30

I'm writting MVC 5 and using Identity 2.0.

Now I m trying to reset password. But i always getting "invalid token" error for reset password token. 

 public class AccountController : Controller { public UserManager<ApplicationUser> UserManager { get; private set; } public AccountController() : this(new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(new ApplicationDbContext()))) { }

and i set DataProtectorTokenProvider,

 public AccountController(UserManager<ApplicationUser> userManager) { //usermanager config userManager.PasswordValidator = new PasswordValidator { RequiredLength = 5 }; userManager.EmailService = new IddaaWebSite.Controllers.MemberShip.MemberShipComponents.EmailService(); var provider = new Microsoft.Owin.Security.DataProtection.DpapiDataProtectionProvider(); userManager.UserTokenProvider = new Microsoft.AspNet.Identity.Owin.DataProtectorTokenProvider<ApplicationUser>(provider.Create("UserToken")) as IUserTokenProvider<ApplicationUser, string>; UserManager = userManager; }

i generate password reset before sending mail

 [HttpPost] [ValidateAntiForgeryToken] public async Task<ActionResult> ManagePassword(ManageUserViewModel model) { if (Request.Form["email"] != null) { var email = Request.Form["email"].ToString(); var user = UserManager.FindByEmail(email); var token = await UserManager.GeneratePasswordResetTokenAsync(user.Id); //mail send } }

i click link in mail and i'm getting passwordreset token and using 

var result = await UserManager.ResetPasswordAsync(model.UserId, model.PasswordToken, model.NewPassword);

the result always false and it says "Invalid Token". Where should i fix ?

Improve this question
6
  • Where are you storing your generated tokens at? Commented Dec 23, 2014 at 10:09
  • 2
    @vgSefa In Identity the tokens are signed, means there's no need to store them somewhere. Erkan: Is a token generated? I don't think that the cast is necessary when setting the UserTokenProvider. Maybe something goes wrong there. Commented Dec 23, 2014 at 10:15
  • @Horizon_Net yes it genereted and try to remove castin. it still doesnt work Commented Dec 23, 2014 at 11:27
  • Just another idea: Is the email address of the appropriate user already confirmed? As mentioned here: The method fails silently if the user email has not been confirmed. If an error was posted for an invalid email address, malicious users could use that information to find valid userId (email aliases) to attack. Commented Dec 23, 2014 at 11:58
  • yes good point, thank you. i added email confirmed condition. Commented Dec 23, 2014 at 12:01

4 Answers 4

Reset to default
39

UserManager.GeneratePasswordResetTokenAsync() very often returns string that contains '+' characters. If you pass parameters by query string, this is the cause ('+' character is a space in query string in URL).

Try to replace space characters in model.PasswordToken with '+' characters.

Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

Plus, append "==" add the end of the token in my case.
Or use WebUtility.UrlEncode(code) when sending the mail and WebUtility.UrDecode(Model.code) when handling the form
Be also aware of this answer: stackoverflow.com/a/13095475/453142 it was my case!!
i also the same issue i can't getting '==' in the last end from code so how can handle this i am code send via query string in the mail and i m also try this WebUtility.UrlEncode(code) in the mail send and getting time WebUtility.UrDecode(Model.code) using this but still getting issue and end of getting invalid token.
I also had problems with encoding and decoding. It helped me to first encode the token as Base64 and then decode it again when reading it in. For encoding / decoding the string see stackoverflow.com/questions/11743160/…
21 
[HttpPost] [ValidateAntiForgeryToken] publicasync Task<ActionResult> ManagePassword(ManageUserViewModel model) { if (Request.Form["email"] != null) { var email = Request.Form["email"].ToString(); var user = UserManager.FindByEmail(email); var token = await UserManager.GeneratePasswordResetTokenAsync(user.Id); //before send mail token = HttpUtility.UrlEncode(token); //mail send } }

And on password reset action decode token HttpUtility.UrlDecode(token);

Improve this answer

2 Comments

Don't forget to decode the token on reset like this: var result = await UserManager.ResetPasswordAsync(user.Id, HttpUtility.UrlDecode(code), user.Password);
This encoding/decoding was the part that was missing in my project and because of that my tokens sent via email wrer not working. Thanks!
13

I have found that the 'Invalid Token' error also occurs when the SecurityStamp column is NULL for the user in the AspNetUsers table in the database. The SecurityStamp won't be NULL with the out-of-the-box MVC 5 Identity 2.0 code, however a bug had been introduced in our code when doing some customization of the AccountController that cleared out the value in the SecurityStamp field.

Improve this answer

1 Comment

Updating the security stamp can fail when unique e-mail address enforcement is enabled and a user is manually inserted that violates that setting.
0

Many answers here URLEncode the token before sending to get around the fact that the token (being a base 64 encoded string) often contains the '+' character. Solutions must also take into account that the token ends with '=='.

I was struggling with this issue & it turns out many users within a large organisation were using Scanmail Trustwave Link Validator(r) which was not symmetrically encoding and decoding URLEncoded stings in the email link (at the time of writing).

The easiest way was to use Mateusz Cisek's answer and send a non URLEncoded token and simply replace the space characters back to +. In my case this was done in an angular SPA so the Javascript becomes $routeParams.token.replace(/ /g,'+').

The caveat here will be if using AJAX to send the token and rolling your own query string parsing algorithm - many examples split each parameter on '=', which will of course not include the '==' at the end of the token. Easy to work around by using one of the regex solutions or looking for the 1st '=' only.

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.