Asp.NET Identity 2 giving "Invalid Token" error

Asked 20/8, 2014 at 12:55 Answered 8/8, 2023 at 10:21

Solved c#asp.net asp.net-mvc-5 asp.net-identity-2

I'm using Asp.Net-Identity-2 and I'm trying to verify email verification code using the below method. But I am getting an "Invalid Token" error message.

My Application's User Manager is like this:

public class AppUserManager : UserManager<AppUser>
{
    public AppUserManager(IUserStore<AppUser> store) : base(store) { }

    public static AppUserManager Create(IdentityFactoryOptions<AppUserManager> options, IOwinContext context)
    {
        AppIdentityDbContext db = context.Get<AppIdentityDbContext>();
        AppUserManager manager = new AppUserManager(new UserStore<AppUser>(db));

        manager.PasswordValidator = new PasswordValidator { 
            RequiredLength = 6,
            RequireNonLetterOrDigit = false,
            RequireDigit = false,
            RequireLowercase = true,
            RequireUppercase = true
        };

        manager.UserValidator = new UserValidator<AppUser>(manager)
        {
            AllowOnlyAlphanumericUserNames = true,
            RequireUniqueEmail = true
        };

        var dataProtectionProvider = options.DataProtectionProvider;

        //token life span is 3 hours
        if (dataProtectionProvider != null)
        {
            manager.UserTokenProvider =
               new DataProtectorTokenProvider<AppUser>
                  (dataProtectionProvider.Create("ConfirmationToken"))
               {
                   TokenLifespan = TimeSpan.FromHours(3)
               };
        }

        manager.EmailService = new EmailService();

        return manager;
    } //Create
  } //class
} //namespace

My Action to generate the token is (and even if I check the token here, I get "Invalid token" message):

[AllowAnonymous]
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult ForgotPassword(string email)
{
    if (ModelState.IsValid)
    {
        AppUser user = UserManager.FindByEmail(email);
        if (user == null || !(UserManager.IsEmailConfirmed(user.Id)))
        {
            // Returning without warning anything wrong...
            return View("../Home/Index");

        } //if

        string code = UserManager.GeneratePasswordResetToken(user.Id);
        string callbackUrl = Url.Action("ResetPassword", "Admin", new { Id = user.Id, code = HttpUtility.UrlEncode(code) }, protocol: Request.Url.Scheme);

        UserManager.SendEmail(user.Id, "Reset password Link", "Use the following  link to reset your password: <a href=\"" + callbackUrl + "\">link</a>");

        //This 2 lines I use tho debugger propose. The result is: "Invalid token" (???)
        IdentityResult result;
        result = UserManager.ConfirmEmail(user.Id, code);
    }

    // If we got this far, something failed, redisplay form
    return View();

} //ForgotPassword

My Action to check the token is (here, I always get "Invalid Token" when I check the result):

[AllowAnonymous]
public async Task<ActionResult> ResetPassword(string id, string code)
{

    if (id == null || code == null)
    {
        return View("Error", new string[] { "Invalid params to reset password." });
    }

    IdentityResult result;

    try
    {
        result = await UserManager.ConfirmEmailAsync(id, code);
    }
    catch (InvalidOperationException ioe)
    {
        // ConfirmEmailAsync throws when the id is not found.
        return View("Error", new string[] { "Error to reset password:<br/><br/><li>" + ioe.Message + "</li>" });
    }

    if (result.Succeeded)
    {
        AppUser objUser = await UserManager.FindByIdAsync(id);
        ResetPasswordModel model = new ResetPasswordModel();

        model.Id = objUser.Id;
        model.Name = objUser.UserName;
        model.Email = objUser.Email;

        return View(model);
    }

    // If we got this far, something failed.
    string strErrorMsg = "";
    foreach(string strError in result.Errors)
    {
        strErrorMsg += "<li>" + strError + "</li>";
    } //foreach

    return View("Error", new string[] { strErrorMsg });

} //ForgotPasswordConfirmation

I don't know what could be missing or what's wrong...

Drawer answered 20/8, 2014 at 12:55 Comment(0)

Because you are generating token for password reset here:

string code = UserManager.GeneratePasswordResetToken(user.Id);

But actually trying to validate token for email:

result = await UserManager.ConfirmEmailAsync(id, code);

These are 2 different tokens.

In your question you say that you are trying to verify email, but your code is for password reset. Which one are you doing?

If you need email confirmation, then generate token via

var emailConfirmationCode = await UserManager.GenerateEmailConfirmationTokenAsync(user.Id);

and confirm it via

var confirmResult = await UserManager.ConfirmEmailAsync(userId, code);

If you need password reset, generate token like this:

var code = await UserManager.GeneratePasswordResetTokenAsync(user.Id);

and confirm it like this:

var resetResult = await userManager.ResetPasswordAsync(user.Id, code, newPassword);

Brassbound answered 20/8, 2014 at 13:28 Comment(2)

How to make ConfirmEmailAsync return failed instead of success, if that token is already being used once. Like user tries to revisits the link from his/her email address? – Electrolytic 17/12, 2019 at 15:19

@Electrolytic to make token invalid, you need to change SecurityStamp field. This will invalidate all the previously valid tokens, including those that have been used in the past. – Brassbound 17/12, 2019 at 22:49

109

I encountered this problem and resolved it. There are several possible reasons.

1. URL-Encoding issues (if problem occurring "randomly")

If this happens randomly, you might be running into url-encoding problems. For unknown reasons, the token is not designed for url-safe, which means it might contain invalid characters when being passed through a url (for example, if sent via an e-mail).

In this case, HttpUtility.UrlEncode(token) and HttpUtility.UrlDecode(token) should be used.

As oão Pereira said in his comments, UrlDecode is not (or sometimes not?) required. Try both please. Thanks.

2. Non-matching methods (email vs password tokens)

For example:

    var code = await userManager.GenerateEmailConfirmationTokenAsync(user.Id);

and

    var result = await userManager.ResetPasswordAsync(user.Id, code, newPassword);

The token generated by the email-token-provide cannot be confirmed by the reset-password-token-provider.

But we will see the root cause of why this happens.

3. Different instances of token providers

Even if you are using:

var token = await _userManager.GeneratePasswordResetTokenAsync(user.Id);

along with

var result = await _userManager.ResetPasswordAsync(user.Id, HttpUtility.UrlDecode(token), newPassword);

the error still could happen.

My old code shows why:

public class AccountController : Controller
{
    private readonly UserManager _userManager = UserManager.CreateUserManager(); 

    [AllowAnonymous]
    [HttpPost]
    public async Task<ActionResult> ForgotPassword(FormCollection collection)
    {
        var token = await _userManager.GeneratePasswordResetTokenAsync(user.Id);
        var callbackUrl = Url.Action("ResetPassword", "Account", new { area = "", UserId = user.Id, token = HttpUtility.UrlEncode(token) }, Request.Url.Scheme);

        Mail.Send(...);
    }

and:

public class UserManager : UserManager<IdentityUser>
{
    private static readonly UserStore<IdentityUser> UserStore = new UserStore<IdentityUser>();
    private static readonly UserManager Instance = new UserManager();

    private UserManager()
        : base(UserStore)
    {
    }

    public static UserManager CreateUserManager()
    {
        var dataProtectionProvider = new DpapiDataProtectionProvider();
        Instance.UserTokenProvider = new DataProtectorTokenProvider<IdentityUser>(dataProtectionProvider.Create());

        return Instance;
    }

Pay attention that in this code, every time when a UserManager is created (or new-ed), a new dataProtectionProvider is generated as well. So when a user receives the email and clicks the link:

public class AccountController : Controller
{
    private readonly UserManager _userManager = UserManager.CreateUserManager();
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> ResetPassword(string userId, string token, FormCollection collection)
    {
        var result = await _userManager.ResetPasswordAsync(user.Id, HttpUtility.UrlDecode(token), newPassword);
        if (result != IdentityResult.Success)
            return Content(result.Errors.Aggregate("", (current, error) => current + error + "\r\n"));
        return RedirectToAction("Login");
    }

The AccountController is no longer the old one, and neither are the _userManager and its token provider. So the new token provider will fail because it has no that token in it's memory.

Thus we need to use a single instance for the token provider. Here is my new code and it works fine:

public class UserManager : UserManager<IdentityUser>
{
    private static readonly UserStore<IdentityUser> UserStore = new UserStore<IdentityUser>();
    private static readonly UserManager Instance = new UserManager();

    private UserManager()
        : base(UserStore)
    {
    }

    public static UserManager CreateUserManager()
    {
        //...
        Instance.UserTokenProvider = TokenProvider.Provider;

        return Instance;
    }

and:

public static class TokenProvider
{
    [UsedImplicitly] private static DataProtectorTokenProvider<IdentityUser> _tokenProvider;

    public static DataProtectorTokenProvider<IdentityUser> Provider
    {
        get
        {

            if (_tokenProvider != null)
                return _tokenProvider;
            var dataProtectionProvider = new DpapiDataProtectionProvider();
            _tokenProvider = new DataProtectorTokenProvider<IdentityUser>(dataProtectionProvider.Create());
            return _tokenProvider;
        }
    }
}

It could not be called an elegant solution, but it hit the root and solved my problem.

Halstead answered 11/3, 2015 at 10:17 Comment(5)

Just one note to this awesome answer! :) The token MUST be UrlEncoded, but it shouldn't be UrlDecoded, at least in MVC when received as a method parameter, since it is automatically decoded. If we decode it again, we invalidate the token since the + character gets replaced with a white space. – Throat 19/6, 2016 at 22:32

this solved not my problem bc i need to use the tokens across projects, instances and computers. i implemented a custom AES encryption for this, see my answer for details: https://mcmap.net/q/128275/-asp-net-identity-2-giving-quot-invalid-token-quot-error – Volatilize 29/5, 2019 at 8:20

Solved the issue in an Asp Net Core 3.1 application using the solution #3 – Matrilocal 22/4, 2020 at 23:42

I hit this answer again. The last time I solved it using a single instance of the UserManager registering the service that consumes the UserManager as singleton. In this other projcet instead if I do the same it throws an exception saying I can't register that service as singleton because UserManager requires a Transient scope. Your solution above doesn't compile (lot of issues I can report). So what might be a valid fix for this? The problem is clearly the #3 (different instances of token providers) – Matrilocal 15/7, 2020 at 8:20

I fixed it again. The issue was caused by the lack of SecurityStamp column in the User table. I had removed it but without that column it doesn't work – Matrilocal 15/7, 2020 at 9:6

Because you are generating token for password reset here:

string code = UserManager.GeneratePasswordResetToken(user.Id);

But actually trying to validate token for email:

result = await UserManager.ConfirmEmailAsync(id, code);

These are 2 different tokens.

In your question you say that you are trying to verify email, but your code is for password reset. Which one are you doing?

If you need email confirmation, then generate token via

var emailConfirmationCode = await UserManager.GenerateEmailConfirmationTokenAsync(user.Id);

and confirm it via

var confirmResult = await UserManager.ConfirmEmailAsync(userId, code);

If you need password reset, generate token like this:

var code = await UserManager.GeneratePasswordResetTokenAsync(user.Id);

and confirm it like this:

var resetResult = await userManager.ResetPasswordAsync(user.Id, code, newPassword);

Brassbound answered 20/8, 2014 at 13:28 Comment(2)

I was getting the "Invalid Token" error even with code like this:

var emailCode = UserManager.GenerateEmailConfirmationToken(id);
var result = UserManager.ConfirmEmail(id, emailCode);

In my case the problem turned out to be that I was creating the user manually and adding him to the database without using the UserManager.Create(...) method. The user existed in the database but without a security stamp.

It's interesting that the GenerateEmailConfirmationToken returned a token without complaining about the lack of security stamp, but that token could never be validated.

Gallinule answered 28/4, 2015 at 17:45 Comment(4)

In my case the users had been migrated from an old database so had null Security Stamps, I ran this to fix it: UPDATE AspNetUsers SET SecurityStamp = NewID() – Pazia 4/7, 2016 at 21:36

I suggest using UPDATE AspNetUsers SET SecurityStamp = NewID() WHERE SecurityStamp is null . In my case, SecurityStamp of some users are fine, I prefer to don't mess with them. – Enplane 1/10, 2017 at 16:7

One thing to keep in mind is that Identity, left to its own devices, generates guids in lowercase, whereas NewID() returns an uppercase guid (at least in SSMS). Consider using LOWER(NewID()) – Burtburta 1/11, 2019 at 15:1

For me it was actually on checking the token. I pulled user by my repo instead of UserManager, so called with my repo user the ResetPasswordAsync. Same issue basically – Inclinometer 9/11, 2019 at 16:59

Other than that, I've seen the code itself fail if it's not encoded.

I've recently started encoding mine in the following fashion:

string code = manager.GeneratePasswordResetToken(user.Id);
code = HttpUtility.UrlEncode(code);

And then when I'm ready to read it back:

string code = IdentityHelper.GetCodeFromRequest(Request);
code = HttpUtility.UrlDecode(code);

To be quite honest, I'm surprised that it isn't being properly encoded in the first place.

Shiest answered 30/12, 2014 at 23:26 Comment(2)

It only needs to be encoded when it is used as a query string value for a reset link. It's possible to use it without encoding if you are providing a password reset form inside of an application where the code gets passed as a hidden value or something similar. – Kaceykachina 17/7, 2015 at 22:18

Hey Sr. Thanks by your light! I did it in the following way in ASP.NET Core 5.0: Encoding.UTF8.GetString(Convert.FromBase64String(code)); – Norenenorfleet 11/3, 2021 at 20:1

In my case, our AngularJS app converted all plus signs (+) to empty spaces (" ") so the token was indeed invalid when it was passed back.

To resolve the issue, in our ResetPassword method in the AccountController, I simply added a replace prior to updating the password:

code = code.Replace(" ", "+");
IdentityResult result = await AppUserManager.ResetPasswordAsync(user.Id, code, newPassword);

I hope this helps anyone else working with Identity in a Web API and AngularJS.

Chivaree answered 2/11, 2015 at 18:34 Comment(3)

For a more formal approach, I would recommend

var callbackUrl = new Uri(Request.RequestUri, RequestContext.VirtualPathRoot).AbsoluteUri + $"#/resetPassword?username={WebUtility.UrlEncode(user.UserName)}&code={WebUtility.UrlEncode(code)}";

to correctly url encode username and code to a client page (for example Angular) to let the user set password and finalize request – Charinile 26/1, 2016 at 19:53

The default token is base64 encoded, which is not URL safe and requires URL encoding. You can override or wrap the token provider, and return base64url encoded tokens instead, avoiding the special characters like you did already. – Garrett 22/3, 2017 at 6:53

It does this for '+" only or any other also – Calendar 31/7, 2023 at 10:23

tl;dr: Register custom token provider in aspnet core 2.2 to use AES encryption instead of MachineKey protection, gist: https://gist.github.com/cyptus/dd9b2f90c190aaed4e807177c45c3c8b

i ran into the same issue with aspnet core 2.2, as cheny pointed out the instances of the token provider needs to be the same. this does not work for me because

i got different API-projects which does generate the token and receive the token to reset password
the APIs may run on different instances of virtual machines, so the machine key would not be the same
the API may restart and the token would be invalid because it is not the same instance any more

i could use services.AddDataProtection().PersistKeysToFileSystem(new DirectoryInfo("path")) to save the token to the file system and avoid restart and multiple instance sharing issues, but could not get around the issue with multiple projects, as each project generates a own file.

the solution for me is to replace the MachineKey data protection logic with an own logic which does use AES then HMAC to symmetric encrypt the token with a key from my own settings which i can share across machines, instances and projects. I took the encryption logic from Encrypt and decrypt a string in C#? (Gist: https://gist.github.com/jbtule/4336842#file-aesthenhmac-cs) and implemented a custom TokenProvider:

    public class AesDataProtectorTokenProvider<TUser> : DataProtectorTokenProvider<TUser> where TUser : class
    {
        public AesDataProtectorTokenProvider(IOptions<DataProtectionTokenProviderOptions> options, ISettingSupplier settingSupplier)
            : base(new AesProtectionProvider(settingSupplier.Supply()), options)
        {
            var settingsLifetime = settingSupplier.Supply().Encryption.PasswordResetLifetime;

            if (settingsLifetime.TotalSeconds > 1)
            {
                Options.TokenLifespan = settingsLifetime;
            }
        }
    }

    public class AesProtectionProvider : IDataProtectionProvider
    {
        private readonly SystemSettings _settings;

        public AesProtectionProvider(SystemSettings settings)
        {
            _settings = settings;

            if(string.IsNullOrEmpty(_settings.Encryption.AESPasswordResetKey))
                throw new ArgumentNullException("AESPasswordResetKey must be set");
        }

        public IDataProtector CreateProtector(string purpose)
        {
            return new AesDataProtector(purpose, _settings.Encryption.AESPasswordResetKey);
        }
    }

    public class AesDataProtector : IDataProtector
    {
        private readonly string _purpose;
        private readonly SymmetricSecurityKey _key;
        private readonly Encoding _encoding = Encoding.UTF8;

        public AesDataProtector(string purpose, string key)
        {
            _purpose = purpose;
            _key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key));
        }

        public byte[] Protect(byte[] userData)
        {
            return AESThenHMAC.SimpleEncryptWithPassword(userData, _encoding.GetString(_key.Key));
        }

        public byte[] Unprotect(byte[] protectedData)
        {
            return AESThenHMAC.SimpleDecryptWithPassword(protectedData, _encoding.GetString(_key.Key));
        }

        public IDataProtector CreateProtector(string purpose)
        {
            throw new NotSupportedException();
        }
    }

and the SettingsSupplier i use in my project to supply my settings

    public interface ISettingSupplier
    {
        SystemSettings Supply();
    }

    public class SettingSupplier : ISettingSupplier
    {
        private IConfiguration Configuration { get; }

        public SettingSupplier(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public SystemSettings Supply()
        {
            var settings = new SystemSettings();
            Configuration.Bind("SystemSettings", settings);

            return settings;
        }
    }

    public class SystemSettings
    {
        public EncryptionSettings Encryption { get; set; } = new EncryptionSettings();
    }

    public class EncryptionSettings
    {
        public string AESPasswordResetKey { get; set; }
        public TimeSpan PasswordResetLifetime { get; set; } = new TimeSpan(3, 0, 0, 0);
    }

finally register the provider in Startup:

 services
     .AddIdentity<AppUser, AppRole>()
     .AddEntityFrameworkStores<AppDbContext>()
     .AddDefaultTokenProviders()
     .AddTokenProvider<AesDataProtectorTokenProvider<AppUser>>(TokenOptions.DefaultProvider);


 services.AddScoped(typeof(ISettingSupplier), typeof(SettingSupplier));

//AESThenHMAC.cs: See https://gist.github.com/jbtule/4336842#file-aesthenhmac-cs

Volatilize answered 29/5, 2019 at 7:34 Comment(0)

string code = _userManager.GeneratePasswordResetToken(user.Id);

                code = HttpUtility.UrlEncode(code);

//send rest email

do not decode the code

var result = await _userManager.ResetPasswordAsync(user.Id, model.Code, model.Password);

Taciturn answered 29/4, 2015 at 16:47 Comment(3)

Your comment to not decode the code does not work for me. Only decoding the code will result in success. – Diplomatic 15/11, 2015 at 19:17

@AaronHudon Probably dependent on whether you're sending it through the url string or in the request body (post). – Winy 27/5, 2017 at 12:5

It seems to depend on if your using WebAPI or MVC controllers. The model Binder on the MVC controller URL Decodes it by default! – Makassar 7/9, 2018 at 1:20

Insipired by the soluion #3 posted by @cheny, I realized that if you use the same UserManager instance the generated code is accepted. But in a real scenario, the validation code happens in a second API call after the user clicks on the email link. It means that a new instance of the UserManager is created and it is unable to verify the code generated by the first instance of the first call. The only way to make it work is to be sure to have the SecurityStamp column in the database user table. Registering the class that's using the UserManager as singleton throws an exception at the application startup because the UserManager class is automatically registered with a Scoped lifetime

Matrilocal answered 15/7, 2020 at 12:0 Comment(1)

Thank you, I filled SecurityStamp column in my users table and it fixed my problem. – Agama 27/2, 2022 at 19:45

Here is what I did: Decode Token after encoding it for URL (in short)

First I had to Encode the User GenerateEmailConfirmationToken that was generated. (Standard above advice)

    var token = await userManager.GenerateEmailConfirmationTokenAsync(user);
    var encodedToken = HttpUtility.UrlEncode(token);

and in your controller's "Confirm" Action I had to decode the Token before I validated it.

    var decodedCode = HttpUtility.UrlDecode(mViewModel.Token);
    var result = await userManager.ConfirmEmailAsync(user,decodedCode);

Kenon answered 7/3, 2018 at 13:27 Comment(0)

Here I've the same problem but after a lot of time I found that in my case the invalid token error was raised by the fact that my custom Account class has the Id property re-declared and overridden.

Like that:

 public class Account : IdentityUser
 {
    [ScaffoldColumn(false)]
    public override string Id { get; set; } 
    //Other properties ....
 }

So to fix it I've just removed that property and generated again the database schema just to be sure.

Removing this solves the problem.

Eraste answered 6/7, 2018 at 16:27 Comment(0)

Hit this issue with asp.net core and after a lot of digging I realised I'd turned this option on in Startup:

services.Configure<RouteOptions>(options =>
{
    options.LowercaseQueryStrings = true;
});

This of course invalidated the token that was in the query string.

Gentille answered 22/10, 2019 at 18:29 Comment(1)

EXACTLY!!! You saved my day, thank you. – Pyriphlegethon 2/10, 2021 at 23:51

The following solution helped me in WebApi:

Registration

var result = await _userManager.CreateAsync(user, model.Password);

if (result.Succeeded) {
EmailService emailService = new EmailService();
var url = _configuration["ServiceName"];
var token = await _userManager.GenerateEmailConfirmationTokenAsync(user);
var encodedToken = HttpUtility.UrlEncode(token);

// .Net Core 2.1, Url.Action return null
// Url.Action("confirm", "account", new { userId = user.Id, code = token }, protocol: HttpContext.Request.Scheme);
var callbackUrl = _configuration["ServiceAddress"] + $"/account/confirm?userId={user.Id}&code={encodedToken}";
var message = emailService.GetRegisterMailTemplate(callbackUrl, url);

await emailService.SendEmailAsync( model.Email, $"please confirm your registration {url}", message );
}

Confirm

[Route("account/confirm")]
[AllowAnonymous]
[HttpGet]
public async Task<IActionResult> ConfirmEmail(string userId, string code) {
  if (userId == null || code == null) {
    return Content(JsonConvert.SerializeObject( new { result = "false", message = "data is incorrect" }), "application/json");
  }

  var user = await _userManager.FindByIdAsync(userId);
  if (user == null) {
    return Content(JsonConvert.SerializeObject(new { result = "false", message = "user not found" }), "application/json");
  }

  //var decodedCode = HttpUtility.UrlDecode(code);
  //var result = await _userManager.ConfirmEmailAsync(user, decodedCode);

  var result = await _userManager.ConfirmEmailAsync(user, code);

  if (result.Succeeded)
    return Content(JsonConvert.SerializeObject(new { result = "true", message = "ок", token = code }), "application/json");
  else
    return Content(JsonConvert.SerializeObject(new { result = "false", message = "confirm error" }), "application/json");
}

Bearer answered 25/12, 2019 at 19:0 Comment(1)

wonderful var encodedToken = HttpUtility.UrlEncode(token); did the magic – Arnaldo 30/4, 2020 at 19:21

Make sure when generate, you use:

GeneratePasswordResetTokenAsync(user.Id)

And confirm you use:

ResetPasswordAsync(user.Id, model.Code, model.Password)

If you make sure you are using the matching methods, but it still doesn't work, please verify that user.Id is the same in both methods. (Sometimes your logic may not be correct because you allow using same email for registry, etc.)

Lalalalage answered 20/10, 2014 at 5:16 Comment(0)

Maybe this is an old thread but, just for the case, I've been scratching my head with the random occurrence of this error. I've been checking all threads about and verifying each suggestion but -randomly seemed- some of the codes where returned as "invalid token". After some queries to the user database I've finally found that those "invalid token" errors where directly related with spaces or other non alphanumerical characters in user names. Solution was easy to find then. Just configure the UserManager to allow those characters in user's names. This can be done just after the user manager create event, adding a new UserValidator setting to false the corresponding property this way:

 public static UserManager<User> Create(IdentityFactoryOptions<UserManager<User>> options, IOwinContext context)
    {
        var userManager = new UserManager<User>(new UserStore());

        // this is the key 
        userManager.UserValidator = new UserValidator<User>(userManager) { AllowOnlyAlphanumericUserNames = false };


        // other settings here
        userManager.UserLockoutEnabledByDefault = true;
        userManager.MaxFailedAccessAttemptsBeforeLockout = 5;
        userManager.DefaultAccountLockoutTimeSpan = TimeSpan.FromDays(1);

        var dataProtectionProvider = options.DataProtectionProvider;
        if (dataProtectionProvider != null)
        {
            userManager.UserTokenProvider = new DataProtectorTokenProvider<User>(dataProtectionProvider.Create("ASP.NET Identity"))
            {
                TokenLifespan = TimeSpan.FromDays(5)
            };
        }

        return userManager;
    }

Hope this could help "late arrivals" like me!

Unprepared answered 13/1, 2016 at 23:11 Comment(1)

Concerning the encoding/decoding to avoid spaces and other simbols interference I'm using this proposal that works like a charm: #27535733 – Unprepared 14/1, 2016 at 10:58

Make sure that the token that you generate doesn't expire rapidly - I had changed it to 10 seconds for testing and it would always return the error.

    if (dataProtectionProvider != null) {
        manager.UserTokenProvider =
           new DataProtectorTokenProvider<AppUser>
              (dataProtectionProvider.Create("ConfirmationToken")) {
               TokenLifespan = TimeSpan.FromHours(3)
               //TokenLifespan = TimeSpan.FromSeconds(10);
           };
    }

Morven answered 26/10, 2017 at 1:48 Comment(0)

We have run into this situation with a set of users where it was all working fine. We have isolated it down to Symantec's email protection system which replaces links in our emails to users with safe links that go to their site for validation and then redirects the user to the original link we sent.

The problem is that they are introducing a decode... they appear to do a URL Encode on the generated link to embed our link as a query parameter to their site but then when the user clicks and clicksafe.symantec.com decodes the url it decodes the first part they needed to encode but also the content of our query string and then the URL that the browser gets redirected to has been decoded and we are back in the state where the special characters mess up the query string handling in the code behind.

Limemann answered 31/1, 2018 at 21:46 Comment(0)

In my case, I just need to do HttpUtility.UrlEncode before sending an email. No HttpUtility.UrlDecode during reset.

Read answered 25/3, 2018 at 3:18 Comment(0)

Related to chenny's 3. Different instances of token providers .

In my case I was passing IDataProtectionProvider.Create a new guid every time it got called, which prevented existing codes from being recognized in subsequent web api calls (each request creates its own user manager).

Making the string static solved it for me.

private static string m_tokenProviderId = "MyApp_" + Guid.NewGuid().ToString();
...
manager.UserTokenProvider =
  new DataProtectorTokenProvider<User>(
  dataProtectionProvider.Create(new string[1] { m_tokenProviderId } ))
  {
      TokenLifespan = TimeSpan.FromMinutes(accessTokenLifespan)
  };

Orvalorvan answered 29/9, 2019 at 14:48 Comment(0)

In case anyone runs into this, it turns out that the token was not URL-friendly, and so I had to wrap it in a HttpUtility.UrlEncode() like so:

var callback = Url.Content($"{this.Request.Scheme}://{this.Request.Host}{this.Request.PathBase}/reset-password?token={HttpUtility.UrlEncode(token)}&email={user.Email}");

Hiltan answered 2/7, 2020 at 3:58 Comment(0)

I have solved "Invalid Token" issue most of described hints. Here is my solution for blazor project. The core is in StringExtensions class.

Generating email when user is registering his/her email:

user = new IdentityUser { UserName = email, Email = email };
var createUser = await _userManager.CreateAsync(user, password);
 if (createUser.Succeeded)
  {
      var code = await _userManager.GenerateEmailConfirmationTokenAsync(user);
      var baseUri = NavMgr.BaseUri;
      var setNewPasswordUri = baseUri + "confirm-password";
      var urlWithParams = StringExtensions.GenerateUrl(token, emailTo, url);
      await SendAsync( urlWithParams  );   // use your own Email solution send the email
  }

Email confirmation (user clicks on the link in the mail)

@page  "/confirm-email"
 
<h3>Confirm email</h3>
 
@Error

        [Inject]
        UserManager<IdentityUser> UserMgr { get; set; }
 
        [Inject] 
        NavigationManager NavMgr { get; set; }
 
 
        protected override Task OnInitializedAsync()
        {
            var url = NavMgr.Uri;
            Token = StringExtensions.GetParamFromUrl(url, "token");
            Email = StringExtensions.GetParamFromUrl(url, "email");
            log.Trace($"Initialised with email={Email} , token={Token}");
            return ActivateEmailAsync();
        }
 
 
        private async Task ActivateEmailAsync()
        {
            isProcessing = true;
            Error = null;
 
            log.Trace($"ActivateEmailAsync started for {Email}");
            isProcessing = true;
            Error = null;
 
            try
            {
                var user = await UserMgr.FindByEmailAsync(Email);
                if (user != null)
                {
                        if (!string.IsNullOrEmpty(Token))
                        {
                            var result = await UserMgr.ConfirmEmailAsync(user, Token);
                            if (result.Succeeded)
                            {
// Show user , that account is activated
                            }
                            else
                            {
                                foreach (var error in result.Errors)
                                {
                                    Error += error.Description;
                                }
                                log.Error($"Setting new password failed for {Email} due to the: {Error}");
                            }
                        }
                        else
                        {
                            log.Error("This should not happen. Token is null or empty");
                        }
                }
 
            }
            catch (Exception exc)
            {
                Error = $"Activation failed";
            }
            isProcessing = false;
        }

 public static class StringExtensions
    {
        /// <summary>
        /// Encode string to be safe to use it in the URL param
        /// </summary>
        /// <param name="toBeEncoded"></param>
        /// <returns></returns>
        public static string Encode(string toBeEncoded)
        {
            var result = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(toBeEncoded));
            return result;
        }
 
        /// <summary>
        /// Decode from the url safe string the original value
        /// </summary>
        /// <param name="toBeDecoded"></param>
        /// <returns></returns>
        public static string Decode(string toBeDecoded)
        {
            var decodedBytes = WebEncoders.Base64UrlDecode(toBeDecoded);
            var result = Encoding.UTF8.GetString(decodedBytes);
            return result;
        }
 
 
        public static string GenerateUrl(string token, string emailTo, string baseUri, string tokenParamName = "token", string emailParamName = "email")
        {
            var tokenEncoded = StringExtensions.Encode(token);
            var emailEncoded = StringExtensions.Encode(emailTo);
            var queryParams = new Dictionary<string, string>();
            queryParams.Add(tokenParamName, tokenEncoded);
            queryParams.Add(emailParamName, emailEncoded);
            var urlWithParams = QueryHelpers.AddQueryString(baseUri, queryParams);
            return urlWithParams;
        }
 
 
        public static string GetParamFromUrl(string uriWithParams, string paramName)
        {
            var uri = new Uri(uriWithParams, UriKind.Absolute);
            var result = string.Empty;
 
            if (QueryHelpers.ParseQuery(uri.Query).TryGetValue(paramName, out var paramToken))
            {
                var queryToken = paramToken.First();
                result  = StringExtensions.Decode(queryToken);
            }
            return result;
        }

Toname answered 8/12, 2021 at 8:21 Comment(0)

I have experienced Invalid token in Reset password scenario. The root cause was, that I was generating reset token for for incorrect IndentityUser. It can be spotted easily in simplified code, but it it took me some to fix it time in more complex code.

I should have used the code:

 var user = await UserMgr.FindByEmailAsync(Model.Email);
 string resetToken = await _userManager.GeneratePasswordResetTokenAsync(user);

But I was wrongly ( creating another IndentityUser).

 // This is example "How it should not be done"
 var user = await UserMgr.FindByEmailAsync(Model.Email);
 
 user = new IdentityUser { UserName = email, Email = email };  // This must not be her !!!! We need to use user found by UserMgr.FindByEmailAsync(Model.Email);
 string resetToken = await _userManager.GeneratePasswordResetTokenAsync(user);

Complete simplified code is here:

private async Task GenerateResetToken()
{
    var user = await UserMgr.FindByEmailAsync(Model.Email);
    if (user == null)
    {
        Model.Error = "Not registered";
    }
    else
    {
        try
        {
            var _userManager = SignInMgr.UserManager;

            UserMgr.FindByEmailAsync(Model.Email);
            string resetToken = await _userManager.GeneratePasswordResetTokenAsync(user);
            if (resetToken == null)
            {
                log.Error("Cannot get token from GeneratePasswordResetTokenAsync");
            }
            else
            {
                // Reset token generated. Send email to user
            }

        }
        catch (Exception exc)
        {
            log.Error(exc, $"Password reset failed  due to the {exc.Message}");
        }
    }
}

Toname answered 2/1, 2022 at 5:55 Comment(0)

I faced same issue if I click on reset link that I got in email after 10 mins. The DataProtectionTokenProviderOptions --> TokenLifespan was set to 10 mins.

I changed DataProtectionTokenProviderOptions --> TokenLifespan to 2 hrs.

Now if I click on link I got in email within 2hrs then it worked. If I click on link after 2hrs then I am getting Invalid Token issue.

Revet answered 8/8, 2023 at 10:21 Comment(0)

-1

My problem was that there was a typo in the email containing the ConfirmationToken:

<p>Please confirm your account by <a [email protected]'>clicking here</a>.</p>

This meant the extra apostrophe was appended to the end of the ConfirmationToken.

D'oh!

Libnah answered 28/3, 2019 at 3:9 Comment(0)

-1

My issue was that I was missing a <input asp-for="Input.Code" type="hidden" /> control in my Reset Password form

<form role="form" method="post">
<div asp-validation-summary="All" class="text-danger"></div>
<input asp-for="Input.Code" type="hidden" />

Enfeeble answered 27/4, 2019 at 21:51 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

1. URL-Encoding issues (if problem occurring "randomly")

2. Non-matching methods (email vs password tokens)

3. Different instances of token providers

Recommended topics

Hot tags