Manually validating a password reset token in ASP.NET Identity

Question

I would like to manually validate a password reset token in ASP.NET Identity 2.0. I\'m trying to create my own version of UserManager.ResetPasswordAsync(string userId, str

Answer 1

I overcame my problem by setting the purpose to "ResetPassword".

Below is a snippet of the final result in case someone wants to do something similar. It is a method in my ApplicationUserManager class. Realize, though, that some of the exception handling that Microsoft implements is missing or not localized because certain private variables, methods, and resources used in their code are inaccessible. It's unfortunate they did not make that stuff protected so that I could have gotten at it. The missing ThrowIfDisposed method call in particular is interesting (and bazaar) to me. Apparently they are anticipating method calls after an instance has been disposed in order to provide a friendlier error message and avoid the unexpected.

public async Task<IdentityResult> ResetPasswordAsync(IdentityUser user,
    string token, string newPassword)
{
    if (user == null)
    {
        throw new ArgumentNullException("user");
    }

    // Make sure the token is valid and the stamp matches.
    if (!await UserTokenProvider.ValidateAsync("ResetPassword", token, 
        this, user))
    {
        return IdentityResult.Failed("Invalid token.");
    }

    // Make sure the new password is valid.
    var result = await PasswordValidator.ValidateAsync(newPassword)
        .ConfigureAwait(false);
    if (!result.Succeeded)
    {
        return result;
    }

    // Update the password hash and invalidate the current security stamp.
    user.PasswordHash = PasswordHasher.HashPassword(newPassword);
    user.SecurityStamp = Guid.NewGuid().ToString();

    // Save the user and return the outcome.
    return await UpdateAsync(user).ConfigureAwait(false);
}

Answer 2

It appears that the code for Microsoft.AspNet.Identity has not been Open Sourced according to the Codeplex repository located at:

https://aspnetidentity.codeplex.com/SourceControl/latest#Readme.markdown

At present, the ASP.NET Identity framework code is not public and therefore will not be published on this site. However, we are planning to change that, and as soon as we are able, the code will be published in this repository.

However I did find this which might be the source for the UserManager based on the debug symbols:

UserManager Source Code

I also found these posts which might help:

Implementing custom password policy using ASP.NET Identity

UserManager Class Documentation

IUserTokenProvider Interface Documentation