Asp.NET Identity 2 giving “Invalid Token” error

by

I encountered this problem and resolved it. There are several possible reasons.

1. URL-Encoding issues (if problem occurring “randomly”)

If this happens randomly, you might be running into url-encoding problems.
For unknown reasons, the token is not designed for url-safe, which means it might contain invalid characters when being passed through a url (for example, if sent via an e-mail).

In this case, HttpUtility.UrlEncode(token) and HttpUtility.UrlDecode(token) should be used.

As oão Pereira said in his comments, UrlDecode is not (or sometimes not?) required. Try both please. Thanks.

2. Non-matching methods (email vs password tokens)

For example: 

    var code = await userManager.GenerateEmailConfirmationTokenAsync(user.Id);

and

    var result = await userManager.ResetPasswordAsync(user.Id, code, newPassword);

The token generated by the email-token-provide cannot be confirmed by the reset-password-token-provider.

But we will see the root cause of why this happens.

3. Different instances of token providers

Even if you are using: 

var token = await _userManager.GeneratePasswordResetTokenAsync(user.Id);

along with

var result = await _userManager.ResetPasswordAsync(user.Id, HttpUtility.UrlDecode(token), newPassword);

the error still could happen.

My old code shows why:

public class AccountController : Controller
{
    private readonly UserManager _userManager = UserManager.CreateUserManager(); 

    [AllowAnonymous]
    [HttpPost]
    public async Task<ActionResult> ForgotPassword(FormCollection collection)
    {
        var token = await _userManager.GeneratePasswordResetTokenAsync(user.Id);
        var callbackUrl = Url.Action("ResetPassword", "Account", new { area = "", UserId = user.Id, token = HttpUtility.UrlEncode(token) }, Request.Url.Scheme);

        Mail.Send(...);
    }

and:

public class UserManager : UserManager<IdentityUser>
{
    private static readonly UserStore<IdentityUser> UserStore = new UserStore<IdentityUser>();
    private static readonly UserManager Instance = new UserManager();

    private UserManager()
        : base(UserStore)
    {
    }

    public static UserManager CreateUserManager()
    {
        var dataProtectionProvider = new DpapiDataProtectionProvider();
        Instance.UserTokenProvider = new DataProtectorTokenProvider<IdentityUser>(dataProtectionProvider.Create());

        return Instance;
    }

Pay attention that in this code, every time when a UserManager is created (or new-ed), a new dataProtectionProvider is generated as well. So when a user receives the email and clicks the link:

public class AccountController : Controller
{
    private readonly UserManager _userManager = UserManager.CreateUserManager();
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> ResetPassword(string userId, string token, FormCollection collection)
    {
        var result = await _userManager.ResetPasswordAsync(user.Id, HttpUtility.UrlDecode(token), newPassword);
        if (result != IdentityResult.Success)
            return Content(result.Errors.Aggregate("", (current, error) => current + error + "\r\n"));
        return RedirectToAction("Login");
    }

The AccountController is no longer the old one, and neither are the _userManager and its token provider. So the new token provider will fail because it has no that token in it’s memory.

Thus we need to use a single instance for the token provider. Here is my new code and it works fine:

public class UserManager : UserManager<IdentityUser>
{
    private static readonly UserStore<IdentityUser> UserStore = new UserStore<IdentityUser>();
    private static readonly UserManager Instance = new UserManager();

    private UserManager()
        : base(UserStore)
    {
    }

    public static UserManager CreateUserManager()
    {
        //...
        Instance.UserTokenProvider = TokenProvider.Provider;

        return Instance;
    }

and:

public static class TokenProvider
{
    [UsedImplicitly] private static DataProtectorTokenProvider<IdentityUser> _tokenProvider;

    public static DataProtectorTokenProvider<IdentityUser> Provider
    {
        get
        {

            if (_tokenProvider != null)
                return _tokenProvider;
            var dataProtectionProvider = new DpapiDataProtectionProvider();
            _tokenProvider = new DataProtectorTokenProvider<IdentityUser>(dataProtectionProvider.Create());
            return _tokenProvider;
        }
    }
}

It could not be called an elegant solution, but it hit the root and solved my problem.

More Related Contents:

  1. How do I forcefully propagate role changes to users with ASP.NET Identity 2.0.1?
  2. How do I export to Excel?
  3. How to get current user, and how to use User class in MVC5?
  4. Why new fb api 2.4 returns null email on MVC 5 with Identity and oauth 2?
  5. How to use Json.NET for JSON modelbinding in an MVC5 project?
  6. Do I need a Global.asax.cs file at all if I’m using an OWIN Startup.cs class and move all configuration there?
  7. ASP.Net MVC route to catch all *.aspx requests
  8. User in Entity type MVC5 EF6
  9. ASP.NET Identity change password
  10. How to add Web API to an existing ASP.NET MVC (5) Web Application project?
  11. Get UserID of logged-in user in Asp.Net MVC 5
  12. How to return a PDF from a Web API application
  13. How require authorization within whole ASP .NET MVC application
  14. Value cannot be null. Parameter name: items (in Dropdown List) ASP.NET MVC5
  15. No IUserTokenProvider is registered
  16. Login page on different domain
  17. How to write a simple Html.DropDownListFor()?
  18. converting a base 64 string to an image and saving it
  19. When should I use Async Controllers in ASP.NET MVC?
  20. How to fix “The ConnectionString property has not been initialized”
  21. ASP.NET MVC – How to show unauthorized error on login page?
  22. Calling a method in parent page from user control
  23. GridView bound with Properties of nested class
  24. Date vs DateTime
  25. ASP.NET C# Static Variables are global?
  26. The model item passed into the dictionary is of type ‘mvc.Models.ModelA’ but this dictionary requires a model item of type ‘mvc.Models.ModelB‘
  27. How to convert DataTable to class Object?
  28. call async method without await #2
  29. Find a control in a webform
  30. How to get the first five character of a String

Leave a Comment