
I'm currently learning the authentication mechanisms used in ASP.NET Core 2.0. I'm trying to find out what method is used for generating the email confirmation token, but I cannot find the information either in the documentation or by browsing the source code.

So far, I found out that DataProtectorTokenProvider is the class responsible for generating the token. This is the exact method which is used to create the token:

```csharp
public virtual async Task<string> GenerateAsync(string purpose, UserManager<TUser> manager, TUser user)
{
    if (user == null)
    {
        throw new ArgumentNullException(nameof(user));
    }
    var ms = new MemoryStream();
    var userId = await manager.GetUserIdAsync(user);
    using (var writer = ms.CreateWriter())
    {
        // ... Here the token generation is performed
    }
    var protectedBytes = Protector.Protect(ms.ToArray());
    return Convert.ToBase64String(protectedBytes);
}
```

The part I don't get is what the default `IDataProtectionProvider` implementation used in `Protector.Protect(ms.ToArray())` is, and where it is registered. So my questions are:

  1. What is the default class used for protecting the email confirmation token?
  2. Where is it registered?
  3. Can it be substituted with a custom implementation when needed? If yes, how can this be achieved?

Thanks!

PJDev
  • I think this is somewhat related, as it goes over some DataProtectionProviders and options for overriding, but doesn't mention email tokens specifically: https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?tabs=aspnetcore1x Probably default: https://learn.microsoft.com/en-us/aspnet/core/api/microsoft.aspnetcore.dataprotection.dataprotectionprovider – AaronLS Aug 22 '17 at 19:35
  • It looks like `IDataProtectionProvider` registration is here: https://github.com/aspnet/DataProtection/blob/dev/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs#L92. – Kirk Larkin Aug 22 '17 at 19:44
  • Thanks Kirk Larkin! It indeed seems to be the default registration. I've just come up with an idea that, in order to verify this, I can simply inject the `IDataProtectionProvider` interface into any of the controllers. And it also displayed `KeyRingBasedDataProtectionProvider` as the implementation. To answer my third question, I think that a custom implementation can be injected in the same way as the default - by adding a singleton in the `Startup` class, which I'm going to verify in a while. If you create an answer, I will mark it as the correct one. – PJDev Aug 22 '17 at 19:57

1 Answer


In order to answer your specific 3 questions:

  1. KeyRingBasedDataProtectionProvider (source), which creates instances of KeyRingBasedDataProtector (source).
  2. The line that registers the default IDataProtectionProvider is here.
  3. Try the approach offered in the answers over here: Replace service registration in ASP.NET Core built-in DI container?.
Kirk Larkin
  • Thanks for your help. Just to confirm point 3, I did the following: 1) Create a custom implementation of `IDataProtector` which simply returned the token as plain text. 2) Create a custom implementation of `IDataProtectionProvider` which was used to return the custom protector. 3) Add the line: `services.AddSingleton(new CustomDPProvider());` in the `Startup` class. This approach worked and the generated value was just base64 of the token in plain text. – PJDev Aug 22 '17 at 21:21
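
The following console program is an added example, not code from the posts above or from ASP.NET Core itself. It resolves the default provider through `AddDataProtection()` and compares it with a pass-through protector like the one described in the last comment, checking whether each rejects a protected payload whose bytes were altered. `PassThroughProtector`, the purpose string and the payload are hypothetical names and constructed values.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical stand-in for the pass-through protector described in the last comment.
// IDataProtector extends IDataProtectionProvider, so one class can play both roles.
sealed class PassThroughProtector : IDataProtector
{
    public IDataProtector CreateProtector(string purpose) => this;
    public byte[] Protect(byte[] plaintext) => (byte[])plaintext.Clone();
    public byte[] Unprotect(byte[] protectedData) => (byte[])protectedData.Clone();
}

static class Program
{
    // Protects a constructed payload, flips one bit of the result, and reports
    // whether Unprotect still accepts the modified bytes.
    static bool AcceptsModifiedPayload(IDataProtectionProvider provider)
    {
        IDataProtector protector = provider.CreateProtector("Example.EmailConfirmation"); // constructed purpose
        byte[] payload = Encoding.UTF8.GetBytes("user-42|EmailConfirmation");           // constructed payload
        byte[] token = protector.Protect(payload);
        token[token.Length - 1] ^= 0x01;
        try
        {
            protector.Unprotect(token);
            return true;   // no integrity check: the altered bytes were accepted
        }
        catch (CryptographicException)
        {
            return false;  // the protector detected the alteration
        }
    }

    static void Main()
    {
        // Same registration path as the default provider discussed in the answer.
        var services = new ServiceCollection();
        services.AddDataProtection();
        var defaultProvider = services.BuildServiceProvider()
                                      .GetRequiredService<IDataProtectionProvider>();

        Console.WriteLine(defaultProvider.GetType().Name);
        Console.WriteLine("default accepts modified token: " + AcceptsModifiedPayload(defaultProvider));
        Console.WriteLine("pass-through accepts modified token: " + AcceptsModifiedPayload(new PassThroughProtector()));
    }
}
```

It needs the Microsoft.AspNetCore.DataProtection package. The default key-ring-based protector authenticates its output, so it throws `CryptographicException` on the altered bytes, while the pass-through accepts them unchanged.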