Where is the information about the authorization token stored on the ASP.NET WEB API server?

Question

In my Web Api 2 Identity 2 application after user registration I have a single record in single table: AspNetUsers. I use the following http request to get token:

Answer 1

1) Tokens are not stored anywhere in the database or local storage. That means tokens are not storing anywhere in the server.

2) Actually, password reset tokens are generated using the SecurityStamp and validating against the SecurityStamp of the user. Tokens are not expire unless you haven't set up expire time or updated SecurityStamp of that user.

Expire time can be set on userManager properties on your identity configuration class. Following example shows token lifetime with 1 hour. Check this article.

 if (dataProtectionProvider != null)
 {
    manager.UserTokenProvider =
       new DataProtectorTokenProvider<ApplicationUser>
          (dataProtectionProvider.Create("ASP.NET Identity"))
          {                    
             TokenLifespan = TimeSpan.FromHours(1)
          };
 }

You can use your own mechanism to check token's have previously used.

3) Update the SecurityStamp. This will invalidate all tokens issued for that user, including cookies as well. It would be better to use your own idea to make expire password reset tokens.

As a example you could use another column to store any generated password reset tokens in database and validate it (There may be better way to do it).

Keep in mind that the login access_token generated differently and it has expire time which you have set in Owin startup bearer token expire time.

Hope this helps.