saving the Identity token in the Aspnetusertokens table

Marnelle M'BENGUET 20

Hi I created an Asp.net core 6 project and I added the Identity framework for authentication and authorization, I would like to add token management and while doing research I realized that Identity also manages the management of tokens because it generates them at each authentication thanks to the command ".AddDefaultTokenProviders();" in startup.cs but I would like to save these tokens in the database precisely in the Aspnetusertokens table of Identity, so I added a TokenController controller which will help me do it, here is what I have in this controller 

"using Projet.Data;

AgaveJoe 1,495 Reputation points

2023-11-07T11:31:33.33+00:00

Hi I created an Asp.net core 6 project and I added the Identity framework for authentication and authorization, I would like to add token management and while doing research I realized that Identity also manages the management of tokens because it generates them at each authentication thanks to the command ".AddDefaultTokenProviders();" in startup.cs but I would like to save these tokens in the database precisely in the Aspnetusertokens table of Identity, so I added a TokenController controller which will help me do it, here is what I have in this controller

AddDefaultTokenProviders() does not generate an authentication token. The AddDefaultTokenProviders() extension generates tokens for reset passwords, change email and change telephone number operations, and for two factor authentication token generation. The token is stored in a cookie and validated against a token in a URL.

Can you explain the high level problem you are trying to solve? Also, can you share the code, explain how you expect the code to work and how the code actually works?

4 answers

Bruce (SqlWork.com) 57,401 Reputation points

2024-04-19T17:49:47.45+00:00

the tokens expire. you only need the last created.

in general they are intended for one time use. generate the token and save. send email, with token on url. the user must click the link before the token expires. if expired they must ask for new email link. only the lastest email link should work.

this is different from caching access and refresh tokens which you might want if using external oauth server.
Please sign in to rate this answer.

1 person found this answer helpful.
Angel Tobon 0 Reputation points

2024-04-22T01:50:42.5933333+00:00

Thank you very much brother, I thought that the UserTokens table was a kind of log for the tokens, in any case I could or could not make an aggregate for the logs, that is, in UserTokens it saves the last generated and available token, and in the logs all the used ones?, grateful it's little brother

Bruce (SqlWork.com) 57,401 Reputation points

2024-04-22T17:33:40.5033333+00:00

when a user email/phone validation token is emailed or texted to a user, it will be a new request that sends the token. to verify the token it needs to be saved somewhere.

these are different tokens from id and access tokens.

Angel Tobon 0 Reputation points

2024-04-22T19:47:42.9333333+00:00

oh ok I understand, receiving a clarification, we have these methods which generate a verification token:

await _userManager.GenerateChangeEmailTokenAsync();

await _userManager.GenerateChangePhoneNumberTokenAsync();

await _userManager.GenerateEmailConfirmationTokenAsync();

await _userManager.GeneratePasswordResetTokenAsync();

await _userManager.GenerateNewAuthenticatorKey();

await _userManager.GenerateNewTwoFactorRecoveryCodesAsync();

await _userManager.GenerateTwoFactorTokenAsync();

await _userManager.GenerateUserTokenAsync();

Taking this into account, these confirmation tokens are saved in UserTokens, and the login token to the JWT application is saved in a different table that can be called UserLogs Therefore, your method would be something like this or am I wrong?

public async Task<IActionResult> Index() {

IdentityUser? user = await _userManager.FindByEmailAsync("email@gmail.com");

string? existingToken = await _userManager.GetAuthenticationTokenAsync(user, "MyLoginProvider", "MyToken");

if (existingToken != null) {

// if token exists we update await _userManager.SetAuthenticationTokenAsync(user, "MyLoginProvider", "MyToken", "123456ASDFGG"); }

else {

// if token does not exist we create IdentityResult result = await _userManager.SetAuthenticationTokenAsync(user, "MyLoginProvider", "MyToken", "123456ASDFGG"); }

string? token = await _userManager.GetAuthenticationTokenAsync(user, "MyLoginProvider", "MyToken");

return Ok(new { token = token });

}
Sign in to comment

Marnelle M'BENGUET 20

using Project.Data;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Project.Entities;

namespace Project.Controllers
{
    public class TokenController : Controller
    {
        private readonly UserManager<IdentityUser> _userManager;
        private readonly ARTFContext _context;
        public TokenController(UserManager<IdentityUser> userManager, ARTFContext context)
        {
            _userManager = userManager;
            _context = context;
        }
        [HttpPost]
        public async Task<IActionResult> GeneratePasswordResetToken(string userId)
        {
            var user = await _userManager.FindByIdAsync(userId);

            if (user != null)
            {
                var token = await _userManager.GeneratePasswordResetTokenAsync(user);

                // Enregistrer le token dans la base de données (table AspNetUserTokens)
                var userToken = new IdentityUserToken<string>
                {
                    UserId = user.Id,
                    LoginProvider = "Default",
                    Name = "PasswordResetToken",
                    Value = token
                };

                _context.UserTokens.Add(userToken);
                await _context.SaveChangesAsync();

                // Vous pouvez également envoyer le token par e-mail si nécessaire

                return Ok("Token de réinitialisation de mot de passe généré et enregistré avec succès");
            }
            return NotFound(); // Gérer le cas où l'utilisateur n'existe pas
        }

        [HttpPost]
        public async Task<IActionResult> GenerateEmailConfirmationToken(string userId)
        {
            var user = await _userManager.FindByIdAsync(userId);

            if (user != null)
            {
                var token = await _userManager.GenerateEmailConfirmationTokenAsync(user);

                // Enregistrer le token dans la base de données (table AspNetUserTokens)
                var userToken = new IdentityUserToken<string>
                {
                    UserId = user.Id,
                    LoginProvider = "Default",
                    Name = "EmailConfirmationToken",
                    Value = token
                };

                _context.UserTokens.Add(userToken);
                await _context.SaveChangesAsync();

                // Vous pouvez également envoyer le token par e-mail si nécessaire

                return Ok("Token de confirmation d'e-mail généré et enregistré avec succès");
            }

            return NotFound(); // Gérer le cas où l'utilisateur n'existe pas
        }
    }
}

Marnelle M'BENGUET 20 Reputation points

2023-11-07T11:28:03.9766667+00:00

but I have no record in the database yet the token is indeed generated because in my browser at the header level I have a token corresponding to my authentication information which is generated, someone can help me understand where the problem is coming from?

THANKS

sorry for presenting my problem to you in several sections like that I did it so that it doesn't seem too long otherwise it's the same question
Please sign in to rate this answer.
Farid Uddin Kiron MSFT 456 Reputation points Microsoft Vendor

2023-11-13T09:36:54.9066667+00:00

Hello, does your problem got resolved? Do you have any further concern on this?

Marnelle M'BENGUET 20 Reputation points

2023-11-14T07:19:23.3266667+00:00

No, my problem has not been resolved I have not yet received a response from the team I am still waiting

Farid Uddin Kiron MSFT 456 Reputation points Microsoft Vendor

2023-11-21T07:34:54.2366667+00:00

Alright, thanks for your response, May I know where exactly you stuck now? So that I can try assisting you. Please share about your current concern.
Sign in to comment

AgaveJoe 1,495

Example of saving data to the AspNetUserTokens table.

public async Task<IActionResult> Index()
{
    IdentityUser? user = await _userManager.FindByEmailAsync("email@gmail.com");

    if (await _userManager.GetAuthenticationTokenAsync(user, "MyLoginProvider", "MyToken") == null)
    {
        IdentityResult result = await _userManager.SetAuthenticationTokenAsync(user, "MyLoginProvider", "MyToken", "123456ASDFGG");
    }
            
    string? token = await _userManager.GetAuthenticationTokenAsync(user, "MyLoginProvider", "MyToken");


    return Ok(new { token = token });
}

Marnelle M'BENGUET 20 Reputation points

2023-11-20T17:13:21.92+00:00

Okay I'll test it right now and then I'll get back to you
Marnelle M'BENGUET 20 Reputation points

2023-11-20T17:14:43.83+00:00

Does the e-mail address retrieve it from the database where it is hardened in the code? That is what I seem to understand
AgaveJoe 1,495 Reputation points

2023-11-20T18:39:56.3333333+00:00

Does the e-mail address retrieve it from the database where it is hardened in the code?

The code sample simply illustrates how to set and get a token from the AspNetUserTokens table using the UserManager.

The email address is arbitrary. I used the email address to fetch a user from the database because the GetAuthenticationTokenAsync() and SetAuthenticationTokenAsync() methods define an IdentityUser input. You can use whatever method you like to populate an IdentityUser.

Also, you can update the AspNetUserTokens directly using LINQ.

Angel Tobon 0

I have a question, when saving the token after the email, let's say, I am an Angel user and I register, they send me the email but "I do not confirm" when I log in it sends me another email because first I have to confirm and "I do not confirm" and I try again and it sends me the email again, so I have already generated 3 tokens so I don't understand if I should save the 3 tokens or just the token with which the email was actually confirmed, the same with resetpassword, change email and change password for each user, that is, let's say every time I update the password or email, I update the value or generate another row of data.

here, when you are going to generate the token :

        public async Task<LoginServiceResponseDto?> LoginAsync(LoginDto loginDto)
        {
            LoginServiceResponseDto response = new LoginServiceResponseDto();

            User user = await _userManager.FindByEmailAsync(loginDto.Email);
            if (user is null)
            {
                return null;
            }

            var isPasswordCorrect = await _userManager.CheckPasswordAsync(user, loginDto.Password);

            if (!isPasswordCorrect)
            {
                return null;
            }

            var isCorrectSignIn = await _signInManager.PasswordSignInAsync(
                user,
                loginDto.Password,
                loginDto.RememberLogin ?? false,
                false);

            if (!isCorrectSignIn.Succeeded)
            {
                await SendEmailConfirmationTokenAsync(user,loginDto.LoginProvider);

                response.userInfo = null;
                response.NewToken = "RCE";
                return response;
            }

            //var userLogins = await _userManager.GetLoginsAsync(user);
            //Console.WriteLine(userLogins);

            if (loginDto.LoginProvider != "Local" || loginDto.Subject is not null)
            {
                var isUserLoginWithSocialNetwork = await _userManager.FindByLoginAsync(loginDto.LoginProvider!, loginDto.Subject!);
                if (isUserLoginWithSocialNetwork is null)
                {
                    var addLoginResult = await _userManager.AddLoginAsync(user, new UserLoginInfo(loginDto.LoginProvider!, loginDto.Subject!, loginDto.LoginProvider!));
                }
            }

                

            var newToken = await GenerateJWTTokenAsync(user);
            var roles = await _userManager.GetRolesAsync(user);
            var userInfo = GenerateUserInfoObject(user, roles);

            await _logService.SaveNewLog(user.UserName, "New Login");

            response.userInfo = userInfo;
            response.NewToken = newToken;
            return response;

        }
```or here, when you are going to reset the token:

```typescript
   public async Task<GeneralServiceResponseDto> ConfirmUserAsync(string userId, string code)
   {
       GeneralServiceResponseDto response = new GeneralServiceResponseDto();

       if (userId == null || code == null)
       {
           response.IsSuccess = false;
           response.StatusCode = 400;
           response.Message = "Requiere de parametros obligatorios";
           return response;

       }

       var user = await _userManager.FindByIdAsync(userId);

       if(user is null)
       {
           response.IsSuccess = false;
           response.StatusCode = 408;
           response.Message = "User dont exist";
           return response;
       }

       var codeFormat = code.Replace("%2F", "/");

       var result = await _userManager.ConfirmEmailAsync(user , codeFormat);

       if (!result.Succeeded)
       {
           var errorString = "User Creation failed becasue";
           foreach (var error in result.Errors)
           {
               errorString += "#" + error.Description;
           }
           response.IsSuccess = false;
           response.StatusCode = 400;
           response.Message = errorString;
       }

       response.IsSuccess = true;
       response.StatusCode = 200;
       response.Message = "Confirm email";

       return response;
   }

Bruce (SqlWork.com) 57,401 Reputation points

2024-05-07T17:33:10.6366667+00:00

the default implementation does not save the email token. the token is based on the users securitystamp column (which is random string updated on any important change). it is encrypted with the rounded timestamp (system time). the validation just re-encrypts the securitystamp with the valid range of timestamps and compares.

note: the securitystamp is updated if verification is performed. that is, if the user verifies email, mfa, etc, the stamp is changed.