BIT OF TECHNOLOGY
This is the second part of Building Simple Membership system using ASP.NET Identity 2.1, ASP.NET Web API
2.2 and AngularJS. The topics we’ll cover are:
Configure ASP.NET Identity with ASP.NET Web API (Accounts Management) – Part 1.
ASP.NET Identity 2.1 Accounts Confirmation, and Password/User Policy Configuration – (This Post)
Implement OAuth JSON Web Tokens Authentication in ASP.NET Web API and Identity 2.1 – Part 3
ASP.NET Identity 2.1 Roles Based Authorization with ASP.NET Web API – Part 4
ASP.NET Web API Claims Authorization with ASP.NET Identity 2.1 – Part 5
AngularJS Authentication and Authorization with ASP.NET Web API and Identity 2.1 – Part 6
The scenario we want to implement is that the user will register in the system, then a confirmation email will be
sent to the email provided upon registration; this email will include an activation link and a token (code)
http://bitoftech.net/2015/02/03/asp-net-identity-2-accounts-confirmation-password-user-policy-configuration/ 1/43
14/7/2017 ASP.NET Identity 2.1 Accounts Confirmation, and Password Policy Configuration - Part 2 - Bit of Technology
install-package Sendgrid
        }
    }
}
What is worth noting here is that the class “EmailService” implements the interface “IIdentityMessageService”.
This interface can be used to configure your service to send emails or SMS messages; all you need to do is
implement your email or SMS service in the method “SendAsync” and you are good to go.
In our case we want to send emails, so I’ve implemented the sending process using Send Grid in the method
“configSendGridasync”. All you need to do is replace the sender name and address with yours, and do not
forget to add 2 new keys named “emailService:Account” and “emailService:Password” as AppSettings to store
the Send Grid credentials.
After we have configured the “EmailService”, we need to hook it up with our Identity system. This is a very simple
step: open the file “ApplicationUserManager” and inside the method “Create” paste the code below:
As you see from the code above, the “appUserManager” instance contains a property named “EmailService”,
which you set to an instance of the class we’ve just created, “EmailService”.
Note: There is another property named “SmsService” if you would like to use it for sending SMS
messages instead of emails.
Notice how we are setting the expiration time for the code (token) sent by email to 6 hours, so if the
user tries to open the confirmation email more than 6 hours after receiving it, the code will be invalid.
The implementation is straightforward: what we’ve done here is create a unique code (token) which is
valid for the next 6 hours and tied to this user Id only; this happens when calling the
“GenerateEmailConfirmationTokenAsync” method. Then we want to build an activation link to send in the
email body; this link will contain the user Id and the code created.
Eventually this link will be sent to the registered user at the email he used in registration, and the user needs
to click on it to activate the account. The route “ConfirmEmailRoute” which maps to this activation link is not
implemented yet; we’ll implement it in the next step.
Lastly we need to send the email including the link we’ve built by calling the method “SendEmailAsync”,
which accepts the user Id, email subject, and email body.
http://localhost/api/account/ConfirmEmail?userid=xxxx&code=xxxx
So we need to build a route in our API which receives this request when the user clicks on the activation
link and issues an HTTP GET request. To do so, add the new method below to the class
“AccountsController”:
[HttpGet]
[Route("ConfirmEmail", Name = "ConfirmEmailRoute")]
public async Task<IHttpActionResult> ConfirmEmail(string userId = "", string code = "")
{
    if (string.IsNullOrWhiteSpace(userId) || string.IsNullOrWhiteSpace(code))
    {
        ModelState.AddModelError("", "User Id and Code are required");
        return BadRequest(ModelState);
    }

    IdentityResult result = await this.AppUserManager.ConfirmEmailAsync(userId, code);

    if (result.Succeeded)
    {
        return Ok();
    }
    else
    {
        return GetErrorResult(result);
    }
}
The implementation is simple: we only validate that the user Id and code are not empty, then we depend
on the method “ConfirmEmailAsync” to do the validation for the user Id and the code. If the user Id is not
tied to this code then it will fail; if the code is expired then it will fail too. If all is good this method will
update the database field “EmailConfirmed” in table “AspNetUsers” and set it to “True”, and you are done, you
have implemented email account activation!
Important Note: It is recommended to validate the password before confirming the email account. In some
cases the user might mistype the email during registration, so you do not want to end up sending the
confirmation email to someone else who receives this email and activates the account on your behalf. A
better way is to ask for the account password before activating it. If you want to do this you need to change
the “ConfirmEmail” method to POST and send the password along with the user Id and code in the request body;
you have the idea so you can implement it by yourself.
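One way to implement the password check suggested in the note above, as an added example that is not part of the tutorial's source code. The binding model “ConfirmEmailBindingModel” and the generic error text are assumptions; the action is meant to replace the GET version inside “AccountsController”, and the emailed link then has to open a page that collects the password and posts it here.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.AspNet.Identity;

// Hypothetical model (assumption, not in the tutorial); place it with the
// other models in "AccountBindingModels".
public class ConfirmEmailBindingModel
{
    [Required]
    public string UserId { get; set; }

    [Required]
    public string Code { get; set; }

    [Required]
    [DataType(DataType.Password)]
    public string Password { get; set; }
}

// The action below goes inside the tutorial's "AccountsController" and
// replaces the GET version, so the password travels in the request body
// and never in a URL.
[HttpPost]
[Route("ConfirmEmail", Name = "ConfirmEmailRoute")]
public async Task<IHttpActionResult> ConfirmEmail(ConfirmEmailBindingModel model)
{
    // An empty body binds to null while ModelState still reports valid
    if (model == null)
    {
        ModelState.AddModelError("", "User Id, Code and Password are required");
    }

    if (!ModelState.IsValid)
    {
        return BadRequest(ModelState);
    }

    var user = await this.AppUserManager.FindByIdAsync(model.UserId);

    // Same response for an unknown user Id and a wrong password, so the
    // endpoint cannot be used to test which user Ids exist.
    if (user == null || !await this.AppUserManager.CheckPasswordAsync(user, model.Password))
    {
        return BadRequest("Confirmation failed.");
    }

    // Only someone who knows the registration password gets this far;
    // ConfirmEmailAsync still rejects an expired code or one tied to another user Id.
    IdentityResult result = await this.AppUserManager.ConfirmEmailAsync(user.Id, model.Code);

    if (!result.Succeeded)
    {
        return GetErrorResult(result);
    }

    return Ok();
}
```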
For example if we want to enforce using only the following domains (“outlook.com”, “hotmail.com”,
“gmail.com”, “yahoo.com”) when the user self registers then we need to create a class and derive it from
“UserValidator<ApplicationUser>” class, to do so add new folder named “Validators” then add new class
named “MyCustomUserValidator” and paste the code below:
            IdentityResult result = await base.ValidateAsync(user);

            // Domain is the part after the last '@'. An address with no '@' leaves the whole
            // string here, which is not in the allowed list and is therefore rejected.
            var emailDomain = (user.Email ?? string.Empty).Split('@').Last();

            if (!_allowedEmailDomains.Contains(emailDomain.ToLower()))
            {
                var errors = result.Errors.ToList();

                errors.Add(String.Format("Email domain '{0}' is not allowed", emailDomain));

                result = new IdentityResult(errors);
            }

            return result;
        }
    }
What we have implemented above is that the default validation takes place first, then this custom validation in
the method “ValidateAsync” is applied; if there are validation errors they are added to the existing “Errors”
list and returned in the response.
In order to fire this custom validation, we need to open the class “ApplicationUserManager” again and hook this
custom class to the property “UserValidator” as in the code below:
Note: The tutorial code is not using the custom “MyCustomUserValidator” class, it exists in the source code
for your reference.
Now the same applies for adding a custom password policy: all you need to do is create a class named
“MyCustomPasswordValidator” and derive it from the class “PasswordValidator”, then override the method
“ValidateAsync” implementation as below. So add a new file named “MyCustomPasswordValidator” in the folder
“Validators” and use the code below:
In this implementation we added a basic rule which checks if the password contains a sequence of
characters and rejects this type of password by adding this validation result to the Errors list; it is exactly the
same as the custom users policy.
Now to attach this class as the default password validator, all you need to do is to open class
“ApplicationUserManager” and use the code below:
//Rest of code is removed for brevity
// Configure validation logic for passwords
appUserManager.PasswordValidator = new MyCustomPasswordValidator
{
    RequiredLength = 6,
    RequireNonLetterOrDigit = true,
    RequireDigit = false,
    RequireLowercase = true,
    RequireUppercase = true,
};
All other validation rules will take place (i.e checking minimum password length, checking for special
characters) then it will apply the implementation in our “MyCustomPasswordValidator”.
[Route("ChangePassword")]
public async Task<IHttpActionResult> ChangePassword(ChangePasswordBindingModel model)
{
    if (!ModelState.IsValid)
    {
        return BadRequest(ModelState);
    }

    // Pass the authenticated user Id, the old password and the new password
    IdentityResult result = await this.AppUserManager.ChangePasswordAsync(User.Identity.GetUserId(), model.OldPassword, model.NewPassword);

    if (!result.Succeeded)
    {
        return GetErrorResult(result);
    }

    return Ok();
}
Notice how we are calling the method “ChangePasswordAsync” and passing the authenticated User Id, old
password and new password. If you try to call this endpoint now, the extension method “GetUserId” will not
work because you are calling it as an anonymous user and the system doesn’t know your identity, so hold off on
testing until we implement the authentication part.
The method “ChangePasswordAsync” will take care of validating your current password, as well as validating
your new password against the password policy, and then updating your old password with the new one.
Do not forget to add the “ChangePasswordBindingModel” to the class “AccountBindingModels” as the code
below:
    public string OldPassword { get; set; }

    [Required]
    [StringLength(100, ErrorMessage = "The {0} must be at least {2} characters long.", MinimumLength = 6)]
    [DataType(DataType.Password)]
    [Display(Name = "New password")]
    public string NewPassword { get; set; }

    [Required]
    [DataType(DataType.Password)]
    [Display(Name = "Confirm new password")]
    [Compare("NewPassword", ErrorMessage = "The new password and confirmation password do not match.")]
    public string ConfirmPassword { get; set; }

}
To implement this we need to add a new method named “DeleteUser” to the “AccountsController” as in the code
below:
[Route("user/{id:guid}")]
public async Task<IHttpActionResult> DeleteUser(string id)
{

    //Only SuperAdmin or Admin can delete users (Later when implement roles)

    var appUser = await this.AppUserManager.FindByIdAsync(id);

    if (appUser != null)
    {
        IdentityResult result = await this.AppUserManager.DeleteAsync(appUser);

        if (!result.Succeeded)
        {
            return GetErrorResult(result);
        }

        return Ok();

    }

    return NotFound();

}
This method will check the existence of the user id and based on this it will delete the user. To test this
method we need to issue HTTP DELETE request to the end point “api/accounts/user/{id}”.
Comments
Liam says
February 3, 2015 at 2:45 am
Good article, but you should really change all the references to ‘He/him’ etc to something gender neutral.
Reply
Thanks Liam for your comment, It was a mistake, all is fixed now, thanks again
Reply
Your Post have been a life saving material for us in my region, with all your past post and this, you have change
our thinking toward DotNet Development. Thanks.
Please we need this series to be completed on time, so as to use it to complete our school project.
(We are student from Africa), We enjoy your series.
Thanks.
Reply
Glad to hear this, happy to know that I’m helping students in other contents to learn some cool technologies,
good luck
Reply
AndreasF says
February 10, 2015 at 1:16 pm
Reply
Reply
Kurai says
February 11, 2015 at 3:29 pm
Been here in the past months and I am learning new things in every post you have.. –I’m just another kid who
wants to be something great.. and I tell you.. when that happen.. I will put your name as one my “hero”… Thank you
so much…
Reply
Thanks for your sweet message, I’m really happy to know that my contribution is helping a lot of people out
there, love what you do and have passion for it and I’m sure you will be a shining star =)
Reply
I’ve been following you for some time now, and I appreciate your approach to start with an empty project and add
what you need with adequate explanation as you go. I find myself eager and watching for your next post as you
are regular reading for me. Great job Taiseer!
Reply
Thank you Tony for your comment, glad to know that posts are useful. Part 3 is ready and should be
published this Monday.
Reply
Hello Taisser, thanks for all your posts and very happy to see you MVP.
Alas, I hit a bit of a bump implementing your code. I create the user and while creating the link to send the
confirmation email, it raises an exception:
on the instruction
var callbackUrl = new Uri(Url.Link("ConfirmEmailRoute", new { userId = user.Id, code = code }));
Do you have any idea on how to fix this… I can always hardcode the uri, but I’d rather suffer the pains of hell…
Thanks in advance
Miguel Delgado
Reply
Reply
Diego says
February 19, 2015 at 3:33 am
Hi Taiseer,
What´s the point in creating an email confirmation api endpoint?
The user will see nothing else than a white screen in the browser.
The logical thing would be creating a web page to show a confirmation message, but I guess in this post you just
wanted to focus on webapi.
Apart from that, please tell me what you think about this
In my case, I´m implementing all this from a mobile application and I´m trying to make things easy to the user.
Imagine the situation: a user registers in the app and receives a message asking him/her to check the email. The
email will redirect the user to a web page (confirmation page), and then, that user has to go back to the app. 4 step
process (including registration form) is a bit overhead IMO.
So I was thinking about sending a short code (like the kind of sms confirmation codes) to the email so the user can
just write it in a textbox (inside the mobile app) instead of using urls. I´m not sure if there is any way to modify the
confirmation token asp.net generates to make for example, a 4 character number code. In that case you could see
the code in the push notification of your email box and even no need to open it
Any thoughts?
Reply
Hi Diego,
As you suggested you need to build a GUI on your system where in contains a link for the
“ConfirmEmailRoute” end point, once the user invokes this endpoint (click on that link) and you receive 200
OK status from the API, your GUI needs to display confirmation message and maybe redirect him to the
application as this SO question. Never tried it before
Regarding send SMS, as you suggested here you are going to send the SMS to the email so the user might
need to open the email to read the SMS code there and then close the email and go back to application to
enter it, so the same number of steps.
As well I’m not sure if you can generate friendly token (4 digits) and attach it to the user Id so the validation
for this token happens seamlessly as it happens in method “AppUserManager.ConfirmEmailAsync”, I need to
check this.
Reply
Diego says
February 19, 2015 at 9:46 pm
Hi Taiseer,
you get a huge token (kind of oAuth token), but I realized you can get a 6 digit “token” if you do this
instead:
Not sure about the impact in the application or any related security issues… but I can say the
confirmation works fine as well in this way.
[ActionName("emailconfirmation")]
public async Task<HttpResponseMessage> ConfirmEmailAccount(string userId, string token)
{
    IdentityResult result = await aspNetUserManager.ConfirmEmailAsync(userId, token);
    if (result.Succeeded)
    {
        string body = "bla bla bla"; // this will be a proper web page
        return response;
    }
    else
    {
        GetErrorResult(result.Errors);
        return Request.CreateErrorResponse(HttpStatusCode.BadRequest, ModelState);
    }
}
I´ve been reading about this in stack-overflow and many people agree that email confirmations on
mobile applications are a no-go for many users. Of course that depends on your project needs but
reasonable in many cases. So a nice way to go would be:
2. The user can start using the app without confirming
3. After a time period you remind the user to confirm the account (by email)
4. After another time period, if the account has not been confirmed, you just delete it (this can be done
in a background scheduled job)
That way, the users just trying to test your app will be able to do it quickly. And if they are interested
after all, clicking a link shouldn´t be a problem.
Reply
Diego says
February 19, 2015 at 9:56 pm
I forgot to mention about redirecting user to the app from the email box.
That´s a nice solution if the user opens the email in the mobile device where the app is.
This can be done (I´m using Xamarin) like this: http://developer.xamarin.com/recipes/cross-platform/app-links/app-links-ios/
and this: http://developer.xamarin.com/recipes/cross-platform/app-links/app-links-android/
Reply
I ran the source code from the updated one from github, after update the package manager, I want to the create a
new account from the create end-point
http://prntscr.com/6g70sh
1. http://prntscr.com/6g7180
2. http://prntscr.com/6g71s5 : Here, this is the credentials from my signup in sendgrid
Reply
This issue with the SendGrid service trying to send confirmation email, make sure you are using the same
NuGet package I have used in the project by checking packages.config file and double check that SendGrid
username and password are set correctly in web.config as you obtained them from SendGrid after creating a
SendGrid account.
Reply
Regan says
March 14, 2015 at 7:47 pm
Reply
What is not clear about it? It is an interface used to separate the implementation of your SMS service or Email
service from Web API logic, it has method named “SendAsync” in order to implement your sending logic in it
Reply
Simon says
March 25, 2015 at 11:02 pm
Hi Taiseer,
First off I would like to thank you for your post and all the information concerning JWT. I am currently doing an
internship in a company where I was asked to do a small authentication and authorization using Identity + JWT. I
ran into a small bug and I don’t know if its me that did not implement your explications properly but for some
reason I cannot seem to be able to do any calls to Identity, for example User.Identity.GetUserId(); is always null. It
feels like the data/information from my token does not get passed. Would you be able to give me any pointers or
would you have any idea? I have been looking at your AngularJSAuthentication solution and all your other post
and I can’t seem to be able to find out what it is.
Thank you,
Simon.
Reply
Taiseer Joudeh says
March 27, 2015 at 3:51 pm
Hi Simon, are you calling the method User.Identity.GetUserId(); inside a protected controller? A controller or
action method attributed with [Authorize]? If yes then the Identity should be set, can you try checking the
property User.Identity.Name too? Does it return the authenticated UserId?
Reply
felipefurlan says
August 12, 2015 at 6:59 pm
Hello Taisser, how are you doing? I’m having this issue too. The User.Identity.Name is OK, but the ID is
always null. When I inspect the User.Identity on Immediate Window I receive the following:
{System.Security.Claims.ClaimsIdentity}
[System.Security.Claims.ClaimsIdentity]: {System.Security.Claims.ClaimsIdentity}
AuthenticationType: “Bearer”
IsAuthenticated: true
Name: “bla@bla.com.br”
Reply
David says
July 21, 2016 at 8:57 pm
Hello Taiseer,
I am also having the problem with User.Identity except User.Identity.Name = “”. Also for me
IsAuthenticated = false. I can decode the JWT token and my username is contained therein. Not sure
why Identity is not picking it up.
Reply
Hi,
I had the same issue. My user was authorized, but the returned UserId was null. I guess, the name claim has
the wrong scheme. It had “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name” instead of
userManager.FindByNameAsync(User.Identity.Name)
Regards,
Torsten
Reply
I think I just found the origin of my problem why GetUserId() returns null. In the method
“GrantResourceOwnerCredentials” of my AuthorizationServerProvider the claims are added to the user
like this:
I guess if you add the claimtype “NameIdentifier” the GetUserId() method should return the user.
Note: in my answer above I wrote “namedidentity”. I guess this is wrong and should be “NameIdentifier”.
Regards,
Torsten
Reply
You are correct, the claim of type “NameIdentifier” should be used to return the UserId when
calling GetUserId()
Reply
Hi,
List<string> _allowedEmailDomains = new List<string> { "outlook.com", "hotmail.com", "gmail.com", "yahoo.com" };
My application will be split into two admin registration and user registration
I want the users to register with any email address (e.g gmail.com, yahoo.com) while the admin will only register
with the official company email (e.g admin@company.com)
How can i separate the logic for this or conditionally configure this, since the validation logic for the user admin
are called from one single point in the startup.cs
Is it advisable to create the API for admin separate from the user, or i can use the same API for both logic.
Thanks
Reply
Hi Taiseer,
//Code for email confirmation and reset password life time
TokenLifespan = TimeSpan.FromHours(6)
};
}
Reply
GRAPHC_coder says
May 15, 2015 at 9:09 am
Hi Taiseer,
Great post! It really helps me on my project.
Just a quick heads up for those who might experience same as mine.
I was setting up our own SMTP server and testing email confirmation through Postman, “Invalid Token” happened
for URL confirmation.
Solution:
http://tech.trailmax.info/2015/05/asp-net-identity-invalid-token-for-password-reset-or-email-confirmation/
Reply
Thanks for sharing this, what you are doing is better practice because the token might contain unsafe URL
chars which needs to be Url encoded before.
Reply
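The “Invalid Token” failure discussed in the comments above comes from characters in the generated code that do not survive a trip through a URL (a “+” arriving as a space, for example). The following is an added example, not code from the original post or its comments: the helper class “ConfirmationCodeUrl” is hypothetical, and it assumes the project references System.Web.

```csharp
using System;
using System.Text;
using System.Web;

// Hypothetical helper (added example, not part of the tutorial's source code).
public static class ConfirmationCodeUrl
{
    // Turns the raw code into a string made only of URL-safe characters, so
    // nothing in it is rewritten by the mail client, the browser or a
    // front-end framework on the way back to the API.
    public static string Encode(string code)
    {
        if (code == null)
        {
            throw new ArgumentNullException("code");
        }

        return HttpServerUtility.UrlTokenEncode(Encoding.UTF8.GetBytes(code));
    }

    // Reverses Encode. Returns null for anything that is not a well-formed
    // encoded value, so the caller can answer with a plain 400.
    public static string Decode(string urlCode)
    {
        if (string.IsNullOrWhiteSpace(urlCode))
        {
            return null;
        }

        try
        {
            byte[] raw = HttpServerUtility.UrlTokenDecode(urlCode);
            return raw == null ? null : Encoding.UTF8.GetString(raw);
        }
        catch (FormatException)
        {
            return null;
        }
    }
}

// Where the activation link is built (the Url.Link call quoted in the comments):
//
//   string code = await this.AppUserManager.GenerateEmailConfirmationTokenAsync(user.Id);
//   var callbackUrl = new Uri(Url.Link("ConfirmEmailRoute",
//       new { userId = user.Id, code = ConfirmationCodeUrl.Encode(code) }));
//
// In "ConfirmEmail", before the code is validated:
//
//   string rawCode = ConfirmationCodeUrl.Decode(code);
//   if (rawCode == null)
//   {
//       return BadRequest("Invalid confirmation code.");
//   }
//   IdentityResult result = await this.AppUserManager.ConfirmEmailAsync(userId, rawCode);
```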
Doug says
June 27, 2015 at 3:11 am
The callback URL is for a GET to the API, but how do you handle the case where the front end is solely Angular?
How can I get the ConfirmEmail API function to, upon execution from the email link click event, redirect back to
my front end Angular site after updating the EmailConfirmed flag?
Reply
engineerumairshahen says
February 21, 2016 at 7:24 pm
@Doug were you able to find the solution if yes then please share with me
Reply
Actias says
June 6, 2016 at 9:30 am
You can edit the call back URL at this section of code in the AccountsController
Reply
dush_a says
July 9, 2015 at 3:21 am
Hi Taiseer,
I tried to create a free SendGrid account. They didn’t provide me an account since I do not have a website. Can
you please show me how to use gmail or hotmail account instead SendGrid ? (even asp.net tutorials use sendGrid,
it looks like they may have stopped the service for learners, if you can provide a free email alternative it would be
beneficial to new learners)
“Thank you for providing further information. Although to provision your account we’ll need to know what type of
emails you’ll be sending using our service, the website provided during registration was not sufficient to help us
determine this. Without a valid, working website upon which we can determine this, your account will not be
provisioned. Please get back in touch with us when your website is nearing a state of completion.
Best,
IULIANA O.
Technical Support Engineer
SendGrid”
Reply
Mcshaz says
July 10, 2015 at 1:33 am
so far, my testing on the Identity 2.1 framework would indicate that the token contains datetime information on
when it was sent, rather than any data on when it is to expire. The ConfirmEmailAsync method then seems to
apply the TokenLifespan as part of validating the token. The relevance of this is that changing TokenLifespan (in
testing or production) will be effective retrospectively on tokens previously sent.
Reply
Nathan says
August 4, 2015 at 9:45 pm
Did you find that GenerateEmailConfirmationTokenAsync is creating a 500 character token? i.e.
http://localhost/api/account/ConfirmEmail?userid=xxxx&code=
Sending such a long URL is running up against spam lters in our case.
Reply
Hi Nathan,
To be honest I didn’t notice that huge number of generated characters, were you able to find solution for this
issue?
Reply
Reply
Reply
No problem Ali
Reply
Thank you for the good article! Although i followed your steps exactly, there seems to be an issue, at least for me:
When i send a create-user request, the programme creates a new user, but does not call the EmailService class so
no email is sent. Is this a known issue? Thanks in advance
Reply
Hi Michael, glad you liked it, I guess you are missing registering the service in AppUserManager as this LOC.
If it is already there, check that your SendGrid ApiId and Secret are correct.
Hope this will help.
Reply
Hi, thank you for your quick response! I checked the registering of the EmailService in
AppUserManager, that wasn’t the problem. The credentials for the SendGridAPI are fine as well. But by
inserting Debug.writeline commands i found out that the ApplicationUserManager class is not called. I
tried your downloaded your version from github and there it worked just perfectly and the output-
commands were shown in the console. Do you know anything else that could be the problem?
Reply
mazin says
September 18, 2015 at 8:51 am
Hi Taiseer, Great article, all your articles have helped me a lot, thanks so much.
I’m still a bit confused about the emailservice, I followed your AngularJsAuthentication tutorials and so i dont have
a ApplicationUserManager class or a “Create” method to plug in the the EmailService with Identity system, where
should I place the body of code?
Reply
Hi Mazin,
If you need to use the email service to send emails, then you have to use the ASP.NET Identity system and
create an instance of the UserManager, and assign the “EmailService” property to your email sending logic,
hope this somehow clarifies your concern.
Reply
johnatangarcia says
October 4, 2015 at 9:37 am
Yeah, I totally should buy you a beer. Thanks for the very detailed information!
Reply
Reply
Hello Taiseer,
I have a quick question. May be simple however I’ve googled away and haven’t exactly found the answer I am
looking for. SO I am building a web app that utilizes AngularJS for the Frontend. Specifically using the Ui,router
rather than ngRoute. So I configured a state(route) that has the parameters of UserId and Code in order to use the
parameters in my ConfirmEmailController.js . In the ConfirmEmailController.js I call to the Account controller
which will then confirm the email. Upon failure or success the html will display the response message. My Issue is
this… In the email that gets sent to the User, the link needs to be something like this Here
However, in the AccountController.cs under method Register() , I cannot get the callbackUrl to be correct. I mean
it does output the link as I would expect, but when clicked I get this error “The request filtering module is
configured to deny a request that contains a double escape sequence.” . So I ask you how can I build a link that will
pass the UserId and Code in an email that doesn’t compromise the built in security that’s blocking double spacing,
but handle the View and Controller in Angular. OR Am I putting much more work into it than I need to and there is
a simpler way to accomplish this? Thank you for taking the time to read and respond to my question! Sorry for the
long message but I wanted to be thorough.
Reply
Hi Steven,
I’m not sure if you need to URL encode the code generated then decode it once you receive it, this is the
only thing that I’m suspecting now. As well you might try sending the activation code as a query string not
part of the URI.
Reply
Hello! And thank you for your reply! I ended up sending it as query strings. Both userId and code. Just
have to have the user login and it’ll call to the api/Account . My only issue is that the ‘+’ in the userId’s
gets replaced by spaces. It’s Angular. It used to be encoded as %2B which is what I need, however many
people filed issues with it on github because they needed it to be treated as %20 ( a space ) for search
query strings. Since then it has been updated and now creates a problem since I need the literal plus
sign. I am going to see if there is a way to just replace its encoding back to %2B. If you’ve got any insight
or a work around that would be much appreciated! . Thank you again!
Reply
SO It was an easy fix. Just do a string.replace on the spaces and put +’s there. However my final
error is “Invalid Token” . The result.Succeeded from the ConfirmEmailAsync comes back false. I
placed breakpoints in the Register method and the ConfirmEmail method to verify the userId and
code generated at both spots. They are identical. I’m not exactly sure what is going on at this
point.
Reply
FIXED! Sorry for the various replies but it’s been an interesting journey haha. SO seems like
even if I do the string.replace in the frontend, when I do the $http call to the backend angular
re-encodes and decodes it. Easy solution. Just do the code = code.Replace(" ", "+"); right before
calling ConfirmEmailAsync();
THANK YOU for all your help!
Hi Steven,
It is an encoding issue as you suggested, I do not know why the ASP.NET team didn’t generate
the confirmation code using safe URL characters, they know that those codes will be
transmitted in URL.
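The failure discussed in the thread above, reproduced as an added example (not code from the post, the commenters or ASP.NET Identity): a Base64 confirmation code placed raw in a query string comes back with every '+' turned into a space, while percent-encoding or a Base64url transform survives the round trip. The token bytes, the URL and all function names are constructed for illustration.

```javascript
// Constructed sample bytes, chosen so the Base64 form contains '+', '/' and '='.
const tokenBytes = Uint8Array.from([0xfb, 0xef, 0xbe, 0xff, 0xe0, 0x3e, 0x10]);

function toBase64(bytes) {
  return Buffer.from(bytes).toString('base64');
}

// What a confirm endpoint reads after standard query-string parsing
// (form-urlencoded rules: '+' means space, %XX is percent-decoded).
function receivedCode(link) {
  return new URL(link).searchParams.get('code');
}

// Link built by plain string concatenation: the code is not encoded at all.
function naiveLink(base, userId, code) {
  return `${base}?userId=${userId}&code=${code}`;
}

// Link built with each value percent-encoded ('+' becomes %2B, '/' becomes %2F).
function encodedLink(base, userId, code) {
  return `${base}?userId=${encodeURIComponent(userId)}&code=${encodeURIComponent(code)}`;
}

// Base64url: swap the two unsafe characters and drop padding, so the value
// contains only letters, digits, '-' and '_' and needs no percent-encoding.
function toBase64Url(b64) {
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function fromBase64Url(value) {
  const b64 = value.replace(/-/g, '+').replace(/_/g, '/');
  return b64 + '='.repeat((4 - (b64.length % 4)) % 4);
}

// The workaround from the thread: put the '+' back. It works only because a
// Base64 string never contains a legitimate space.
function repairSpaces(code) {
  return code.replace(/ /g, '+');
}

function demo() {
  const base = 'https://app.example.test/confirm'; // constructed URL
  const code = toBase64(tokenBytes);
  const naive = receivedCode(naiveLink(base, 'u-1', code));
  return {
    code,
    naive,
    repaired: repairSpaces(naive),
    encoded: receivedCode(encodedLink(base, 'u-1', code)),
    urlSafeOnWire: toBase64Url(code),
    urlSafe: fromBase64Url(receivedCode(naiveLink(base, 'u-1', toBase64Url(code)))),
  };
}

console.log(demo());
```

The server must compare or validate the restored value, so whichever transform is applied when the link is built has to be reversed exactly once before the code reaches the confirmation call.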
Khalaf says
October 23, 2015 at 7:22 am
Hi Taiseer,
I keep getting this error when I run it locally , could you please advise?
FYI I added the below keys which are valid:
exceptionMessage: “Bad Request Check `Errors` for a list of errors returned by the API.”
exceptionType: “Exceptions.InvalidApiRequestException”
stackTrace: ” at SendGrid.ErrorChecker.CheckForErrors(HttpResponseMessage response, Stream stream) at
SendGrid.ErrorChecker.d__0.MoveNext() — End of stack trace from previous location where exception was
thrown — at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at
SendGrid.Web.d__0.MoveNext() — End of stack trace from previous location where exception was thrown — at
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at
System.Runtime.CompilerServices.TaskAwaiter.GetResult() at
AspNetIdentity.Services.EmailService.d__1.MoveNext() in c:\users\armaghanbabak\documents\visual studio
Reply
Hi Khalaf,
Make sure you are using the latest version of SendGrid assembly, I’m not sure why it is generating this error.
Please share it on Stack Overflow.
Reply
Biswa says
October 27, 2015 at 3:41 pm
Solved a lot of issues. This article is the masterpiece of all my research on ASP .NET Identity and OWIN Token.
Reply
Reply
hassan says
November 5, 2015 at 10:49 pm
Hi Taiseer,
I have followed your part 1 tutorial, so far it has worked awesome, but in this part 2, you said place the code in
ApplicationUserManager class, which you have not specified when it was created. I am looking your project in the
GitHub and seeing you have Infrastructure folder and there you have it already, so I am trying to copy the code
from there and trying to understand each bit of code. Please advise if I missed something.
Thanks,
Hassan
Reply
Taiseer Joudeh says
November 6, 2015 at 3:37 am
Hi Hassan,
I’m not sure if you missed something or I forgot a simple step but follow up with all the posts and
everything is described clearly, hope the series will be useful for you.
Reply
hassan says
November 6, 2015 at 6:06 pm
Hi Taiseer,
Sorry It was my mistake, I went to this Part 2 of ‘ASP.NET Identity 2.1 Accounts Confirmation, and Password
Policy Configuration – Part 2’, thought that this is a Part 2 of ‘Token Based Authentication using ASP.NET
Web API 2, Owin, and Identity’. But I have finally found the Part 2 here
http://bitoftech.net/2014/06/09/angularjs-token-authentication-using-asp-net-web-api-2-owin-asp-net-identity/
Got confused with so many parts of authentication. This is a fabulous article you have written, I am
following and understanding the authentication much better now. Thanks a lot man.
Reply
Reply
Neil says
January 6, 2016 at 9:59 pm
Reply
Saad Ullah Khan says
November 23, 2015 at 4:03 am
For anyone who might run in to this kind of issue that if you are using different attributes than just [Route] or
[HttpGet]… On confirmEmail action you must put the attribute [HttpGet] as well.. otherwise your link to confirm
email won’t work ..
Not sure why, maybe Taiseer could add something awesome here on this just like his articles
Hey Taiseer, Very useful articles, specially in a world where there aren’t much resources on the subject of identity
… Hats off my dear !!!
Reply
Hi Saad, thanks for your message, it is working at my end. But I need to check this and update the post if
something is missing. Thanks again.
Reply
Aditya M S K says
December 21, 2015 at 3:54 pm
Hi Taiseer,
Thanks for the way you have narrated the story. I stand at a little confused point and need your help in getting out
of this. it is a bit lengthy one, request you to go through it patiently. Thanks for your time.
I work on an application where I have a separate MVC layer and Web API Layer, both have the same authentication
mechanism, I have chosen the individual accounts authentication option while adding the projects. The web api
service layer will be directly accessed by some other mobile clients also.
But when the user logs in through MVC he should be able to access Web Api seamlessly, but I don’t want to really
pass the username and password from MVC to the Web Api layer, I am told it is a bad practice. but I need to
authenticate and authorize my user, so the only option I have thought of is to have a default account at Web API
level to issue tokens, and this will be called from MVC post the authentication and a token will be returned which
is written to a cookie in the client. Now the Ajax calls from the UI can use this bearer token and get the job done.
The only glitch I have here is that, because I am using a default account I need user details again for authorization
at service level, though I am doing authorization at my UI level. The user can spoof the system. I was lost here and
came up with a solution like, when the user logs in to MVC will send across user details also along with the call to
get the WebAPI token and issue another token to the user so that the user uses both of the tokens to make a call
to web api from MVC.
I am not sure if this works or if it is even the best way. I just wanted to check with you, how I should go from here.
Any help on this will be really great.
Regards,
Aditya
Reply
Your proposed solution is good, you need to obtain an access token while you are authenticating the user for
the MVC application, so you only send the username/password only once, once you obtain the access token
you can store in a cookie for further use.
Reply
Rashmi says
December 28, 2015 at 8:18 pm
Hi Taiseer,
First of all, this article is AWESOME. I am able to get a clear view of OAuth Identity Services because of your
articles. I created the confirm email functionality for new User. The confirm email link validity is set to 24 hours as
shown in this article, but somehow the link expires after 50 mins. I am unable to figure out where the issue is.
Could you please suggest something.
Regards,
Rashmi
Reply
Rashmi says
January 7, 2016 at 12:03 am
I found the solution to this issue. I am posting it if somebody faced the same issue. In my case the services
and web API were on different servers. Different machine keys caused this issue. So I generated the machine
key for my Web application and posted the same machine key in web.config file of Identity service. After that
it worked. For more information on generating machine key, following link is helpful.
http://gunaatita.com/Blog/How-to-Generate-Machine-Key-using-IIS/1058
Reply
onefootswill says
January 7, 2016 at 4:41 am
The confusion around ApplicationUserManager is because it was not created in Part 1. According to the Index at
the top of this post, this is Part 2. And up until now, there has been no mention of an ApplicationUserManager.
But, seeing that it is in the GIT repository, I’m not too worried. But it does kind of negatively impact the didactic
flow of the articles.
Reply
onefootswill says
January 7, 2016 at 5:30 am
Whoops. Looks like I’m getting this series mixed up with your 2014 series of articles. Sorry. Disregard my last
comment. And thank you for the great articles!
Reply
You are welcome, no problem and let me know if you need further help.
Reply
RR says
January 8, 2016 at 3:08 am
Easily, the best posts on asp.net Identity on the ‘Net. Puts Microsoft documentation to shame.
Congratulations !
Reply
Reply
alexstrakh says
January 11, 2016 at 9:59 am
Thank you for the great post. In my case I need to validate both email and phone number for one given account.
I can generate email token with GenerateEmailConfirmationTokenAsync and then ConfirmEmailAsync.
I didn’t find related methods for SMS.
Reply
Taiseer….awesome series. Everything working perfectly. Your tutorials are extremely clear and accurate. Very
rare. I do have one issue….I am using SendGrid for my Email Confirmation. When I change EmailConfirmation to
POST as you recommend for doing Password comparison, the link that arrives in the confirmation email is no
longer functional since a link can’t generate HTTP POST without intervening JScript. I just get a ‘The requested
resource does not support http method ‘GET’’ error. Can you give a little detail on how to implement the
password check in the confirmation (including maybe some suggestions for encrypting it)?
Reply
Hi Dennis,
I think you are facing an issue with sending the validation token generated by asp.net identity, it contains unsafe
url chars, so you should encode it before sending it, then decode it once you receive it.
Reply
Thanks for the reply. Unfortunately that has the same result.
http://localhost/rcatshop/api/accounts/ConfirmEmail?userId=1007&code=XXX
Here is my CreateUser:
[Route("create")]
public async Task<IHttpActionResult> CreateUser(CreateUserBindingModel createUserModel)
{
    if (!ModelState.IsValid)
    {
        return BadRequest(ModelState);
    }
    if (!addUserResult.Succeeded)
    {
        return GetErrorResult(addUserResult);
    }
    await this.AppUserManager.SendEmailAsync(user.Id, "Confirm your account", "Please confirm your account by clicking here");
[HttpPost]
[Route("ConfirmEmail", Name = "ConfirmEmailRoute")]
public async Task<IHttpActionResult> ConfirmEmail(int userId, string code = "", string password = "")
{
    string cd = UrlEncodeDecode.Base64ForUrlDecode(code);
    string pw = UrlEncodeDecode.Base64ForUrlDecode(password);
    if (userId == null || string.IsNullOrWhiteSpace(cd) || string.IsNullOrWhiteSpace(pw))
    {
        ModelState.AddModelError("", "User Id, Code, and Password are required");
        return BadRequest(ModelState);
    }
    if (temp != null)
    {
        PasswordOk = await this.AppUserManager.CheckPasswordAsync(temp, pw);
    }
    if (PasswordOk)
    {
        IdentityResult result = await this.AppUserManager.ConfirmEmailAsync(userId, cd);
        if (result.Succeeded)
        {
            return Ok();
        }
        else
        {
            return GetErrorResult(result);
        }
    }
    else
    {
        return StatusCode(System.Net.HttpStatusCode.Unauthorized);
    }
}
And here is the result when I click the link from my email:
[HttpGet]
[Route("ConfirmEmail", Name = "ConfirmEmailRoute")]
public async Task<IHttpActionResult> ConfirmEmail(int userId, string code = "", string password = "")
All works. But as you stated in your tutorial, shouldn’t pass a password in a get param.
Thanks!
Reply
@taiseer joudeh It is great article but I have one problem after email confirmation I want to redirect user to login
page how that could be done please suggest?
Reply
engineerumairshah says
February 21, 2016 at 6:57 pm
@taiseer joudeh its very nice article could you please help me if I would like to change callbackurl from web api
route to angular how could be done ?
Reply
Hi,
This is very deep implementation detail for your case, I really can not look at it right now but you could add
any link you want in your response and the user will receive it in the email and click on it and get redirected
to this URL.
Reply
stt106 says
March 20, 2016 at 7:56 pm
Hi Taiseer,
Like others I have found your series on web api identity and token authorization very useful.
I have a question about using email/text to validate the user identity. I am writing an API for a mobile app; on
registration user will need either to enter email or mobile number so that their identity can be verified. Since
sending email/text message to user is not free, I want to protect from being attacked by someone who tries to
create many fake registrations. For example, if someone somehow knows my user registration url and since user
post request has to allow anonymous (to allow real user to register through the mobile app); he/she can post
many fake registrations each of which will trigger sending an email or a text message; which can be costly.
Do you have any advice on preventing such an attack? My idea is to add a custom header in my new user post
request so that I can validate this header value in each post request and if the header value is not matching a
secret then I will reject the post request. And since this is for a mobile app, it’s safe to include the secret in the
header on the client side for real user registration. Does this make sense?
Thanks.
Reply
Maybe you need to implement some sort of throttling (rate limiting) for this endpoint, check out this repo, I
think it will be better than building things from scratch.
Reply
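One way to apply the throttling suggested above to a registration endpoint that triggers a paid email or SMS, as an added example (not the repository linked in the reply and not code from the post): a sliding-window limiter checked once per client address and once per destination, so neither one source nor one targeted mailbox can trigger unlimited messages. The class name, limits, clock values and addresses are assumptions constructed for illustration.

```javascript
const HOUR = 60 * 60 * 1000;

class SlidingWindowLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> timestamps (ms) of accepted requests
  }

  // Returns true and records the hit when `key` is under its limit at `now`.
  // A production limiter would also evict keys that have gone idle.
  tryAcquire(key, now) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff);
    const allowed = recent.length < this.limit;
    if (allowed) recent.push(now);
    this.hits.set(key, recent);
    return allowed;
  }
}

// Gate placed in front of the "create user and send confirmation" action.
function makeRegistrationGate({ perClient, perDestination, windowMs }) {
  const byClient = new SlidingWindowLimiter(perClient, windowMs);
  const byDestination = new SlidingWindowLimiter(perDestination, windowMs);

  return function gate(clientIp, destination, now) {
    // Normalise so "A@Example.test " and "a@example.test" share one budget.
    const dest = destination.trim().toLowerCase();
    if (!byClient.tryAcquire(`ip:${clientIp}`, now)) {
      return { status: 429, reason: 'client' };
    }
    if (!byDestination.tryAcquire(`to:${dest}`, now)) {
      return { status: 429, reason: 'destination' };
    }
    return { status: 202, reason: 'send' };
  };
}

// Constructed request sequence: [client address, destination, time in ms].
function replay() {
  const gate = makeRegistrationGate({ perClient: 3, perDestination: 1, windowMs: HOUR });
  const requests = [
    ['203.0.113.5', 'a@example.test', 0],
    ['203.0.113.5', 'b@example.test', 1000],
    ['203.0.113.5', 'c@example.test', 2000],
    ['203.0.113.5', 'd@example.test', 3000], // fourth from the same client
    ['198.51.100.7', ' A@Example.test', 4000], // same mailbox, new client
    ['203.0.113.5', 'd@example.test', HOUR + 1500], // two earliest hits have aged out
  ];
  return requests.map(([ip, to, now]) => gate(ip, to, now).reason);
}

console.log(replay());
```

These limits are enforced entirely on the server, so they do not depend on any value shipped inside the mobile app.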
Hi Taiseer,
i really love your articles! They help me soooooo much, but i still got a problem
The Destination of IdentityMessage in my EmailService is always null. So i tried to get the email of the newly
created user, and “UserManager.GetEmail” always returns null too, but the user is created as i can see in the
database and his id is correct too. Do you have any idea what this can be, or do you had any issue like this before?
Reply
Reply
Hello,
I am very much enjoying this tutorial. It is helping me with the understanding i have needed, but then i run into
this error which i still can’t solve. I am still on the first post “account management” and i get this error:
{"message":"The request is invalid.","modelState":{"":["Name cannot be null or empty."]}}
I do not know where to find the error to fix it.
Please help me
Reply
using Microsoft.AspNet.Identity;
using System.Net;
using System.Net.Mail;
using System.Threading.Tasks;
namespace Myapp.Services
{
    public class EmailService : IIdentityMessageService
    {
        public async Task SendAsync(IdentityMessage message)
        {
            await configSendasync(message);
        }
        // Use NuGet to install SendGrid (Basic C# client lib)
        private async Task configSendasync(IdentityMessage message)
        {
            using (MailMessage email = new MailMessage())
            {
                string emailFrom = "xxxx@gmail.com";
                string password = "xxxxx";
Reply
Ninh says
July 14, 2016 at 6:04 am
Hi,
At that time I do this tutorial, I used Web API v2 and Net Framework 4.5. I need install SendGrid-Net40 instead of
SendGrid.
SendGrid does not have SendGridMessage Class.
Reply
clark says
July 18, 2016 at 12:56 pm
Hi Ninh,
Reply
hartmut says
November 14, 2016 at 3:36 pm
Reply
Vladimir says
July 22, 2016 at 11:21 pm
i get an error on
applicationUserManager.cs
Saying: The type or namespace name ‘AspNetIdentity’ could not be found (are you missing a using directive or an
assembly reference?)
Reply
Hello Vlad,
Make sure you are updating the packages using NuGet package manager, if this didn’t work please search the
issue on GitHub as I’m sure you will find a detailed solution.
Reply
Hi Vladimir,
Hope you already found the solution. If not, the problem is just that here Taiseer specifies the full namespace
of the EmailService you created before. Just remove the “AspNetIdentity.WebApi.Services.” and it should
work perfectly
Reply
Hello friend.
Thanks
Reply
Hello Fabio,
Can you show me how did you register your AppUserManager there should be something missing.
Reply
LK says
March 9, 2017 at 1:32 am
2 years later and this walk-through is still extremely helpful. Bravo and thank you!
1) When you mention changing the “ConfirmEmail” route to POST, could you elaborate on how this would be
done?
The only way I can fathom would be to send a link that leads to a webpage (something like
http://www.mywebsite.com/validate?userid=xxxx&code=xxxx), where the user would then be prompted to enter
the password that they just created for the account. This would effectively stop an unintended user from
validating an account by accident, that they didn’t create.
2) Seeing as these posts ARE 2 years old now, are there any major differences in implementation that you would
recommend given the current state of the .NET Identity Framework?
3) Would you still say that the .NET Identity Framework is one of the best ways to securely manage WebAPI access
by today’s standards? I want to make sure I’m not implementing / familiarizing myself with something that has
quickly fallen behind standard-wise.
Reply
Hello LK,
Thanks for your kind comment
Please find the answers below:
1. If you need to have ultimate security workflow, asking for the password is a better approach, so you need
to include the password when you validate the code and userid/password.
2. If you are using ASP.NET 4.6 (Not ASP.NET Core) this post is very relevant, I believe I was using the latest
version of ASP.NET Identity (2.1) which is used with ASP.NET 4.6
3. Well the Identity framework is used to store your users, roles, claims, etc.. the OWIN middlewares for
Authorization are used to protect your WebAPI, I recommend always to take a look at the ThinkTecture
Identity Server if you want to learn something which is built on OAuth and OpenId connect standards and
provides you SSO, support for multiple clients, etc..
Reply
Hi,
First of all awesome work helped me a lot!!
Second there were some bugs since sendgrid is updated but i figure out error on this line
Reply
Dima says
June 6, 2017 at 10:04 pm
Reply
Reply