy15+IUEi1h2qId72IRKvFqBSFv7rJdECSR/thZphpTQm7EnOuAA7loHlQFRWuMUVBce8HUsv1odbLNsKQ==

How can I create shorter tokens with a small lifespan instead of huge tokens?

Upvotes: 3

Views: 2480

Answers (2)

timur

Reputation: 14577

If I understand the problem, you're looking at swapping out a TokenProvider, which can be done either at the service container configuration stage

TokenProvider.cs

using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

public class TokenProvider : IUserTwoFactorTokenProvider<IdentityUser>
{
    public Task<string> GenerateAsync(string purpose, UserManager<IdentityUser> manager, IdentityUser user)
    {
        // generate your token here
        throw new NotImplementedException();
    }

    public Task<bool> ValidateAsync(string purpose, string token, UserManager<IdentityUser> manager, IdentityUser user)
    {
        // validate your token here
        throw new NotImplementedException();
    }

    public Task<bool> CanGenerateTwoFactorTokenAsync(UserManager<IdentityUser> manager, IdentityUser user)
    {
        // check if user has email and it's been confirmed. or do your own logic
        throw new NotImplementedException();
    }
}

Inject it into your container at build time:

services.AddIdentityCore<IdentityUser>(o =>
{
    o.Tokens.EmailConfirmationTokenProvider = "MyTokenProvider";
}).AddEntityFrameworkStores<IdentityDbContext>()
.AddTokenProvider<TokenProvider>("MyTokenProvider");

or at run time:

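// Register under the provider name that GenerateEmailConfirmationTokenAsync looks up.
_userManager.RegisterTokenProvider(_userManager.Options.Tokens.EmailConfirmationTokenProvider, new TokenProvider());
String token = await _userManager.GenerateEmailConfirmationTokenAsync(user);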

There are a few token providers available to you by default (Email, PhoneNumber and Authenticator being some), which you can explore and build upon. As far as I can see from the source, EmailTokenProvider defers actual code generation to TotpSecurityStampBasedTokenProvider, which you can explore to see if your lifetime requirement can be changed by playing with the TOTP algorithm it implements.

Upvotes: 4
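
One way to fill in the TokenProvider skeleton from the answer above, as an added example that is not part of either answer or of ASP.NET Core itself. The class name ShortCodeTokenProvider, the "ShortCode" store label, the 8-digit length and the 15-minute lifespan are assumptions, and the user store must implement IUserAuthenticationTokenStore (the Entity Framework stores do).

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

// Hypothetical provider: 8-digit code, valid for 15 minutes, usable once.
public class ShortCodeTokenProvider : IUserTwoFactorTokenProvider<IdentityUser>
{
    private const string Store = "ShortCode"; // assumed loginProvider label in the user-tokens table
    private static readonly TimeSpan Lifespan = TimeSpan.FromMinutes(15); // assumed lifespan

    public async Task<string> GenerateAsync(string purpose, UserManager<IdentityUser> manager, IdentityUser user)
    {
        // Use the CSPRNG, not System.Random: the code is a bearer secret.
        string code = RandomNumberGenerator.GetInt32(0, 100_000_000).ToString("D8");
        long expires = DateTimeOffset.UtcNow.Add(Lifespan).ToUnixTimeSeconds();
        // Persist expiry and a hash of the code; a new code replaces any earlier one for this purpose.
        await manager.SetAuthenticationTokenAsync(user, Store, purpose, $"{expires}:{Hash(code, purpose, user)}");
        return code;
    }

    public async Task<bool> ValidateAsync(string purpose, string token, UserManager<IdentityUser> manager, IdentityUser user)
    {
        string stored = await manager.GetAuthenticationTokenAsync(user, Store, purpose);
        string[] parts = stored?.Split(':');
        if (parts == null || parts.Length != 2 || !long.TryParse(parts[0], out long expires)) return false;
        if (DateTimeOffset.UtcNow.ToUnixTimeSeconds() > expires)
        {
            await manager.RemoveAuthenticationTokenAsync(user, Store, purpose); // expired: clean up
            return false;
        }
        // Compare the hashes in constant time.
        bool ok = CryptographicOperations.FixedTimeEquals(
            Encoding.ASCII.GetBytes(parts[1]), Encoding.ASCII.GetBytes(Hash(token ?? "", purpose, user)));
        if (ok) await manager.RemoveAuthenticationTokenAsync(user, Store, purpose); // single use
        return ok;
    }

    public Task<bool> CanGenerateTwoFactorTokenAsync(UserManager<IdentityUser> manager, IdentityUser user)
        => Task.FromResult(false); // do not offer this provider as a 2FA method

    private static string Hash(string code, string purpose, IdentityUser user)
    {
        using var sha = SHA256.Create(); // binds the code to this user and purpose
        return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes($"{user.Id}|{purpose}|{code}")));
    }
}
```

Register it with AddTokenProvider<ShortCodeTokenProvider>("MyTokenProvider") as in the answer above. An 8-digit code is short enough to guess online, so the endpoint that calls ConfirmEmailAsync should limit failed attempts per user.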

Chris Pratt

Reputation: 239300

Lifespan doesn't factor in here either way. However, I think what you're actually talking about is a TOTP (timed one-time use password) - like the ones you get via SMS or an authenticator app. ASP.NET Core actually has TOTP providers built-in; they're just not used for things like email confirmation, password reset, etc. by default. However, that's easily changed:

services.Configure<IdentityOptions>(o =>
{
    o.Tokens.EmailConfirmationTokenProvider = TokenOptions.DefaultEmailProvider;
});

Oddly enough, despite being called DefaultEmailProvider, that provider is not actually used by default for things like email confirmations. It's actually referring to being the default TOTP provider for 2FA codes delivered via email. Nevertheless, you can set it as the provider for email confirmation, as well.

Upvotes: 1
