19

Is there a way to revoke, for example, an email confirmation token generated by a UserManager in ASP.NET Identity 2.0?

Context
I would like to give the user the possibility to resend a confirmation email. To do this I generate a new token with UserManager.GenerateEmailConfirmationTokenAsync(user.Id) and send an email with the newly generated token. Unfortunately, when I do this the previously generated tokens still work. Is there a way to revoke them?

Example code
In the UserManager class:

manager.UserTokenProvider = new DataProtectorTokenProvider<ApplicationUser>(options.DataProtectionProvider.Create("ASP.NET Identity"));

In the AccountController:

var user = await UserManager.FindByEmailAsync("email");

// All generated tokens below will work to confirm the email. 
// I only want the last token to be valid when confirming the email address.
var token1 = await UserManager.GenerateEmailConfirmationTokenAsync(user.Id);
var token2 = await UserManager.GenerateEmailConfirmationTokenAsync(user.Id);
var token3 = await UserManager.GenerateEmailConfirmationTokenAsync(user.Id);
var token4 = await UserManager.GenerateEmailConfirmationTokenAsync(user.Id);
var token5 = await UserManager.GenerateEmailConfirmationTokenAsync(user.Id);

var result = await UserManager.ConfirmEmailAsync(user.Id, token5);

Information about the storage location of the generated token and about how these tokens are generated is also welcome!

I will be grateful if you can send me this information.

Jimmy van den Berg

1 Answer

31

The default UserTokenProvider generates tokens based on the user's SecurityStamp, so until that changes (like when the user's password changes), the tokens will always be the same and remain valid. So if you want to simply invalidate old tokens, just call

// UpdateSecurityStampAsync takes the user's id; rotating the stamp invalidates every token issued before the call.
await manager.UpdateSecurityStampAsync(user.Id);
rae1
Hao Kung
  • Thanks @HaoKung, this works indeed. For people who need more information about the working of SecurityStamp, check **[this answer](http://stackoverflow.com/questions/19487322/what-is-asp-net-identitys-iusersecuritystampstoretuser-interface/19505060#19505060)**, also from Hao Kung. – Jimmy van den Berg Apr 03 '14 at 07:35
  • @HaoKung I have created multiple tokens, and found that they are all different, and confirmed that the SecurityStamp never changed. I am confused. How does it generate different tokens from a SecurityStamp that isn't changing, and how do all those different tokens work? – Matthew May 21 '14 at 19:47
  • There is more than just the stamp in the token: it's self-signed and contains the expiry time, so it will not generate the same token if you call it more than once. You can write your own token provider if you want it to be stable against the security stamp only. – Hao Kung May 22 '14 at 22:35
  • The useful piece of info for me was the one about the Security Stamp. The one account I was testing against was the only one without a security stamp, go figure. Thanks Hao Kung – Mark OB Dec 11 '14 at 16:20
  • @HaoKung for me it looks like `GeneratePasswordResetTokenAsync` generates different tokens every time, and our legacy DB does not have a `SecurityStamp` column, so I was wondering how it still generates them and couldn't find an answer anywhere until I actually went to see the Identity source code. It seems like the token includes the date, userId and purpose, and then checks whether the Store implements the `IUserSecurityStampStore` interface; if it doesn't, it just doesn't use it. So all in all, I can't see how the token can always be the same if it includes the actual date. – dima Jun 24 '15 at 19:28
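The fix the answer describes, rotating the security stamp before issuing the replacement token, written out as a "resend confirmation email" action. This is an added example, not code from the question, the answer or ASP.NET Identity itself. It assumes the stock ASP.NET Identity 2.0 / MVC 5 project template: the `ApplicationUserManager` class registered in the OWIN context, an `EmailService` wired up so that `UserManager.SendEmailAsync` delivers mail, and the template's `ConfirmEmail` action. The action name `ResendConfirmationEmail` and the view name `ConfirmationEmailSent` are assumptions.

```csharp
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

// Added example; ApplicationUserManager and the ConfirmEmail action come from
// the MVC 5 / Identity 2.0 template, the action and view names are assumptions.
public class AccountController : Controller
{
    // Same resolution the template uses: the per-request user manager from OWIN.
    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> ResendConfirmationEmail(string email)
    {
        var user = await UserManager.FindByEmailAsync(email);

        // Answer identically whether or not the address is registered, so the
        // form does not reveal which emails exist or are already confirmed.
        if (user == null || user.EmailConfirmed)
        {
            return View("ConfirmationEmailSent");
        }

        // Rotate the security stamp first. DataProtectorTokenProvider embeds the
        // stamp in every token it issues, so tokens generated before this call no
        // longer pass validation in ConfirmEmailAsync. Note that this also
        // invalidates other outstanding stamp-based tokens for the same user,
        // such as a pending password reset token.
        var stampResult = await UserManager.UpdateSecurityStampAsync(user.Id);
        if (!stampResult.Succeeded)
        {
            foreach (var error in stampResult.Errors)
            {
                ModelState.AddModelError("", error);
            }
            return View("Error");
        }

        // Only a token generated after the rotation carries the new stamp.
        var token = await UserManager.GenerateEmailConfirmationTokenAsync(user.Id);
        var callbackUrl = Url.Action("ConfirmEmail", "Account",
            new { userId = user.Id, code = token }, protocol: Request.Url.Scheme);

        await UserManager.SendEmailAsync(user.Id, "Confirm your account",
            "Please confirm your account by clicking <a href=\"" + callbackUrl + "\">here</a>");

        return View("ConfirmationEmailSent");
    }
}
```

Two caveats worth keeping in mind when relying on this. First, as the last comment above notes, DataProtectorTokenProvider only folds the stamp into the token when the user store implements `IUserSecurityStampStore`; with a store that does not, there is no stamp to rotate and earlier tokens stay valid until they expire (the provider's `TokenLifespan`, one day by default). Second, because the stamp is shared by every token purpose, a resend endpoint that rotates it will also cut off any password reset link the user was sent in the meantime, which is usually acceptable but should be a deliberate choice.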