0

I'm having a hard time trying to understand the correct way to configure IUserTokenProvider for my UserManager in my identity server. My goal with this is to be able to reset a user's password. First, I understand that I need to configure a provider such as: 

var provider = new DpapiDataProtectionProvider("MyAppName");

but I'm not sure where I should put this code. Would it be on my UserManager constructor?

This is how my constructor looks like right now, but it doesn't seems to be right, otherwise, how would I change the purpose for the validation and creation? 

public UserManager(UserStore store)
            : base(store)
        {

            var provider = new DpapiDataProtectionProvider("MyAppName");
            UserTokenProvider = new DataProtectorTokenProvider<User>(provider.Create("EmailConfirmation"));
        }

And one last question, does this provider automatically handle situations where a token was successfully used before in order to protect against further malicious requests?

PS: I'm using EntityFramework behind it.

Bruno Casarotti
  • 623
  • 8
  • 23

1 Answers1

0

You could do something like this if it's a public property (this is how a lot of Identity examples handle it).

        var provider = new DpapiDataProtectionProvider("MyAppName");
        var userManager = new UserManager(userStore)
        {
            UserTokenProvider = new DataProtectorTokenProvider<User>(provider.Create("EmailConfirmation"))
        };

And as for the last question, if you're using the EntityFramework (or any implementation that supports SecurityStamps for that matter), yes you are protected. What is ASP.NET Identity's IUserSecurityStampStore<TUser> interface? is a good starting reference for understanding SecurityStamps.

user3508122
  • 664
  • 3
  • 10