C# · 6mo ago
honk

ASP.NET Core 5 Identity reset password token is randomly invalid

Using IdentityServer4 + ASP.NET Core Identity with .NET 5. Our password reset endpoint throws errors; however, if I re-send the request a few times (the exact same request), it works again.

Here's a summary of our process: after the user verifies, I generate the password reset token like this:

```csharp
var token = await _userManager.GeneratePasswordResetTokenAsync(user);
```

Then I pass this token to the front end, which sends this token to the password reset endpoint, where this token is validated:

```csharp
// removed rest of the code for brevity
if (user == null)
{
    throw new CustomException(UserNotFoundException);
}
var isValid = await userManager.VerifyUserTokenAsync(user, userManager.Options.Tokens.PasswordResetTokenProvider, "ResetPassword", token);
if (!isValid)
{
    throw new CustomException(InvalidTokenException);
}
return isValid;
```
The `VerifyUserTokenAsync` method returns false most of the time, but after several retries (between 2 and 10 tries), it eventually works. This issue only occurs in our production environment; our testing environments do not exhibit this problem. The issue seems isolated to the `PasswordResetTokenProvider`, as our custom OTP provider functions correctly without failure.

Steps I've taken so far:
- Verified that the token generated by `GeneratePasswordResetTokenAsync` and the token sent in the request are identical.
- Ensured the token is sent in the request body to prevent encoding/decoding mismatches.
- Confirmed that the `SecurityStamp` is not null during the process.

Any idea what could be causing this? At this point I'm feeling lost and don't know where to look. One suspicion I have is that there might be several instances of our identity app running, and that may be causing the issue (although I don't know if that would cause an issue in the first place). I'd be happy to provide more code if needed. (Reposted from SO, as I got no answers there :harold:) Thanks!
1 Reply
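The default `PasswordResetTokenProvider` is a `DataProtectorTokenProvider`, so the token is protected with the ASP.NET Core Data Protection key ring: an instance that does not hold the key the issuing instance used will fail to unprotect the token, which fits the "several instances" suspicion and the intermittent success after retries. As an added example that is not from the thread, this is the service registration that gives every instance the same key ring; the directory path, the application name and the certificate are assumptions.

```csharp
// Added example (not the poster's code): register a key ring shared by
// every instance of the identity app so password reset tokens issued on
// one instance verify on all of them.
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

public static class SharedDataProtectionSetup
{
    // Placeholder: a volume or share that all instances can read and write.
    private const string SharedKeyPath = "/var/shared/dataprotection-keys";

    public static IServiceCollection AddSharedDataProtection(
        this IServiceCollection services,
        X509Certificate2 keyEncryptionCertificate)   // assumed to be loaded by the caller
    {
        services.AddDataProtection()
            // One key ring for all instances; without this, each instance
            // generates its own keys and rejects tokens protected elsewhere.
            .PersistKeysToFileSystem(new DirectoryInfo(SharedKeyPath))
            // Keys are scoped by application name, so this must be identical
            // on every instance (the default is derived from the content root).
            .SetApplicationName("identity-app")
            // Encrypt the keys at rest so the shared directory is not a
            // plaintext key store.
            .ProtectKeysWithCertificate(keyEncryptionCertificate);

        return services;
    }
}
```

A quick check for this failure mode is to compare the key ring on each production instance: if their key ids differ, tokens will only verify on the instance that issued them.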
WAASUL · 6mo ago
@honk Are you calling

```csharp
await userManager.ResetPasswordAsync(user, token, newPassword);
```

It will automatically check if the token is valid and process it. Just a tip: why not just email a callback URL? The user clicks on the link, and it sends the user to the reset password page.