ResetPasswordAsync always failing with invalid token

  • Question

  • User-217557848 posted

    Hello,

    I am pulling my hair out. I have stubble left.

    ResetPasswordAsync in my UserManager<User, Guid> is failing consistently for this reason.

    I have tried everything StackOverflow revealed, including, but not limited to:

    • Replaced the default data protection provider with a MachineKey based solution.
    • Double checked that I am HttpUtility.UrlEncode-ing to the URL, and HttpUtility.UrlDecode-ing the code from the request arguments.
    • Double checked that my SecurityStamp is in fact set to a non-null, non-zero Guid.

    I've double checked my Autofac lifetimes are all per request, for generated things like the data protection, Identity options, and so on.

    I could just bypass the token challenge for the time being, since the PasswordValidator is, after all, working. But this doesn't seem quite right to do, in the long range.

    Obviously, not everything, because it's still not working. Is it a bug in the framework itself?

    I am running against Identity.Core 2.2.1.

    Sunday, March 6, 2016 5:24 AM

All replies

  • User-217557848 posted

    I double checked, and FWIW, the same sequence generating and verifying account confirmation token works just fine. Something in the generating and/or verification of the reset password token is definitely broken, deeper than just the manager code, it seems. Best guess, where the manager code meets the provider(s), but I could be wrong; why does it work for confirmation and not for reset? Definitely a bug IMO.

    Sunday, March 6, 2016 6:37 PM
  • User614698185 posted

    Hi mwpowellhtx,

    UserManager.GeneratePasswordResetTokenAsync() very often returns a string that contains '+' characters. If you pass parameters by query string, this is the cause ('+' character is a space in query string in URL). Try to replace space characters in model.PasswordToken with '+' characters.

    For more information about Asp.Net Identity Invalid Token for password reset, please see:

    http://tech.trailmax.info/2015/05/asp-net-identity-invalid-token-for-password-reset-or-email-confirmation/

    Best Regards,

    Candice Zhou

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, March 7, 2016 7:25 AM
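
The '+'-to-space corruption described in the reply above, shown as an added example that is not part of the thread or of ASP.NET Identity itself. The token value and the names `ResetTokenRoundTrip`, `Bind` and `Report` are constructed, and `HttpUtility.ParseQueryString` is assumed to stand in for the decoding the framework applies when it binds the `code` query-string parameter.

```csharp
using System;
using System.Web; // HttpUtility: System.Web on .NET Framework, System.Web.HttpUtility on .NET Core and later

static class ResetTokenRoundTrip
{
    // Constructed sample token using the base64 alphabet, including '+', '/' and '='.
    const string Token = "AQAAANCMnd8B+FdERjHoAwE/Cl+sBAAAA==";

    // Assumption: stands in for the single URL-decode the framework performs
    // on query-string values before they reach the action or model.
    static string Bind(string query) => HttpUtility.ParseQueryString(query)["code"];

    static void Report(string label, string value) =>
        Console.WriteLine("{0,-15} match={1,-5} {2}", label, value == Token, value);

    static void Main()
    {
        // Case 1: token pasted into the link without encoding.
        // The decode at binding turns every '+' into a space.
        string unencoded = Bind("code=" + Token);
        Report("unencoded link", unencoded);

        // Case 2: encoded exactly once when the link is built,
        // decoded exactly once by binding. The token survives intact.
        string once = Bind("code=" + HttpUtility.UrlEncode(Token));
        Report("encoded once", once);

        // Case 3: the handler calls UrlDecode on the value that binding
        // already decoded. The restored '+' characters become spaces again.
        string twice = HttpUtility.UrlDecode(once);
        Report("decoded twice", twice);

        // Repair from the reply: map spaces back to '+'. This is lossless only
        // because the token alphabet never contains a real space.
        Report("repaired", twice.Replace(' ', '+'));
    }
}
```

Only the "encoded once" and "repaired" rows report a match; the other two are the strings that ResetPasswordAsync would receive and reject as an invalid token.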