I am following the tutorial for .NET Core account and password recovery and I am not sure how things work. The tutorial says to add the email service in startup.cs, and then everything just started to work. I have no idea where the forgot password page is located; it's not with the other pages. I checked hidden files and the actual directory itself (see image), yet I am being redirected there from the reset password link. I have no idea how the email service is being called, yet I can set a breakpoint and see that it is being hit with the correct data. I can see the SQL query used to get the user information. Is this functionality managed by Core Identity?
I have no idea where the forgot password page is located; it's not with the other pages
You need to scaffold Identity in your ASP.NET Core project.
That means you need to add the pages you need through Scaffold Identity: ForgotPassword, ForgotPasswordConfirmation, ResetPassword, ResetPasswordConfirmation.
Scaffold Identity in ASP.NET Core projects
I have no idea how the email service is being called yet I can set a break point and see that it is being hit with the correct data.
Is this functionality managed by core identity?
IEmailSender is in the package ASP.NET Core Identity.UI, with the default implementation injected in DI that doesn't do anything.
I will explain in detail below how to send an email to reset the password. You can read the process of resetting the password from first to last.
In other words, you need to implement IEmailSender.
The link you gave explains in detail how to implement IEmailSender.
In the example, SendGrid email provider is used. You can also choose other email providers.
You need to register a SendGrid account first, then create an API Key, and store your SendGrid information in appsettings.json.
You can create an API Key as follows.
appsettings.json:
SendGridUser:
It’s the account you registered with SendGrid. For example, I registered with the email xxx.test.com, and SendGridUser is xxx.test.com.
SendGridKey:
This is the API Key mentioned above.
{
    ... ...
    "AllowedHosts": "*",
    "SendGridUser": "xxxx",
    "SendGridKey": "xxxxx"
}
The process of resetting the password can be briefly summarized as follows:
Request the ForgotPassword page after clicking the link to reset the password
Enter your email address to reset the password
If the email address whose password you need to reset exists and has been confirmed, then the OnPostAsync method in ForgotPassword will send an email to your email address.
If you set a breakpoint in the Execute method in the implementation class EmailSender of IEmailSender, you can see the result of the email sent.
You can open your mailbox to see the link to reset the password you received, then enter the reset password and submit the form.
After the form is successfully submitted, it will request the OnPostAsync method of ResetPassword, and the processing will be redirected to the ResetPasswordConfirmation page.
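As an added example (my code, not the answer's and not the Microsoft docs page it links to), here is an IEmailSender implementation that reads the two appsettings.json keys shown above through the options pattern, together with the two Startup.cs registrations that make the scaffolded ForgotPassword page call it. It assumes the SendGrid NuGet package is installed; the sender address noreply@example.com is a placeholder, and AuthMessageSenderOptions is my own name for the options class.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity.UI.Services;   // IEmailSender
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;
using SendGrid;                                   // SendGrid NuGet package (assumed installed)
using SendGrid.Helpers.Mail;

// Bound from the top-level "SendGridUser" / "SendGridKey" keys in appsettings.json.
public class AuthMessageSenderOptions
{
    public string SendGridUser { get; set; }
    public string SendGridKey { get; set; }
}

// Replaces the default no-op IEmailSender that Identity.UI registers.
public class EmailSender : IEmailSender
{
    private readonly AuthMessageSenderOptions _options;

    public EmailSender(IOptions<AuthMessageSenderOptions> optionsAccessor)
    {
        _options = optionsAccessor.Value;
    }

    // ForgotPassword.OnPostAsync calls this with the reset link already embedded in
    // htmlMessage; a breakpoint here shows the recipient and the link being sent.
    public Task SendEmailAsync(string email, string subject, string htmlMessage)
    {
        if (string.IsNullOrWhiteSpace(_options.SendGridKey))
        {
            // Fail loudly rather than silently dropping reset mail.
            throw new InvalidOperationException("SendGridKey is not configured.");
        }

        var client = new SendGridClient(_options.SendGridKey);
        var msg = new SendGridMessage
        {
            From = new EmailAddress("noreply@example.com", _options.SendGridUser), // placeholder sender
            Subject = subject,
            PlainTextContent = htmlMessage,
            HtmlContent = htmlMessage,
        };
        msg.AddTo(new EmailAddress(email));
        // Keep the reset URL intact: link tracking rewrites it and can mangle the token.
        msg.SetClickTracking(false, false);
        return client.SendEmailAsync(msg);
    }
}

// Call this from Startup.ConfigureServices, passing the IConfiguration injected into Startup.
public static class EmailSenderRegistration
{
    public static void AddSendGridEmailSender(this IServiceCollection services, IConfiguration configuration)
    {
        services.Configure<AuthMessageSenderOptions>(configuration); // binds the two top-level keys
        services.AddTransient<IEmailSender, EmailSender>();
    }
}
```

Because the scaffolded pages resolve IEmailSender from DI, nothing else in the project needs to change. Keep the API key out of appsettings.json in a committed repository; in development, `dotnet user-secrets set "SendGridKey" "<your key>"` stores it per machine and the same configuration binding above picks it up.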
I've been having this problem getting UserClaims from the ASP.Net auth database to be actually included in the auth cookie that gets set on the client, and subsequently I can't use the claim in my access control Authorize attributes on the API controller.
Reproduce, minimal code example
1. VS 2022: create a new project from the template ASP.Net Core With Angular, using .NET 5.0 and Authentication type as Individual Accounts.
2. Run the command dotnet ef database update to create the default auth database.
3. Build and run the app, create a user and log in.
4. Check the "Fetch data" page to see the API fetch in action.
5. In the newly created auth database, add a claim to the AspNetUserClaims table, with the "role" schema, similar to:

   Id | UserId                               | ClaimType                                                    | ClaimValue
   1  | 0282683c-47c2-4ac1-976c-74db0b34bcff | http://schemas.microsoft.com/ws/2008/06/identity/claims/role | IAmTheWallrus

6. Log out from the web app.
7. In the WeatherForcastController, change [Authorize] to [Authorize(Roles = "IAmTheWallrus")] (I have to stop and rebuild, but that's another problem).
8. (Run and) Login to the app, try to open the Fetch data page now.
I just get a Loading... on the page and a 403 Forbidden in the console.
In fact, if I inspect the cookie for the session I don't see this new IAmTheWallrus claim anywhere.
Now, I admit, I'm not very familiar with the auth cookie stuff, but from what I understand, the "role" should be added to the cookie, so it would be visible in the cookie inspector in Firefox, for example, or viewable at https://jwt.io/
The example above is just a minimal working code sample, I'm actually running my app with the Scaffolded code for the Auth pages, where I've done as the instructions say:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/additional-claims?view=aspnetcore-5.0#add-and-update-user-claims.
Specifically adding the _userManager.AddClaimAsync and _signInManager.RefreshSignInAsync(user); stuff. I've been trying for a while now, different aspects of that instructions page going back and forth, but I can't get my claims to do anything more than appear in this table in the database, they are seemingly never added to the actual cookie so I can't use them to access control my API endpoints.
What am I doing wrong?
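A check that narrows this kind of problem down, added here as an example and not part of the question: an authorized API endpoint that returns the claims the server actually built for the current request, the claim type it will consult for [Authorize(Roles = ...)], and the result of IsInRole. The controller name and route are my own.

```csharp
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[ApiController]
[Route("api/[controller]")]
public class ClaimsDebugController : ControllerBase   // hypothetical name, for diagnosis only
{
    // Requires an authenticated caller but no particular role, so it still answers
    // when the role-restricted WeatherForecastController returns 403.
    [HttpGet]
    [Authorize]
    public IActionResult Get()
    {
        var identity = User.Identity as ClaimsIdentity;

        return Ok(new
        {
            // Which scheme built this principal: the Identity cookie reports
            // "Identity.Application"; a bearer token reports a different value.
            AuthenticationType = identity?.AuthenticationType,
            // [Authorize(Roles = "...")] calls User.IsInRole, which matches only claims
            // whose Type equals this value; a role stored under another type is ignored.
            RoleClaimType = identity?.RoleClaimType,
            IsInRole = User.IsInRole("IAmTheWallrus"),
            Claims = User.Claims.Select(c => new { c.Type, c.Value }).ToList()
        });
    }
}
```

Two facts this output makes visible: the claim set is captured when the cookie or token is issued, i.e. at sign-in, so a row inserted into AspNetUserClaims afterwards is only picked up on the next sign-in; and in the Angular template the API is called with a bearer access token rather than the Identity cookie, so the token is what carries (or lacks) the role claim. Remove the endpoint before shipping.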
I have a requirement to prevent users from logging in to my ASP.NET Web API 2.0 Identity 3.0 backed website until an administrative account "activates" a user's confirmed registered ApplicationUser account.
I have implemented the EmailConfirmed logic to validate that the ApplicationUser account was registered with a working email address. Now I'm looking for an appropriate place to implement a check against the ApplicationUser.Activated property, that I have added, with behavior that prevents a login unless it has been set to true.
I've dug a little bit into the OAuthAuthorizationServerProvider class but I think I'm going to have to really take some time and understand OAuth 2.0 to get anywhere in there. Could anyone make a suggestion as to how and where to implement a test against an Activated property like this?
PS - I'm using bearer token authentication if that was not obvious.
Do one thing: when the user clicks on the activation link which you send to the user, redirect to a page where you show one message, "You are successfully registered", and on that page's load call the database and set the activate column to true; then put a timer on that page and redirect the user to the login page. During login you can check the user status with email and password; if the status is true, that means it's a registered user.
Hope it will help.
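One concrete place to enforce the check in the Web API 2 / OWIN bearer-token setup the question describes, added here as an example (not code from either poster): the GrantResourceOwnerCredentials override of the template's ApplicationOAuthProvider, which runs on every /Token request before any bearer token is issued. It assumes the template's ApplicationUser and ApplicationUserManager, the poster's own Activated bool on ApplicationUser, and that EmailConfirmed is also required.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OAuth;

public class ApplicationOAuthProvider : OAuthAuthorizationServerProvider
{
    private readonly string _publicClientId;

    public ApplicationOAuthProvider(string publicClientId)
    {
        _publicClientId = publicClientId;
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();

        // Verifies the password hash; null for an unknown user or a wrong password.
        ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);
        if (user == null)
        {
            // Same message for both cases so the endpoint cannot be used to enumerate accounts.
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        // The password was correct, so a specific reason can be returned without leaking anything new.
        if (!user.EmailConfirmed)
        {
            context.SetError("invalid_grant", "Email address has not been confirmed.");
            return;
        }
        if (!user.Activated) // the poster's added property; assumed to be a bool on ApplicationUser
        {
            context.SetError("invalid_grant", "Account is awaiting administrator activation.");
            return;
        }

        // From here on this is the stock template code: issue the bearer token (and cookie).
        ClaimsIdentity oAuthIdentity = await user.GenerateUserIdentityAsync(userManager, OAuthDefaults.AuthenticationType);
        ClaimsIdentity cookiesIdentity = await user.GenerateUserIdentityAsync(userManager, CookieAuthenticationDefaults.AuthenticationType);

        AuthenticationProperties properties = CreateProperties(user.UserName);
        var ticket = new AuthenticationTicket(oAuthIdentity, properties);
        context.Validated(ticket);
        context.Request.Context.Authentication.SignIn(cookiesIdentity);
    }

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // The resource owner password grant does not send a client id.
        if (context.ClientId == null)
        {
            context.Validated();
        }
        return Task.FromResult<object>(null);
    }

    public static AuthenticationProperties CreateProperties(string userName)
    {
        var data = new Dictionary<string, string> { { "userName", userName } };
        return new AuthenticationProperties(data);
    }
}
```

The template's other overrides (TokenEndpoint, ValidateClientRedirectUri) are unchanged and omitted. One caveat: this gate runs only when a token is issued, so a token obtained before an administrator de-activates an account stays valid until it expires; if deactivation must take effect immediately, either keep the token lifetime short or check the flag again in an authorization filter on each request.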
I have set up a quick page to accept an email address, which will send an email to it that will later contain a link to reset the password or a new temporary one.
My project is a new ASP .Net MVC project using Identity. I thought the best way to reset it would be to send a link to the email which when clicked allows the user to enter a new one but then I'm not sure what to put on the page the link is directed to, to allow this functionality and keep the site secure.
Is it simply easiest in this case to send a new temporary one?
This was too long to fit in a comment so hopefully I don't get downvoted without actual code examples :O
A common solution that I've seen:
When a user requests a password reset, record a guid/random hash and expiration datetime to the user's information in your user store (db most likely).
An email with a link to a temporary page is sent to the user's email address on file (this solution does require a valid email address).
Once the temporary page is hit, the link can be set to immediately expire (set the expiration date to datetime.now, or remove the guid/hash from the user info, etc).
This temporary page URL would likely have the guid/hash for the recorded user in the query string, so it should be pretty hard to find without having the link in the email. For added security, the user can be required to put in the username/email that requested the password reset (as there should potentially be no mention of usernames/passwords on the page). Once this validation is done (or not), give the user the appropriate fields to reset their password.
Another final note on the "forgot password link" don't provide any information on whether or not a username "does not exist" as this can give the potential of finding valid user names on your site.
EDIT:
Here's a previous Stack Overflow question that might explain it better than I did (don't look at the "accepted" answer, look at the most upvoted answer :)
Generate temporary URL to reset password
You can find a complete sample that uses "Forgot password" functionality in the prerelease version of "Microsoft ASP.NET Identity Samples 2.1.0-alpha1" NuGet package.
Steps
Create Empty Web Application project
Install sample project: Install-Package Microsoft.AspNet.Identity.Samples -Pre
Start the application and register a new user.
Go to the Log in page and click on "Forgot password". Then enter the recently registered user's e-mail.
Then, you will be able to debug the application checking the "Forgot password" process.
This link here lists model class and view class properties to change in order to prompt the user for email and password log in, rather than the default username and password required by Asp.NET Identity Authentication. However, it does not demonstrate how to remove the requirement of creating a username upon registration for the user in Identity.
Can someone point me to a resource that would allow me to completely remove the username requirement from Identity Authentication? I don't want my users to have to complete this extraneous step.
UPDATE::
According to this example here on Identity email-authentication, installing the Visual Studio 2013 Update 2 allows users to complete registration with email, and NOT username:
Big yay.
The best way would be to create your own custom user validator. With a custom validator you can write your own logic to check if a user name is valid (in your case if the user name is an email address). This approach does not remove the user name from Identity, but it ensures that your user name is a valid email address.
An example how to implement one can be found here. Be aware that this solution was built upon Identity 1.0. Nevertheless, it should work the same way.
BTW, your link points to Simple Membership (as mentioned by #Anthony), not ASP.NET Identity as mentioned in the rest of your question.
EDIT
As mentioned in the comments, here's the answer again:
I haven't tried it yet, but I would guess that it is not possible when you're using the Entity Framework implementation. There the implementation uses the IdentityUser class which implements the IUser interface from Identity. Even the IUser interface contains a user name property.
UPDATE::
According to this example here on Identity email-authentication, installing the Visual Studio 2013 Update 2 allows users (using the MVC web template) to complete registration with email, and NOT username:
Big yay.
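As an added example of the custom user validator the answer recommends (my code, not the linked Identity 1.0 sample), targeting Identity 2.x where IdentityUser has an Email property: it rejects any user name that is not a syntactically valid email address, requires it to match the Email field, and keeps the uniqueness check the default validator would otherwise perform. ApplicationUser and ApplicationUserManager are the VS 2013 template's classes; EmailUserNameValidator is my own name.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Mail;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;

// Replaces the default UserValidator<ApplicationUser>; UserManager.CreateAsync and
// UpdateAsync call ValidateAsync before anything is written to the store.
public class EmailUserNameValidator : IIdentityValidator<ApplicationUser>
{
    private readonly UserManager<ApplicationUser> _manager;

    public EmailUserNameValidator(UserManager<ApplicationUser> manager)
    {
        _manager = manager;
    }

    public async Task<IdentityResult> ValidateAsync(ApplicationUser user)
    {
        if (user == null) throw new ArgumentNullException("user");
        var errors = new List<string>();

        if (string.IsNullOrWhiteSpace(user.UserName))
            errors.Add("Email address is required.");
        else if (!LooksLikeEmail(user.UserName))
            errors.Add("User name must be a valid email address.");
        else if (!string.Equals(user.UserName, user.Email, StringComparison.OrdinalIgnoreCase))
            errors.Add("User name and email address must match.");

        if (errors.Count == 0)
        {
            // Uniqueness check that skips the record being updated.
            var existing = await _manager.FindByNameAsync(user.UserName);
            if (existing != null && !string.Equals(existing.Id, user.Id, StringComparison.Ordinal))
                errors.Add("Email address is already registered.");
        }

        return errors.Count == 0 ? IdentityResult.Success : IdentityResult.Failed(errors.ToArray());
    }

    // MailAddress applies the framework's address grammar; requiring the parsed address to
    // round-trip rejects display-name forms such as "Bob <bob@example.com>".
    private static bool LooksLikeEmail(string value)
    {
        try
        {
            var parsed = new MailAddress(value);
            return string.Equals(parsed.Address, value, StringComparison.OrdinalIgnoreCase);
        }
        catch (FormatException)
        {
            return false;
        }
    }
}

// Call from ApplicationUserManager.Create (App_Start/IdentityConfig.cs in the template)
// in place of the block that news up the default UserValidator.
public static class UserManagerValidatorSetup
{
    public static void UseEmailAsUserName(this ApplicationUserManager manager)
    {
        manager.UserValidator = new EmailUserNameValidator(manager);
    }
}
```

With this in place the Register view model only needs Email and Password fields, and the controller sets both UserName and Email to the same value before calling CreateAsync; the validator then guarantees the two never drift apart.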
Could someone explain to me how to send a verification email without using the asp.net user creation wizard? I want it so that when the email is sent, it will contain a URL link to activate an account.
First, add a field to the Users table called RegisterGuidId with type uniqueidentifier.
Second, after registration, send a normal email to the user with a link to your activation page with the newly generated RegisterGuidId.
Third, after the user is redirected to your activation page, use the generated GUID to get the user data from the database.
Basically what you need to do is, when the user registers generate a hash that is specific to the user (ideally something that can't be predicted by the bad guys) -> send this hash to the email that the user provided.
If you get a request with the url/hash that means he verified his account.
That's the basic idea anyway.
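The two answers above, and the earlier password-reset answer that suggests a guid/hash plus an expiry, describe the same design. Here it is worked through as an added example (my code, not any poster's), with three choices a reviewer would look for: the token comes from a CSPRNG rather than Guid.NewGuid(), only its SHA-256 hash is stored so a copy of the database does not yield usable links, and the token expires and is consumed on first use. UserRecord is a constructed stand-in for the Users table row; the base URL in Main is a placeholder.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Constructed stand-in for the Users table columns the answers describe.
public class UserRecord
{
    public int Id;
    public string Email;
    public bool IsActivated;
    public byte[] ActivationTokenHash;   // SHA-256 of the token that was emailed, never the token
    public DateTime? ActivationExpiresUtc;
}

public static class AccountActivation
{
    private const int TokenBytes = 32;
    private static readonly TimeSpan Lifetime = TimeSpan.FromHours(24);

    // Generates an unguessable token, stores only its hash and expiry on the user record,
    // and returns the raw token for embedding in the email.
    public static string IssueToken(UserRecord user, DateTime nowUtc)
    {
        var raw = new byte[TokenBytes];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(raw);   // cryptographic RNG, unlike Guid.NewGuid() or System.Random
        }
        string token = ToUrlSafeBase64(raw);
        user.ActivationTokenHash = Hash(token);
        user.ActivationExpiresUtc = nowUtc + Lifetime;
        user.IsActivated = false;
        return token;
    }

    public static string BuildActivationUrl(string baseUrl, UserRecord user, string token)
    {
        // Only the user id and the opaque token travel in the link.
        return baseUrl.TrimEnd('/') + "/Activate?uid=" + user.Id + "&token=" + Uri.EscapeDataString(token);
    }

    // Called by the activation page; returns true exactly once per issued token.
    public static bool TryActivate(UserRecord user, string presentedToken, DateTime nowUtc)
    {
        if (user == null || string.IsNullOrEmpty(presentedToken)) return false;
        if (user.ActivationTokenHash == null || user.ActivationExpiresUtc == null) return false;
        if (nowUtc > user.ActivationExpiresUtc.Value) return false;
        if (!FixedTimeEquals(Hash(presentedToken), user.ActivationTokenHash)) return false;

        // Consume the token so the link cannot be replayed.
        user.IsActivated = true;
        user.ActivationTokenHash = null;
        user.ActivationExpiresUtc = null;
        return true;
    }

    private static byte[] Hash(string token)
    {
        using (var sha = SHA256.Create())
        {
            return sha.ComputeHash(Encoding.UTF8.GetBytes(token));
        }
    }

    private static string ToUrlSafeBase64(byte[] bytes)
    {
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Compares every byte regardless of where the first mismatch is (no early exit);
    // written by hand so it also works on .NET Framework.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        var user = new UserRecord { Id = 42, Email = "alice@example.com" };   // constructed sample
        DateTime now = DateTime.UtcNow;
        string token = IssueToken(user, now);
        Console.WriteLine(BuildActivationUrl("https://localhost:44300", user, token)); // placeholder host
        Console.WriteLine(TryActivate(user, "not-the-token", now));                      // False: wrong token
        Console.WriteLine(TryActivate(user, token, now + Lifetime + TimeSpan.FromMinutes(1))); // False: expired
        Console.WriteLine(TryActivate(user, token, now));                                // True: first use
        Console.WriteLine(TryActivate(user, token, now));                                // False: already consumed
    }
}
```

The activation page should do nothing but call TryActivate and redirect; in particular it should not mark the account active on a GET before the comparison succeeds, and it should return the same generic "link invalid or expired" response for an unknown id, a bad token and an expired one.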