VerifyUserTokenAsync returns false when the user is not persisted
Considering PhoneNumber as my customized user's Username, I need only users whose phone number is verified to be able to sign up. So I created a temp user, generated a verification token for him/her, and sent the token back to the provided phone number as follows:

public async Task Handle(SendSignupSmsRequest request)
{
   // transient user object; it is never saved to the user store
   var user = new CustomUser { UserName = request.PhoneNumber, PhoneNumber = request.PhoneNumber };
   var token = await _userManager.GenerateUserTokenAsync(user, TokenOptions.DefaultPhoneProvider, "sign-up");

   // send token to provided phone number
}

In the sign-up request handler, I tried to re-create the same temp user and verify the token as follows:

public async Task Handle(SignupRequest request)
{
   // re-created transient user, built from the same request fields as before
   var user = new CustomUser { UserName = request.PhoneNumber, PhoneNumber = request.PhoneNumber };
   var tokenVerified = await _userManager.VerifyUserTokenAsync(user, TokenOptions.DefaultPhoneProvider, "sign-up", request.Token);

   if (!tokenVerified)
   {
      // do something
   }
   else
   {
      // do something else
   }
}

I see that tokenVerified is always false! I tried the following to find out what is wrong with my code:

Verify the token with the same temp user ====> successful verification

var user = new CustomUser { UserName = request.PhoneNumber, PhoneNumber = request.PhoneNumber };
var token = await _userManager.GenerateUserTokenAsync(user, TokenOptions.DefaultPhoneProvider, "sign-up");

// verify the token just generated against the very same user object
var tokenVerified = await _userManager.VerifyUserTokenAsync(user, TokenOptions.DefaultPhoneProvider, "sign-up", token);

Verify the token with a new temp user created just like the first temp user ====> unsuccessful verification

var user = new CustomUser { UserName = request.PhoneNumber, PhoneNumber = request.PhoneNumber };
var token = await _userManager.GenerateUserTokenAsync(user, TokenOptions.DefaultPhoneProvider, "sign-up");

// a second object with identical UserName and PhoneNumber, then verify the same token against it
user = new CustomUser { UserName = request.PhoneNumber, PhoneNumber = request.PhoneNumber };
var tokenVerified = await _userManager.VerifyUserTokenAsync(user, TokenOptions.DefaultPhoneProvider, "sign-up", token);

Solution

  • It all comes down to SecurityStamp!

    First, assign a temporary security stamp to the user created in the send sign-up SMS request handler. Then, in the sign-up request handler, set the same security stamp on the re-created user. Doing so, the token will be verified successfully.
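One way to apply this answer end to end, as an added example rather than the asker's or the answerer's code: the send-SMS handler generates a random stamp, keeps it server-side under the phone number, and puts it on the transient user; the sign-up handler reads the stamp back and puts the identical value on its re-created user before verifying. The IMemoryCache, the ten-minute lifetime, the cache key prefix and the assumption that CustomUser derives from IdentityUser (so SecurityStamp is settable) are choices made here; UserManager, CustomUser, the request types and the "sign-up" purpose come from the question.

```csharp
using System;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Caching.Memory;

public class SignupTokenHandlers
{
    private const string Purpose = "sign-up";
    private static readonly TimeSpan StampLifetime = TimeSpan.FromMinutes(10); // assumed lifetime

    private readonly UserManager<CustomUser> _userManager;
    private readonly IMemoryCache _cache; // assumed store; any short-lived server-side store works

    public SignupTokenHandlers(UserManager<CustomUser> userManager, IMemoryCache cache)
    {
        _userManager = userManager;
        _cache = cache;
    }

    // Step 1: transient user with a fresh random stamp; remember the stamp, send the code.
    public async Task Handle(SendSignupSmsRequest request)
    {
        var stamp = NewStamp();
        _cache.Set(CacheKey(request.PhoneNumber), stamp, StampLifetime);

        var user = NewTransientUser(request.PhoneNumber, stamp);
        var token = await _userManager.GenerateUserTokenAsync(user, TokenOptions.DefaultPhoneProvider, Purpose);

        // send token to the provided phone number (SMS gateway call omitted)
    }

    // Step 2: rebuild the transient user with the *same* stamp; only then does the code verify.
    public async Task<bool> Handle(SignupRequest request)
    {
        if (!_cache.TryGetValue(CacheKey(request.PhoneNumber), out string stamp))
            return false; // no code was requested for this number, or the stamp expired

        var user = NewTransientUser(request.PhoneNumber, stamp);
        var tokenVerified = await _userManager.VerifyUserTokenAsync(
            user, TokenOptions.DefaultPhoneProvider, Purpose, request.Token);
        if (!tokenVerified)
            return false;

        _cache.Remove(CacheKey(request.PhoneNumber)); // the stamp is single use
        user.PhoneNumberConfirmed = true;
        var result = await _userManager.CreateAsync(user); // CreateAsync assigns a new, persisted stamp
        return result.Succeeded;
    }

    private static CustomUser NewTransientUser(string phoneNumber, string stamp) =>
        new CustomUser { UserName = phoneNumber, PhoneNumber = phoneNumber, SecurityStamp = stamp };

    // The stamp is the key the phone token provider's TOTP is computed under, so it must be
    // unpredictable: 32 bytes from the OS CSPRNG, never something derived from the phone number alone.
    private static string NewStamp()
    {
        var bytes = new byte[32];
        RandomNumberGenerator.Fill(bytes);
        return Convert.ToBase64String(bytes);
    }

    private static string CacheKey(string phoneNumber) => "signup-stamp:" + phoneNumber;
}
```

Keeping the stamp server-side is what makes the scheme hold: the default phone provider derives the short numeric code from the security stamp and the phone number, so the stamp plays the role of the secret, and the verifying side must hold the same value without the client ever seeing it. Because the code is only a few digits, the sign-up endpoint should also be rate-limited per phone number, and removing the cached stamp after a successful verification keeps one delivered code from being accepted twice.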