
I have an ASP.NET Core 3.1 MVC project with IdentityServer4.AspNetIdentity 3.1.2. When a user is created, an email with a link that includes an email confirmation token is sent to the user's email address by a worker service. (Note: the token is created in the ASP.NET Core MVC project; only the email sending is handled by the worker service.)

A custom email confirmation token provider is used to generate the token with a TokenLifeSpan of 1 day, and the other default DataProtectionTokenProviders' TokenLifeSpans are set to 2 hours. When the ASP.NET Core MVC application is hosted in IIS, the token expires before the specified token lifespan (it expires before 1 hour). But when the Project option is selected in the Launch section in Visual Studio (launches with Kestrel), the token lifespan works properly.

The code used for registering the custom token providers and lifespans is shown below.

    {
        options.Password.RequiredLength = 8;
        options.Password.RequireNonAlphanumeric = false;
        options.Password.RequireLowercase = false;
        options.Password.RequireUppercase = false;
        options.Password.RequireDigit = false;
        options.Tokens.EmailConfirmationTokenProvider = "CustomEmailConfirmation";
        options.Lockout.MaxFailedAccessAttempts = config.GetValue<int>("IdentityServerConfigurations:MaxFailedAccessAttempts");
    })
    .AddEntityFrameworkStores<UserDbContext>()
    .AddDefaultTokenProviders()
    .AddTokenProvider<CustomEmailConfirmationTokenProvider<ApplicationUser>>("CustomEmailConfirmation");

    services.Configure<DataProtectionTokenProviderOptions>(opt =>
        opt.TokenLifespan = TimeSpan.FromHours(2));

    services.Configure<CustomEmailConfirmationTokenProviderOptions>(opt =>
        opt.TokenLifespan = TimeSpan.FromDays(1));

Please help me with this issue.

  • Are you running HTTPS in IIS as well? – Tore Nestenius May 23 '21 at 14:57
  • Yes I do use HTTPS – Miluka De Silva May 23 '21 at 15:48
  • Another problem with IIS is that it might be sensitive to too-large headers/cookies – Tore Nestenius May 24 '21 at 07:07
  • @ToreNestenius can you please provide more information on how large headers/cookies would affect this. – Miluka De Silva May 25 '21 at 14:17
  • Because IIS might be configured to reject too-large requests, and in ASP.NET Core the cookies can be quite large when you also store the tokens inside them, so it's a potential error source ... see https://stackoverflow.com/questions/1097651/is-there-a-practical-http-header-length-limit – Tore Nestenius May 25 '21 at 14:48
  • @ToreNestenius thanks for your reply. But in my scenario, I use query string parameters and the URL is less than 2048 characters. There are no limits set for request filtering and cookies; I am using the default values of IIS. An example of the URL is ```https://localhost/IdentityServer/Account/ResetPassword?token=Q2ZESjhQMitzU2RsQlNCSm5XTVNtRVFIOUg2aDRGWFlOdG4rZjY5RjU4a2hRc&email=abc@gmail.com&returnUrl=http%3A%2F%2Flocalhost%3A4200%2Fdashboard%2Fdashboard-landing&InitialPasswordSet=True``` – Miluka De Silva May 27 '21 at 06:04
  • There is no redeployment of the IIS service when it fails? – Tore Nestenius May 27 '21 at 06:40

0 Answers