How to implement reset password functionality in asp.net core for an user who didn't sign in using asp.net core identity

Sherpa 161

I am working on a legacy Asp.Net Web Forms application which is nearly 18 years old. It uses a simple form based authentication where the users enter their username/password and the user is authenticated by matching the username/password saved in the Users table. Now I am tasked with creating a separate Asp.Net core 6.0 application with identity and razor pages which will be used to log into the above-mentioned old website and use two-factor authentication. I have created all the identity tables such as AspNetUsers using migrations. I also moved all the rows from the old Users table to this AspNetUsers table.

Now, when the old users try to log in, I will check that the username is present and it matches the old password they entered. There will be a separate column in the AspNetUsers table with the old password. After that, I want to direct them to the ChangePassword.cshtml razor page. The user probably should not be asked to enter the old password, since the cryptography used by the old application and the asp.net core identity will be different. When they enter the password and confirm the password textboxes, the password should be updated and they can now log in using the asp.net core identity. I would like to know how this can be achieved. Any help is greatly appreciated.

AgaveJoe 26,201 Reputation points

2024-03-26T09:37:24.7933333+00:00

Can you clarify the use case? Are you trying to create single sign on where many applications use a central authentication service? Or are you creating a separate web site only to leverage Identity's two-factor authentication?
Ben Gimblett 3,410 Reputation points Microsoft Employee

2024-03-26T09:43:16.0733333+00:00

Hi Sherpa - thanks for the question
I am a little unsure how you plan to make this work. If I understood from your question you simply want a new way to log in the user + MFA , continuing to use "individual user accounts" (using aspnet core 6 app and aspnet core identity) and once logged in they continue to use the old / existing app? is that correct?
Sherpa 161 Reputation points

2024-03-26T14:12:15.8933333+00:00

Please see my input above.
Sherpa 161 Reputation points

2024-03-26T14:17:33.5633333+00:00

Hi AgaveJoe and Ben,

Sorry, if my question was confusing. Let's not worry about the MFA or single sign on. I have moved several rows of user data from an old system to the AspNetUsers table. I have to make these users also to be able to log in using the Asp.Net core's identity. These users have value in the Email and username fields but the PasswordHash field is null. When these orphan users try to log in, they should redirected to the ResetPassword or any other similar page where they could create a new password and start log in using asp.net core's identity.

Thanks
AgaveJoe 26,201 Reputation points

2024-03-26T14:44:39.81+00:00

If I understand correctly, there are two different web applications. One uses forms auth with a custom user login table while the other uses cookie authentication with an Identity back end. You moved email and username from the old database to the new database. When user tries to login to the new application, you want the username to stay the same but the user must create a password for the new system.

It seems to me you should be able to query the user's username in the AspNetUsers table where the password hash is null or empty. If the password is empty but the username (and/or email) is found then redirect to a page where the user can enter a new password. Do you need help writing this query?

If you are not sure how to code the Razor Page, then scaffold the Identity Razor Pages and review the login page. You can do this in a separate test project. From there, all you're doing is replacing the username input with a hidden field. This assumes you want the user to have the same username in both web applications.

If you use case is you are using the new application to login to the old application then pass a token (encrypted string) containing the username and any other information the old app application needs to validate the user. The new application will store the same data in a newly designed table within either the old or new database. Next the new application will redirect to the old application passing the token in the URL's querystring. The old application will decrypt the token and use the information to lookup the data in the newly designed table. The table should contain an short lived expiration date. IF all works out on the old server then simply create a new forms auth cookie.

Sherpa 161

Hi AgaveJoe,

Thanks for your suggestions. I am doing something similar:

var user = await ApplicationUserManager.FindByUserCreatedUserNameAsync(_applicationUserManager, Input.UserCreatedUserName);
if (user == null)
{
var login = await eGrantsLogin.IsValidLogin(Input.UserCreatedUserName, Input.Password);
if (login.IsValidLogin)
{
    return RedirectToPage("./ResetPassword", new { ReturnUrl = returnUrl, RememberMe = Input.RememberMe });
}



```The first line of the above code tries to log in as if the user is an identity user. It will fail for those whose data I have manually moved to the AspNetUsers table. Since user == null, then it checks whether they have the correct old username and password. If so, it tries to send them to the ResetPassword.cshtml page where they could create a new identity based password and save it in the same row of the table. However when it tries to redirect to the ResetPassword.cshtml page, I am getting this error:


```yaml
A code must be supplied for password reset.

AgaveJoe 26,201 Reputation points

2024-03-26T15:30:27.8666667+00:00

Identity's ResetPassword Razor Page is the wrong approach because the page expects an authenticated user. Create a new Razor Page to to handle your custom use case.

If all you are trying to do is add MFA to an old application then I would just do that. It's much simpler than what you're trying to do.
Sherpa 161 Reputation points

2024-03-26T20:32:01.06+00:00

AgaveJoe,

I agree with you that I should use a custom razor page, instead of ResetPassword page. By any chance do you know how to manually create a passwordhash to be saved in the passwordhash column of the AspNetUsers table?

Thanks

1 answer

Bruce (SqlWork.com) 56,026 Reputation points

2024-03-26T15:58:13.95+00:00

the common approach is to store the old password hash in the new schema. at login if the old hash is not null, compute the hash from the password and compare. if a match, clear the old ash, and update the password (compute) the new hash.

if you do not have code to compute the hash, then you a conversion flag, if set, call a web service on the old site, that validates the user/password. if valid update the password on the new system.

if you scaffold the razor login page, you can make the required changes.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment