Tags: asp.net-identity-2, forgot-password

ASP.NET Identity 2 password reset token invalid on other subdomain


In my application I have an administration area where users can be created and a default password is set (the password must not be visible to the user creating the account). I'm doing this by using the UserManager.

var usermanager = context.GetOwinContext().GetUserManager<ApplicationUserManager>();
usermanager.Create(user, pass);

Once the user has been created, a password reset token is generated and sent to the user by email.

string code = usermanager.GeneratePasswordResetToken(user.Id);
var url = string.Format("<a href='{0}?code={1}'>hier</a>", callBackUrl, HttpUtility.UrlEncode(code));
mail = CreateStudentEmailContent(context, repo, student, url, user.UserName);
usermanager.SendEmail(user.Id, mail.Subject, mail.Body);

Now the user receives the mail and clicks on the link, which sends him to the forgot-password page in the public area, where he can set a new password.

The administration area and the public area are two separate projects which will be hosted on different servers under different subdomains. When I test it locally with localhost and different ports assigned to the areas, everything works fine. But once I deploy the application to the servers, I always get a "Token invalid" error when I try to change the password using the link.

It seems the host is somehow encoded in the token and verified when trying to reset the password.

Is there a setting which allows the token to be issued by another server or how can I solve this issue?


Solution

  • Unfortunately I've found no way to allow tokens from other servers. However, I solved the problem by requesting the token from the public server. As the server has access to the same aspnetusers table this works. I then send the mail from the internal server with the token created by the public server. As a security measure the request on the public server checks the IP of the sender and only returns a token if the IP is on a whitelist.
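The public-server side of that design, as an added example (not the poster's code): a Web API action that generates the reset token only when the caller's socket address is on a configured allowlist. Assumed names are TokenIssueController, the TokenIssuer:AllowedIps app setting, and that attribute routing (MapHttpAttributeRoutes) is enabled; ApplicationUserManager is the type from the question.

```csharp
// Added example (not the poster's code). Assumed: attribute routing is enabled,
// the allowlist lives in Web.config, e.g.
//   <add key="TokenIssuer:AllowedIps" value="10.0.1.5,10.0.1.6" />
// and ApplicationUserManager is the question's user manager type.
using System;
using System.Configuration;
using System.Linq;
using System.Net;
using System.Web;
using System.Web.Http;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

public class TokenIssueController : ApiController
{
    // Parsed once; IPAddress.Parse rejects malformed entries at startup rather than silently.
    private static readonly IPAddress[] AllowedIps =
        (ConfigurationManager.AppSettings["TokenIssuer:AllowedIps"] ?? string.Empty)
        .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
        .Select(s => IPAddress.Parse(s.Trim()))
        .ToArray();

    [HttpPost]
    [Route("api/token/issue")]
    public IHttpActionResult Issue([FromBody] string userName)
    {
        var owin = HttpContext.Current.GetOwinContext();

        // Use the socket-level peer address. Never trust X-Forwarded-For for this
        // decision; any client can set that header.
        IPAddress remote;
        if (!IPAddress.TryParse(owin.Request.RemoteIpAddress, out remote)
            || !AllowedIps.Any(allowed => allowed.Equals(remote)))
        {
            // Same response as an unknown route: do not reveal that the endpoint exists.
            return NotFound();
        }

        var userManager = owin.GetUserManager<ApplicationUserManager>();
        var user = userManager.FindByName(userName);
        if (user == null)
        {
            return NotFound();
        }

        // The token is generated on this server, so it validates here when the user
        // follows the emailed link. Return it only to the caller and do not log it.
        string code = userManager.GeneratePasswordResetToken(user.Id);
        return Ok(code);
    }
}
```

The peer-address check is only meaningful when the internal server reaches this endpoint directly over HTTPS and not through a shared reverse proxy; behind a proxy, pair it with a second factor such as a shared secret or client certificate.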