3

I've always stored the password hash and salt for most of my authentication sub-systems, but I notice the default IdentityUser class only has a hash and a Security stamp field, but no salt value.

Has storing the salt value fallen by the wayside, and does SecurityStamp add any safety in this regard, or should we extend the user and add a HashSalt field?

ProfK

1 Answer

5

Identity stores the password hash and salt in the same field in the database. Here is a good explanation of how it works: https://stackoverflow.com/a/20622428/809357

As for Security Stamp - it has nothing to do with the password or a hash. It only indicates whether information about the user has been changed in the database, and is compared to the values in auth-cookies. Security Stamp is put into the auth-cookie as a claim. The password hash is never present on the cookie.

trailmax
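
The single-field storage the answer describes, as an added Python example that is not part of the original answer or of ASP.NET Identity's own code. It assumes the ASP.NET Identity 2.x layout (a 0x00 format byte, a 16-byte salt, then a 32-byte PBKDF2-HMAC-SHA1 subkey at 1000 iterations, all base64-encoded); ASP.NET Core Identity uses a different, versioned layout. The function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os

# Assumed layout (ASP.NET Identity 2.x): 0x00 | salt[16] | subkey[32], base64-encoded
SALT_LEN, SUBKEY_LEN, ITERATIONS = 16, 32, 1000


def _derive(password, salt):
    """PBKDF2-HMAC-SHA1 subkey for the given password and salt."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               ITERATIONS, SUBKEY_LEN)


def hash_password(password, salt=None):
    """Build the single stored field; a fresh random salt is used per password."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 16 bytes")
    return base64.b64encode(b"\x00" + salt + _derive(password, salt)).decode("ascii")


def split_field(stored):
    """Recover (salt, subkey) from the stored field, rejecting other layouts."""
    try:
        raw = base64.b64decode(stored, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("not valid base64") from exc
    if len(raw) != 1 + SALT_LEN + SUBKEY_LEN or raw[0] != 0x00:
        raise ValueError("not the assumed 0x00|salt|subkey layout")
    return raw[1:1 + SALT_LEN], raw[1 + SALT_LEN:]


def verify_password(stored, candidate):
    """Re-derive the subkey with the embedded salt; compare in constant time."""
    try:
        salt, expected = split_field(stored)
    except ValueError:
        return False  # malformed or unknown format never verifies
    return hmac.compare_digest(_derive(candidate, salt), expected)


if __name__ == "__main__":
    field = hash_password("constructed-sample-password")  # constructed sample value
    salt, subkey = split_field(field)
    print(field)
    print("salt:", salt.hex(), "subkey bytes:", len(subkey))
    print(verify_password(field, "constructed-sample-password"))
```

Because the salt travels inside the field, no separate HashSalt column is needed to verify a password.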