Account Confirmation and Password Recovery with ASP.NET Identity (C#)
by Hao Kung, Pranav Rastogi, Rick Anderson, Suhas Joshi
Before doing this tutorial you should first complete Create a secure ASP.NET MVC 5 web app with log in, email confirmation and password reset. This tutorial contains more details and will show you how to set up email for local account confirmation and allow users to reset their forgotten password in ASP.NET Identity. This article was written by Rick Anderson ([@RickAndMSFT](https://twitter.com/#!/RickAndMSFT)), Pranav Rastogi ([@rustd](https://twitter.com/rustd)), Hao Kung, and Suhas Joshi. The NuGet sample was written primarily by Hao Kung.
A local user account requires the user to create a password for the account, and that password is stored (securely) in the web app. ASP.NET Identity also supports social accounts, which don’t require the user to create a password for the app. Social accounts use a third party (such as Google, Twitter, Facebook or Microsoft) to authenticate users. This topic covers the following:
- Create an ASP.NET MVC app and explore ASP.NET Identity features.
- Building the Identity sample
- Set up email confirmation
New users register their email alias, which creates a local account.
Clicking the Register button sends a confirmation email containing a validation token to their email address.
The user is sent an email with a confirmation token for their account.
Clicking the link confirms the account.
Password recovery/reset
Local users who forget their password can have a security token sent to their email account, enabling them to reset their password.
The user will soon get an email with a link allowing them to reset their password.
Clicking the link will take them to the Reset page.
Clicking the Reset button will confirm the password has been reset.
Create an ASP.NET Web app
Start by installing and running Visual Studio Express 2013 for Web or Visual Studio 2013. Install Visual Studio 2013 Update 2 or higher.
[!NOTE] Warning: You must install Visual Studio 2013 Update 2 to complete this tutorial.
- Create a new ASP.NET Web project and select the MVC template. Web Forms also supports ASP.NET Identity, so you could follow similar steps in a web forms app.
- Leave the default authentication as Individual User Accounts.
- Run the app, click the Register link and register a user. At this point, the only validation on the email is with the [EmailAddress] attribute.
In Server Explorer, navigate to **Data Connections*, right click and select Open table definition.
The following image shows the
AspNetUsers
schema:Right click on the AspNetUsers table and select Show Table Data.
At this point the email has not been confirmed.
The default data store for ASP.NET Identity is Entity Framework, but you can configure it to use other data stores and to add additional fields. See Additional Resources section at the end of this tutorial.
The OWIN startup class ( Startup.cs ) is called when the app starts and invokes the ConfigureAuth
method in App_Start.Auth.cs, which configures the OWIN pipeline and initializes ASP.NET Identity. Examine the ConfigureAuth
method. Each CreatePerOwinContext
call registers a callback (saved in the OwinContext
) that will be called once per request to create an instance of the specified type. You can set a break point in the constructor and Create
method of each type (ApplicationDbContext, ApplicationUserManager
) and verify they are called on each request. A instance of ApplicationDbContext
and ApplicationUserManager
is stored in the OWIN context, which can be accessed throughout the application. ASP.NET Identity hooks into the OWIN pipeline through cookie middleware. For more information, see Per request lifetime management for UserManager class in ASP.NET Identity.
When you change your security profile, a new security stamp is generated and stored in the SecurityStamp
field of the AspNetUsers table. Note, the SecurityStamp
field is different from the security cookie. The security cookie is not stored in the AspNetUsers
table (or anywhere else in the Identity DB). The security cookie token is self-signed using DPAPI and is created with the UserId, SecurityStamp
and expiration time information.
The cookie middleware checks the cookie on each request. The SecurityStampValidator
method in the Startup
class hits the DB and checks security stamp periodically, as specified with the validateInterval
. This only happens every 30 minutes (in our sample) unless you change your security profile. The 30 minute interval was chosen to minimize trips to the database. See my two-factor authentication tutorial for more details.
Per the comments in the code, the UseCookieAuthentication
method supports cookie authentication. The SecurityStamp
field and associated code provides an extra layer of security to your app, when you change your password, you will be logged out of the browser you logged in with. The SecurityStampValidator.OnValidateIdentity
method enables the app to validate the security token when the user logs in, which is used when you change a password or use the external login. This is needed to ensure that any tokens (cookies) generated with the old password are invalidated. In the sample project, if you change the users password then a new token is generated for the user, any previous tokens are invalidated and the SecurityStamp
field is updated.
The Identity system allow you to configure your app so when the users security profile changes (for example, when the user changes their password or changes associated login (such as from Facebook, Google, Microsoft account, etc.), the user is logged out of all browser instances. For example, the image below shows the Single signout sample app, which allows the user to sign out of all browser instances (in this case, IE, Firefox and Chrome) by clicking one button. Alternatively, the sample allows you to only log out of a specific browser instance.
The Single signout sample app shows how ASP.NET Identity allows you to regenerate the security token. This is needed to ensure that any tokens (cookies) generated with the old password are invalidated. This feature provides an extra layer of security to your application; when you change your password, you will be logged out where you have logged into this application.
The App_Start.cs file contains the ApplicationUserManager
, EmailService
and SmsService
classes. The EmailService
and SmsService
classes each implement the IIdentityMessageService
interface, so you have common methods in each class to configure email and SMS. Although this tutorial only shows how to add email notification through SendGrid, you can send email using SMTP and other mechanisms.
The Startup
class also contains boiler plate to add social logins (Facebook, Twitter, etc.), see my tutorial MVC 5 App with Facebook, Twitter, LinkedIn and Google OAuth2 Sign-on for more info.
Examine the ApplicationUserManager
class, which contains the users identity information and configures the following features:
- Password strength requirements.
- User lock out (attempts and time).
- Two-factor authentication (2FA). I’ll cover 2FA and SMS in another tutorial.
- Hooking up the email and SMS services. (I’ll cover SMS in another tutorial).
The ApplicationUserManager
class derives from the generic UserManager<ApplicationUser>
class. ApplicationUser
derives from IdentityUser. IdentityUser
derives from the generic IdentityUser
class:
[!code-csharpMain]
1: // Default EntityFramework IUser implementation
2: public class IdentityUser<TKey, TLogin, TRole, TClaim> : IUser<TKey>
3: where TLogin : IdentityUserLogin<TKey>
4: where TRole : IdentityUserRole<TKey>
5: where TClaim : IdentityUserClaim<TKey>
6: {
7: public IdentityUser()
8: {
9: Claims = new List<TClaim>();
10: Roles = new List<TRole>();
11: Logins = new List<TLogin>();
12: }
13:
14: /// User ID (Primary Key)
15: public virtual TKey Id { get; set; }
16:
17: public virtual string Email { get; set; }
18: public virtual bool EmailConfirmed { get; set; }
19:
20: public virtual string PasswordHash { get; set; }
21:
22: /// A random value that should change whenever a users credentials have changed (password changed, login removed)
23: public virtual string SecurityStamp { get; set; }
24:
25: public virtual string PhoneNumber { get; set; }
26: public virtual bool PhoneNumberConfirmed { get; set; }
27:
28: public virtual bool TwoFactorEnabled { get; set; }
29:
30: /// DateTime in UTC when lockout ends, any time in the past is considered not locked out.
31: public virtual DateTime? LockoutEndDateUtc { get; set; }
32:
33: public virtual bool LockoutEnabled { get; set; }
34:
35: /// Used to record failures for the purposes of lockout
36: public virtual int AccessFailedCount { get; set; }
37:
38: /// Navigation property for user roles
39: public virtual ICollection<TRole> Roles { get; private set; }
40:
41: /// Navigation property for user claims
42: public virtual ICollection<TClaim> Claims { get; private set; }
43:
44: /// Navigation property for user logins
45: public virtual ICollection<TLogin> Logins { get; private set; }
46:
47: public virtual string UserName { get; set; }
48: }
The properties above coincide with the properties in the AspNetUsers
table, shown above.
Generic arguments on IUser
enable you to derive a class using different types for the primary key. See the ChangePK sample which shows how to change the primary key from string to int or GUID.
ApplicationUser
ApplicationUser
(public class ApplicationUserManager : UserManager<ApplicationUser>
) is defined in Models.cs as:
[!code-csharpMain]
1: public class ApplicationUser : IdentityUser
2: {
3: public async Task<ClaimsIdentity> GenerateUserIdentityAsync(
4: UserManager<ApplicationUser> manager)
5: {
6: // Note the authenticationType must match the one defined in
7: // CookieAuthenticationOptions.AuthenticationType
8: var userIdentity = await manager.CreateIdentityAsync(this,
9: DefaultAuthenticationTypes.ApplicationCookie);
10: // Add custom user claims here
11: return userIdentity;
12: }
13: }
The highlighted code above generates a ClaimsIdentity. ASP.NET Identity and OWIN Cookie Authentication are claims-based, therefore the framework requires the app to generate a ClaimsIdentity
for the user. ClaimsIdentity
has information about all the claims for the user, such as the user’s name, age and what roles the user belongs to. You can also add more claims for the user at this stage.
The OWIN AuthenticationManager.SignIn
method passes in the ClaimsIdentity
and signs in the user:
[!code-csharpMain]
1: private async Task SignInAsync(ApplicationUser user, bool isPersistent)
2: {
3: AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);
4: AuthenticationManager.SignIn(new AuthenticationProperties(){
5: IsPersistent = isPersistent },
6: await user.GenerateUserIdentityAsync(UserManager));
7: }
MVC 5 App with Facebook, Twitter, LinkedIn and Google OAuth2 Sign-on shows how you can add additional properties to the ApplicationUser
class.
Email confirmation
It’s a good idea to confirm the email a new user register with to verify they are not impersonating someone else (that is, they haven’t registered with someone else’s email). Suppose you had a discussion forum, you would want to prevent "bob@example.com"
from registering as "joe@contoso.com"
. Without email confirmation, "joe@contoso.com"
could get unwanted email from your app. Suppose Bob accidently registered as "bib@example.com"
and hadn’t noticed it, he wouldn’t be able to use password recover because the app doesn’t have his correct email. Email confirmation provides only limited protection from bots and doesn’t provide protection from determined spammers, they have many working email aliases they can use to register.In the sample below, the user won’t be able to change their password until their account has been confirmed (by them clicking on a confirmation link received on the email account they registered with.) You can apply this work flow to other scenarios, for example sending a link to confirm and reset the password on new accounts created by the administrator, sending the user an email when they have changed their profile and so on. You generally want to prevent new users from posting any data to your web site before they have been confirmed by email, a SMS text message or another mechanism.
Building a more complete sample
In this section, you’ll use NuGet to download a more complete sample we will work with.
- Create a new empty ASP.NET Web project.
In the Package Manager Console, enter the following the following commands:
[!code-consoleMain]
1: Install-Package SendGrid
2: Install-Package -Prerelease Microsoft.AspNet.Identity.Samples
In this tutorial, we’ll use SendGrid to send email. The Identity.Samples
package installs the code we will be working with. 3. Set the project to use SSL. 4. Test local account creation by running the app, clicking on the Register link, and posting the registration form. 5. Click the demo email link, which simulates email confirmation. 6. Remove the demo email link confirmation code from the sample (The ViewBag.Link
code in the account controller. See the DisplayEmail
and ForgotPasswordConfirmation
action methods and razor views ).
[!NOTE] Warning: If you change any of the security settings in this sample, productions apps will need to undergo a security audit that explicitly calls the changes made.
Examine the code in App_Start.cs
The sample shows how to create an account and add it to the Admin role. You should replace the email in the sample with the email you will be using for the admin account. The easiest way right now to create an administrator account is programmatically in the Seed
method. We hope to have a tool in the future that will allow you to create and administer users and roles. The sample code does let you create and manage users and roles, but you must first have an administrators account to run the roles and user admin pages. In this sample, the admin account is created when the DB is seeded.
Change the password and change the name to an account where you can receive email notifications.
[!WARNING] Security - Never store sensitive data in your source code.
As mentioned previously, the app.CreatePerOwinContext
call in the startup class adds callbacks to the Create
method of the app DB content, user manager and role manger classes. The OWIN pipeline calls the Create
method on these classes for each request and stores the context for each class. The account controller exposes the user manager from the HTTP context (which contains the OWIN context):
[!code-csharpMain]
1: public ApplicationUserManager UserManager
2: {
3: get
4: {
5: return _userManager ??
6: HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();
7: }
8: private set
9: {
10: _userManager = value;
11: }
12: }
When a user registers a local account, the HTTP Post Register
method is called:
[!code-csharpMain]
1: [HttpPost]
2: [AllowAnonymous]
3: [ValidateAntiForgeryToken]
4: public async Task<ActionResult> Register(RegisterViewModel model)
5: {
6: if (ModelState.IsValid)
7: {
8: var user = new ApplicationUser { UserName = model.Email, Email = model.Email };
9: var result = await UserManager.CreateAsync(user, model.Password);
10: if (result.Succeeded)
11: {
12: var code = await UserManager.GenerateEmailConfirmationTokenAsync(user.Id);
13: var callbackUrl = Url.Action(
14: "ConfirmEmail", "Account",
15: new { userId = user.Id, code = code },
16: protocol: Request.Url.Scheme);
17:
18: await UserManager.SendEmailAsync(user.Id,
19: "Confirm your account",
20: "Please confirm your account by clicking this link: <a href=\""
21: + callbackUrl + "\">link</a>");
22: // ViewBag.Link = callbackUrl; // Used only for initial demo.
23: return View("DisplayEmail");
24: }
25: AddErrors(result);
26: }
27:
28: // If we got this far, something failed, redisplay form
29: return View(model);
30: }
The code above uses the model data to create a new user account using the email and password entered. If the email alias is in the data store, account creation fails and the form is displayed again. The GenerateEmailConfirmationTokenAsync
method creates a secure confirmation token and stores it in the ASP.NET Identity data store. The Url.Action method creates a link containing the UserId
and confirmation token. This link is then emailed to the user, the user can click on the link in their email app to confirm their account.
Set up email confirmation
Go to the Azure SendGrid sign up page and register for free account. Add code similar to the following to configure SendGrid:
[!code-csharpMain]
1: public class EmailService : IIdentityMessageService
2: {
3: public Task SendAsync(IdentityMessage message)
4: {
5: return configSendGridasync(message);
6: }
7:
8: private Task configSendGridasync(IdentityMessage message)
9: {
10: var myMessage = new SendGridMessage();
11: myMessage.AddTo(message.Destination);
12: myMessage.From = new System.Net.Mail.MailAddress(
13: "Joe@contoso.com", "Joe S.");
14: myMessage.Subject = message.Subject;
15: myMessage.Text = message.Body;
16: myMessage.Html = message.Body;
17:
18: var credentials = new NetworkCredential(
19: ConfigurationManager.AppSettings["mailAccount"],
20: ConfigurationManager.AppSettings["mailPassword"]
21: );
22:
23: // Create a Web transport for sending email.
24: var transportWeb = new Web(credentials);
25:
26: // Send the email.
27: if (transportWeb != null)
28: {
29: return transportWeb.DeliverAsync(myMessage);
30: }
31: else
32: {
33: return Task.FromResult(0);
34: }
35: }
36: }
[!NOTE] Email clients frequently accept only text messages (no HTML). You should provide the message in text and HTML. In the SendGrid sample above, this is done with the
myMessage.Text
andmyMessage.Html
code shown above.
The following code shows how to send email using the MailMessage class where message.Body
returns only the link.
[!code-csharpMain]
1: void sendMail(Message message)
2: {
3: #region formatter
4: string text = string.Format("Please click on this link to {0}: {1}", message.Subject, message.Body);
5: string html = "Please confirm your account by clicking this link: <a href=\"" + message.Body + "\">link</a><br/>";
6:
7: html += HttpUtility.HtmlEncode(@"Or click on the copy the following link on the browser:" + message.Body);
8: #endregion
9:
10: MailMessage msg = new MailMessage();
11: msg.From = new MailAddress("joe@contoso.com");
12: msg.To.Add(new MailAddress(message.Destination));
13: msg.Subject = message.Subject;
14: msg.AlternateViews.Add(AlternateView.CreateAlternateViewFromString(text, null, MediaTypeNames.Text.Plain));
15: msg.AlternateViews.Add(AlternateView.CreateAlternateViewFromString(html, null, MediaTypeNames.Text.Html));
16:
17: SmtpClient smtpClient = new SmtpClient("smtp.gmail.com", Convert.ToInt32(587));
18: System.Net.NetworkCredential credentials = new System.Net.NetworkCredential("joe@contoso.com", "XXXXXX");
19: smtpClient.Credentials = credentials;
20: smtpClient.EnableSsl = true;
21: smtpClient.Send(msg);
22: }
[!WARNING] Security - Never store sensitive data in your source code. The account and credentials are stored in the appSetting. On Azure, you can securely store these values on the Configure tab in the Azure portal. See Best practices for deploying passwords and other sensitive data to ASP.NET and Azure.
Enter your SendGrid credentials, run the app, register with an email alias can click the confirm link in your email. To see how to do this with your Outlook.com email account, see John Atten’s C# SMTP Configuration for Outlook.Com SMTP Host and hisASP.NET Identity 2.0: Setting Up Account Validation and Two-Factor Authorization posts.
Once a user clicks the Register button a confirmation email containing a validation token is sent to their email address.
The user is sent an email with a confirmation token for their account.
Examine the code
The following code shows the POST ForgotPassword
method.
[!code-csharpMain]
1: public async Task<ActionResult> ForgotPassword(ForgotPasswordViewModel model)
2: {
3: if (ModelState.IsValid)
4: {
5: var user = await UserManager.FindByNameAsync(model.Email);
6: if (user == null || !(await UserManager.IsEmailConfirmedAsync(user.Id)))
7: {
8: // Don't reveal that the user does not exist or is not confirmed
9: return View("ForgotPasswordConfirmation");
10: }
11:
12: var code = await UserManager.GeneratePasswordResetTokenAsync(user.Id);
13: var callbackUrl = Url.Action("ResetPassword", "Account",
14: new { UserId = user.Id, code = code }, protocol: Request.Url.Scheme);
15: await UserManager.SendEmailAsync(user.Id, "Reset Password",
16: "Please reset your password by clicking here: <a href=\"" + callbackUrl + "\">link</a>");
17: return View("ForgotPasswordConfirmation");
18: }
19:
20: // If we got this far, something failed, redisplay form
21: return View(model);
22: }
The method fails silently if the user email has not been confirmed. If an error was posted for an invalid email address, malicious users could use that information to find valid userId (email aliases) to attack.
The following code shows the ConfirmEmail
method in the account controller that is called when the user clicks the confirmation link in the email sent to them:
[!code-csharpMain]
1: public async Task<ActionResult> ConfirmEmail(string userId, string code)
2: {
3: if (userId == null || code == null)
4: {
5: return View("Error");
6: }
7: var result = await UserManager.ConfirmEmailAsync(userId, code);
8: if (result.Succeeded)
9: {
10: return View("ConfirmEmail");
11: }
12: AddErrors(result);
13: return View();
14: }
Once a forgotten password token has been used, it’s invalidated. The following code change in the Create
method (in the App_Start.cs file) sets the tokens to expire in 3 hours.
[!code-csharpMain]
1: if (dataProtectionProvider != null)
2: {
3: manager.UserTokenProvider =
4: new DataProtectorTokenProvider<ApplicationUser>
5: (dataProtectionProvider.Create("ASP.NET Identity"))
6: {
7: TokenLifespan = TimeSpan.FromHours(3)
8: };
9: }
With the code above, the forgotten password and the email confirmation tokens will expire in 3 hours. The default TokenLifespan
is one day.
The following code shows the email confirmation method:
[!code-csharpMain]
1: // GET: /Account/ConfirmEmail
2: [AllowAnonymous]
3: public async Task<ActionResult> ConfirmEmail(string userId, string code)
4: {
5: if (userId == null || code == null)
6: {
7: return View("Error");
8: }
9: IdentityResult result;
10: try
11: {
12: result = await UserManager.ConfirmEmailAsync(userId, code);
13: }
14: catch (InvalidOperationException ioe)
15: {
16: // ConfirmEmailAsync throws when the userId is not found.
17: ViewBag.errorMessage = ioe.Message;
18: return View("Error");
19: }
20:
21: if (result.Succeeded)
22: {
23: return View();
24: }
25:
26: // If we got this far, something failed.
27: AddErrors(result);
28: ViewBag.errorMessage = "ConfirmEmail failed";
29: return View("Error");
30: }
To make your app more secure, ASP.NET Identity supports Two-Factor authentication (2FA). See ASP.NET Identity 2.0: Setting Up Account Validation and Two-Factor Authorization by John Atten. Although you can set account lockout on login password attempt failures, that approach makes your login susceptible to DOS lockouts. We recommend you use account lockout only with 2FA.
Additional Resources
- Overview of Custom Storage Providers for ASP.NET Identity
- MVC 5 App with Facebook, Twitter, LinkedIn and Google OAuth2 Sign-on also shows how to add profile information to the users table.
- ASP.NET MVC and Identity 2.0: Understanding the Basics by John Atten.
- Introduction to ASP.NET Identity
- Announcing RTM of ASP.NET Identity 2.0.0 by Pranav Rastogi.
|