I'm having a hard time trying to understand the correct way to configure IUserTokenProvider for my UserManager in my identity server. My goal with this is to be able to reset a user's password.
First, I understand that I need to configure a provider such as:

    var provider = new DpapiDataProtectionProvider("MyAppName");

but I'm not sure where I should put this code. Would it be in my UserManager constructor?

This is what my constructor looks like right now, but it doesn't seem to be right; otherwise, how would I change the purpose for the validation and creation?

    public UserManager(UserStore store)
        : base(store)
    {
        var provider = new DpapiDataProtectionProvider("MyAppName");
        UserTokenProvider = new DataProtectorTokenProvider<User>(provider.Create("EmailConfirmation"));
    }

And one last question, does this provider automatically handle situations where a token was successfully used before in order to protect against further malicious requests?
PS: I'm using EntityFramework behind it.
You could do something like this if it's a public property (this is how a lot of Identity examples handle it).

    var provider = new DpapiDataProtectionProvider("MyAppName");
    var userManager = new UserManager(userStore)
    {
        UserTokenProvider = new DataProtectorTokenProvider<User>(provider.Create("EmailConfirmation"))
    };

And as for the last question, if you're using the EntityFramework (or any implementation that supports SecurityStamps for that matter), yes, you are protected. The question "What is ASP.NET Identity's IUserSecurityStampStore<TUser> interface?" is a good starting reference for understanding SecurityStamps.
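
An added example, not code from the question or the answer: a password reset flow on ASP.NET Identity 2.x that shows where the token purpose comes from and that a reset token cannot be replayed after a successful use. The shapes of `User` and `UserManager`, the `"UserTokens"` protector purpose, the one-hour lifespan and the `PasswordResetFlow` helper are assumptions.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security.DataProtection;

// Assumed shapes for the page's types; the page does not show their definitions.
public class User : IdentityUser { }

public class UserManager : UserManager<User>
{
    public UserManager(IUserStore<User> store) : base(store)
    {
        // The string passed to Create() only scopes the data protector's keys.
        // The per-operation purpose ("ResetPassword", "Confirmation") is supplied
        // by UserManager<TUser> when it calls the provider, so a single provider
        // instance serves both password reset and email confirmation.
        var provider = new DpapiDataProtectionProvider("MyAppName");
        UserTokenProvider = new DataProtectorTokenProvider<User>(provider.Create("UserTokens"))
        {
            TokenLifespan = TimeSpan.FromHours(1) // assumed value; keeps reset links short-lived
        };
    }
}

// Hypothetical helper demonstrating single-use behaviour of a reset token.
public static class PasswordResetFlow
{
    // Returns true when the first use succeeds and the replay is rejected.
    public static async Task<bool> ResetOnceAsync(UserManager manager, string userId, string newPassword)
    {
        // Token is bound to the user id, the "ResetPassword" purpose and the current security stamp.
        string token = await manager.GeneratePasswordResetTokenAsync(userId);

        IdentityResult first = await manager.ResetPasswordAsync(userId, token, newPassword);

        // A successful reset changes the security stamp, so the same token no longer validates.
        IdentityResult replay = await manager.ResetPasswordAsync(userId, token, newPassword);

        return first.Succeeded && !replay.Succeeded;
    }
}
```

A token stays valid until `TokenLifespan` elapses or the user's security stamp changes; `ResetPasswordAsync` changes the stamp, which is why the replay fails.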