Api Rest

14/7/2017 ASP.NET Identity 2.
1 Accounts Confirmation, and Password Policy Configuration - Part 2 - Bit of Technology
BIT OF TECHNOLOGY
ARCHIVE ABOUT ME SPEAKING CONTACT
ASP.NET Identity 2.1 Accounts Con rmation, and Password

Policy Con guration – Part 2
February 3, 2015 By Taiseer Joudeh — 100 Comments
Be Sociable, Share!
Share 16 Tweet Share 11 7  Email
This is the second part of Building Simple Membership system using ASP.NET Identity 2.1, ASP.NET Web API
2.2 and AngularJS. The topics we’ll cover are:
Con gure ASP.NET Identity with ASP.NET Web API (Accounts Management) – Part 1.
ASP.NET Identity 2.1 Accounts Con rmation, and Password/User Policy Con guration – (This Post)
Implement OAuth JSON Web Tokens Authentication in ASP.NET Web API and Identity 2.1 – Part 3
ASP.NET Identity 2.1 Roles Based Authorization with ASP.NET Web API – Part 4
ASP.NET Web API Claims Authorization with ASP.NET Identity 2.1 – Part 5
AngularJS Authentication and Authorization with ASP.NET Web API and Identity 2.1 – Part 6
The source code for this tutorial is available on GitHub.
ASP.NET Identity 2.1 Accounts Con rmation, and Password/User Policy

Con guration
In this post we’ll complete on top of what we’ve already built, and we’ll cover the below topics:
Send Con rmation Emails after Account Creation.

Con gure User (Username, Email) and Password policy.
Enable Changing Password and Deleting Account.
1 . Send Con rmation Emails after Account Creation

ASP.NET Identity 2.1 users table (AspNetUsers) comes by default with a Boolean column named
“EmailCon rmed”, this column is used to ag if the email provided by the registered user is valid and belongs
to this user in other words that user can access the email provided and he is not impersonating another
identity. So our membership system should not allow users without valid email address to log into the
system.
The scenario we want to implement that user will register in the system, then a con rmation email will be
sent to the email provided upon the registration, this email will include an activation link and a token (code)
http://bitoftech.net/2015/02/03/asp-net-identity-2-accounts-confirmation-password-user-policy-configuration/ 1/43
14/7/2017 ASP.NET Identity 2.1 Accounts Confirmation, and Password Policy Configuration - Part 2 - Bit of Technology
which is tied to this user only and valid for

BIT OFperiod.
certain TECHNOLOGY
Once the user opens this email and clicks on

the activation link, and if the token (code) is
valid the eld “EmailCon rmed” will be set
to “true” and this proves that the email
belongs to the registered user.
To do so we need to add a service which is

responsible to send emails to users, in my
case I’ll use Send Grid which is service
provider for sending emails, but you can use
any other service provider or your exchange change server to do this. If you want to follow along with this
tutorial you can create a free account with Send Grid which provides you with 400 email per day, pretty
good!
1.1 Install Send Grid

Now open Package Manager Console and type the below to install Send Grid package, this is not required
step if you want to use another email service provider. This packages contains Send Grid APIs which makes
sending emails very easy:
1 install-package Sendgrid
1.2 Add Email Service

Now add new folder named “Services” then add new class named “EmailService” and paste the code below:
1 public class EmailService : IIdentityMessageService

2 {
3 public async Task SendAsync(IdentityMessage message)
4 {
5 await configSendGridasync(message);
6 }
7
8 // Use NuGet to install SendGrid (Basic C# client lib)
9 private async Task configSendGridasync(IdentityMessage message)
10 {
11 var myMessage = new SendGridMessage();
12
13 myMessage.AddTo(message.Destination);
14 myMessage.From = new System.Net.Mail.MailAddress("taiseer@bitoftech.net", "Taiseer Joudeh");
15 myMessage.Subject = message.Subject;
16 myMessage.Text = message.Body;
17 myMessage.Html = message.Body;
18
19 var credentials = new NetworkCredential(ConfigurationManager.AppSettings["emailService:Account"],
20 ConfigurationManager.AppSettings["emailService:Password"]);
21
22 // Create a Web transport for sending email.
23 var transportWeb = new Web(credentials);
24
25 // Send the email.
26 if (transportWeb != null)
27 {
28 await transportWeb.DeliverAsync(myMessage);
29 }
30 else
31 {
32 //Trace.TraceError("Failed to create Web transport.");
33 await Task.FromResult(0);
BIT OF TECHNOLOGY
34 }
35 }
36 }
What worth noting here that the class “EmailService” implements the interface “IIdentityMessageService”,
this interface can be used to con gure your service to send emails or SMS messages, all you need to do is to
implement your email or SMS Service in method “SendAsync” and your are good to go.
In our case we want to send emails, so I’ve implemented the sending process using Send Grid in method
“con gSendGridasync”, all you need to do is to replace the sender name and address by yours, as well do not
forget to add 2 new keys named “emailService:Account” and “emailService:Password” as AppSettings to store
Send Grid credentials.
After we con gured the “EmailService”, we need to hock it with our Identity system, and this is very simple
step, open le “ApplicationUserManager” and inside method “Create” paste the code below:
1 public static ApplicationUserManager Create(IdentityFactoryOptions<ApplicationUserManager> options, IOwinContext context

2 {
3 //Rest of code is removed for clarity
4 appUserManager.EmailService = new AspNetIdentity.WebApi.Services.EmailService();
5
6 var dataProtectionProvider = options.DataProtectionProvider;
7 if (dataProtectionProvider != null)
8 {
9 appUserManager.UserTokenProvider = new DataProtectorTokenProvider<ApplicationUser>(dataProtectionProvider.Create
10 {
11 //Code for email confirmation and reset password life time
12 TokenLifespan = TimeSpan.FromHours(6)
13 };
14 }
15
16 return appUserManager;
17 }
As you see from the code above, the “appUserManager” instance contains property named “EmailService”
which you set it the class we’ve just created “EmailService”.
Note: There is another property named “SmsService” if you would like to use it for sending SMS
messages instead of emails.
Notice how we are setting the expiration time for the code (token) send by the email to 6 hours, so if the
user tried to open the con rmation email after 6 hours from receiving it, the code will be invalid.
1.3 Send the Email after Account Creation

Now the email service is ready and we can start sending emails after successful account creation, to do so
we need to modify the existing code in the method “CreateUser” in controller “AccountsController“, so open
le “AccountsController” and paste the code below at the end of the method:
1 //Rest of code is removed for brevity

2
3 string code = await this.AppUserManager.GenerateEmailConfirmationTokenAsync(user.Id);
4
5 var callbackUrl = new Uri(Url.Link("ConfirmEmailRoute", new { userId = user.Id, code = code }));
6
7 await this.AppUserManager.SendEmailAsync(user.Id,"Confirm your account", "Please confirm your account by clicking <a href=\""
8
9 Uri locationHeader = new Uri(Url.Link("GetUserById", new { id = user.Id }));
10
11 return Created(locationHeader, TheModelFactory.Create(user));
The implementation is straight forward, what we’ve done here is creating a unique code (token) which is
BIT OFthe
valid for TECHNOLOGY
next 6 hours and tied to this user Id only this happen when calling
“GenerateEmailCon rmationTokenAsync” method, then we want to build an activation link to send it in the
email body, this link will contain the user Id and the code created.
Eventually this link will be sent to the registered user to the email he used in registration, and the user needs
to click on it to activate the account, the route “Con rmEmailRoute” which maps to this activation link is not
implemented yet, we’ll implement it the next step.
Lastly we need to send the email including the link we’ve built by calling the method “SendEmailAsync”
where the constructor accepts the user Id, email subject, and email body.
1.4 Add the Con rm Email URL

The activation link which the user will receive will look as the below:
1 http://localhost/api/account/ConfirmEmail?userid=xxxx&code=xxxx
So we need to build a route in our API which receives this request when the user clicks on the activation
link and issue HTTP GET request, to do so we need to implement the below method, so in class
“AccountsController” as the new method as the below:
1 [HttpGet]
2 [Route("ConfirmEmail", Name = "ConfirmEmailRoute")]
3 public async Task<IHttpActionResult> ConfirmEmail(string userId = "", string code = "")
4 {
5 if (string.IsNullOrWhiteSpace(userId) || string.IsNullOrWhiteSpace(code))
6 {
7 ModelState.AddModelError("", "User Id and Code are required");
8 return BadRequest(ModelState);
9 }
10
11 IdentityResult result = await this.AppUserManager.ConfirmEmailAsync(userId, code);
12
13 if (result.Succeeded)
14 {
15 return Ok();
16 }
17 else
18 {
19 return GetErrorResult(result);
20 }
21 }
The implementation is simple, we only validate that the user Id and code is not not empty, then we depend
on the method “Con rmEmailAsync” to do the validation for the user Id and the code, so if the user Id is not
tied to this code then it will fail, if the code is expired then it will fail too, if all is good this method will
update the database eld “EmailCon rmed” in table “AspNetUsers” and set it to “True”, and you are done, you
have implemented email account activation!
Important Note: It is recommenced to validate the password before con rming the email account, in some
cases the user might miss type the email during the registration, so you do not want end sending the
con rmation email for someone else and he receives this email and activate the account on your behalf, so
better way is to ask for the account password before activating it, if you want to do this you need to change
the “Con rmEmail” method to POST and send the Password along with user Id and code in the request body,
you have the idea so you can implement it by yourself
2. Con gure User (Username, Email) and Password policy

2. Con gure User (Username, Email) and Password policy

BIT OF TECHNOLOGY
2.1 Change User Policy
In some cases you want to enforce certain rules on the username and password when users register into
your system, so ASP.NET Identity 2.1 system offers this feature, for example if we want to enforce that our
username only allows alphanumeric characters and the email associated with this user is unique then all we
need to do is to set those properties in class “ApplicationUserManager”, to do so open le
“ApplicationUserManager” and paste the code below inside method “Create”:

2 //Configure validation logic for usernames
3 appUserManager.UserValidator = new UserValidator<ApplicationUser>(appUserManager)
4 {
5 AllowOnlyAlphanumericUserNames = true,
6 RequireUniqueEmail = true
7 };
2.2 Change Password Policy

The same applies for the password policy, for example you can enforce that the password policy must match
(minimum 6 characters, requires special character, requires at least one lower case and at least one upper
case character), so to implement this policy all we need to do is to set those properties in the same class
“ApplicationUserManager” inside method “Create” as the code below:

2 //Configure validation logic for passwords
3 appUserManager.PasswordValidator = new PasswordValidator
4 {
5 RequiredLength = 6,
6 RequireNonLetterOrDigit = true,
7 RequireDigit = false,
8 RequireLowercase = true,
9 RequireUppercase = true,
10 };
2.3 Implement Custom Policy for User Email and Password

In some scenarios you want to apply your own custom policy for validating email, or password. This can be
done easily by creating your own validation classes and hock it to “UserValidator” and “PasswordValidator”
properties in class “ApplicationUserManager”.
For example if we want to enforce using only the following domains (“outlook.com”, “hotmail.com”,
“gmail.com”, “yahoo.com”) when the user self registers then we need to create a class and derive it from
“UserValidator<ApplicationUser>” class, to do so add new folder named “Validators” then add new class
named “MyCustomUserValidator” and paste the code below:
1 public class MyCustomUserValidator : UserValidator<ApplicationUser>

2 {
3
4 List<string> _allowedEmailDomains = new List<string> { "outlook.com", "hotmail.com", "gmail.com", "yahoo.com"
5
6 public MyCustomUserValidator(ApplicationUserManager appUserManager)
7 : base(appUserManager)
8 {
9 }
10
11 public override async Task<IdentityResult> ValidateAsync(ApplicationUser user)
12 {
13 IdentityResult result = await base.ValidateAsync(user);
BIT OF TECHNOLOGY
14
15 var emailDomain = user.Email.Split('@')[1];
16
17 if (!_allowedEmailDomains.Contains(emailDomain.ToLower()))
18 {
19 var errors = result.Errors.ToList();
20
21 errors.Add(String.Format("Email domain '{0}' is not allowed", emailDomain));
22
23 result = new IdentityResult(errors);
24 }
25
26 return result;
27 }
28 }
What we have implemented above that the default validation will take place then this custom validation in
method “ValidateAsync” will be applied, if there is validation errors it will be added to the existing “Errors”
list and returned in the response.
In order to re this custom validation, we need to open class “ApplicationUserManager” again and hock this
custom class to the property “UserValidator” as the code below:

2 //Configure validation logic for usernames
3 appUserManager.UserValidator = new MyCustomUserValidator(appUserManager)
4 {
5 AllowOnlyAlphanumericUserNames = true,
6 RequireUniqueEmail = true
7 };
Note: The tutorial code is not using the custom “MyCustomUserValidator” class, it exists in the source code
for your reference.
Now the same applies for adding custom password policy, all you need to do is to create class named
“MyCustomPasswordValidator” and derive it from class “PasswordValidator”, then you override the method
“ValidateAsync” implementation as below, so add new le named “MyCustomPasswordValidator” in folder
“Validators” and use the code below:
1 public class MyCustomPasswordValidator : PasswordValidator

2 {
3 public override async Task<IdentityResult> ValidateAsync(string password)
4 {
5 IdentityResult result = await base.ValidateAsync(password);
6
7 if (password.Contains("abcdef") || password.Contains("123456"))
8 {
9 var errors = result.Errors.ToList();
10 errors.Add("Password can not contain sequence of chars");
11 result = new IdentityResult(errors);
12 }
13 return result;
14 }
15 }
In this implementation we added some basic rule which checks if the password contains sequence of
characters and reject this type of password by adding this validation result to the Errors list, it is exactly the
same as the custom users policy.
Now to attach this class as the default password validator, all you need to do is to open class
“ApplicationUserManager” and use the code below:
BIT OF TECHNOLOGY
2 // Configure validation logic for passwords
3 appUserManager.PasswordValidator = new MyCustomPasswordValidator
4 {
5 RequiredLength = 6,
6 RequireNonLetterOrDigit = true,
7 RequireDigit = false,
8 RequireLowercase = true,
9 RequireUppercase = true,
10 };
All other validation rules will take place (i.e checking minimum password length, checking for special
characters) then it will apply the implementation in our “MyCustomPasswordValidator”.
3. Enable Changing Password and Deleting Account

Now we need to add other endpoints which allow the user to change the password, and allow a user in
“Admin” role to delete other users account, but those end points should be accessed only if the user is
authenticated, we need to know the identity of the user doing this action and in which role(s) the
user belongs to. Until now all our endpoints are called anonymously, so lets add those endpoints and we’ll
cover the authentication and authorization part next.
3.1 Add Change Password Endpoint

This is easy to implement, all you need to do is to open controller “AccountsController” and paste the code
below:
1 [Route("ChangePassword")]
2 public async Task<IHttpActionResult> ChangePassword(ChangePasswordBindingModel model)
3 {
4 if (!ModelState.IsValid)
5 {
6 return BadRequest(ModelState);
7 }
8
9 IdentityResult result = await this.AppUserManager.ChangePasswordAsync(User.Identity.GetUserId(), model.OldPassword
10
11 if (!result.Succeeded)
12 {
14 }
15
16 return Ok();
17 }
Notice how we are calling the method “ChangePasswordAsync” and passing the authenticated User Id, old
password and new password. If you tried to call this endpoint, the extension method “GetUserId” will not
work because you are calling it as anonymous user and the system doesn’t know your identity, so hold on the
testing until we implement authentication part.
The method “ChangePasswordAsync” will take care of validating your current password, as well validating
your new password policy, and then updating your old password with new one.
Do not forget to add the “ChangePasswordBindingModel” to the class “AccountBindingModels” as the code
below:
1 public class ChangePasswordBindingModel

2 {
3 [Required]
4 [DataType(DataType.Password)]
5 [Display(Name = "Current password")]
6 public string OldPassword { get; set; }
BIT OF TECHNOLOGY
7
8 [Required]
9 [StringLength(100, ErrorMessage = "The {0} must be at least {2} characters long.", MinimumLength = 6)]
11 [Display(Name = "New password")]
12 public string NewPassword { get; set; }
13
14 [Required]
16 [Display(Name = "Confirm new password")]
17 [Compare("NewPassword", ErrorMessage = "The new password and confirmation password do not match.")]
18 public string ConfirmPassword { get; set; }
19
20 }
3.2 Delete User Account

We want to add the feature which allows a user in “Admin” role to delete user account, until now we didn’t
introduce Roles management or authorization, so we’ll add this end point now and later we’ll do slight
modi cation on it, for now any anonymous user can invoke it and delete any user by passing the user Id.
To implement this we need add new method named “DeleteUser” to the “AccountsController” as the code
below:
1 [Route("user/{id:guid}")]
2 public async Task<IHttpActionResult> DeleteUser(string id)
3 {
4
5 //Only SuperAdmin or Admin can delete users (Later when implement roles)
6
7 var appUser = await this.AppUserManager.FindByIdAsync(id);
8
9 if (appUser != null)
10 {
11 IdentityResult result = await this.AppUserManager.DeleteAsync(appUser);
12
13 if (!result.Succeeded)
14 {
16 }
17
18 return Ok();
19
20 }
21
22 return NotFound();
23
24 }
This method will check the existence of the user id and based on this it will delete the user. To test this
method we need to issue HTTP DELETE request to the end point “api/accounts/user/{id}”.
The source code for this tutorial is available on GitHub.

In the next post we’ll see how we’ll implement Json Web Token (JWTs) Authentication and manage access for
all the methods we added until now.
Follow me on Twitter @tjoudeh
References
Featured Image Source
Be Sociable, Share!
BITShareOF16 TECHNOLOGY
Tweet 11  Email
Share 7
Related Posts
Integrate Azure AD B2C with ASP.NET MVC Web App – Part 3
Secure ASP.NET Web API 2 using Azure AD B2C – Part 2
Azure Active Directory B2C Overview and Policies Management – Part 1
ASP.NET Web API Claims Authorization with ASP.NET Identity 2.1 – Part 5
ASP.NET Identity 2.1 with ASP.NET Web API 2.2 (Accounts Management) – Part 1
Filed Under: ASP.NET, ASP.NET Identity, ASP.Net Web API, Web API Tutorial
Tagged With: Token Authentication, Tutorial, Web API 2
Comments
Liam says
February 3, 2015 at 2:45 am
Good article, but you should really change all the references to ‘He/him’ etc to something gender neutral.
Reply
Taiseer Joudeh says

Thanks Liam for your comment, It was a mistake, all is xed now, thanks again
Reply
Akinsanya Olanrewaju says

February 9, 2015 at 12:14 pm
Your Post have been a life saving material for us in my region, with all your past post and this, you have change
our thinking toward DotNet Development. Thanks.
Please we need this series to be completed on time, so as to use it to complete our school project.
(We are student from Africa), We enjoy your series.
Thanks.
Reply
Taiseer Joudeh says

BIT OF TECHNOLOGY
Glad to hear this, happy to know that I’m helping students in other contents to learn some cool technologies,
good luck
Reply
AndreasF says
When is the next post? Waiting for it!

Nice posts. Identity is hard for me to understand because it has so many functions.
It’s the rst time i begin understanding it. Thanks!
Reply
Taiseer Joudeh says

Glad it was useful, most probably tomorrow keep tuned!
Reply
Kurai says
Been here in the past months and I am learning new things in every post you have.. –I’m just another kid who
wants to be something great.. and I tell you.. when that happen.. I will put your name as one my “hero”… Thank you
so much…
Reply
Taiseer Joudeh says

Thanks for your sweet message, I’m really happy to know that my contribution is helping a lot of people out
there, love what you do and have passion for it and I’m sure you will be a shining star =)
Reply
BIT OF TECHNOLOGY
Tony Pollard says

I’ve been following you for some time now, and I appreciate your approach to start with an empty project and add
what you need with adequate explanation as you go. I nd myself eager and watching for your next post as you
are regular reading for me. Great job Taiseer!
Reply
Taiseer Joudeh says

Thank you Tony for your comment, glad to know that posts are useful. Part 3 is ready and should be
published this Monday.
Reply
Miguel Delgado says

Hello Taisser, thanks for all your posts and very happy to see you MVP.
Alas, I hit a bit of a bump implementing your code. I create the user and while creating the link to send the
con rmation email, it raises an exception:
on the instruction
var callbackUrl = new Uri(Url.Link(“Con rmEmailRoute”, new { userId = user.Id, code = code }));
the Url.Link raises the exception

{“Value cannot be null.\r\nParameter name: request”}
I checked the function signature and it matches…
Do you have any idea on how to x this… I can always hardcode the uri, but I’d rather suffer the pains of hell…
Thanks in advance
Miguel Delgado
Reply
Taiseer Joudeh says

BIT OF TECHNOLOGY
Hi Miguel,
Thanks for your nice words,
Double check that you have created and named the route “Con rmEmailRoute” correctly, as well you are
passing the exact parameters. This is only what I can think of now.
Download the repo and compare the code, I’m sure there is simple glitch there.
Hope this helps!
Reply
Diego says
Hi Taiseer,
What´s the point in creating an email con rmation api endpoint?
The user will see nothing else than a white screen in the browser.
The logical thing would be creating a web page to show a con rmation message, but I guess in this post you just
wanted to focus on webapi.
Apart from that, please tell me what you think about this
In my case, I´m implementing all this from a mobile application and I´m trying to make things easy to the user.
Imagine the situation: a user registers in the app and receives a message asking him/her to check the email. The
email will redirect the user to a web page (con rmation page), and then, that user has to go back to the app. 4 step
process (including registration form) is a bit overhead IMO.
So I was thinking about sending a short code (like the kind of sms con rmation codes) to the email so the user can
just write it in a textbox (inside the mobile app) instead of using urls. I´m not sure if there is any way to modify the
con rmation token asp.net generates to make for example, a 4 character number code. In that case you could see
the code in the push noti cation of your email box and even no need to open it
Any thoughts?
Reply
Taiseer Joudeh says

Hi Diego,
As you suggested you need to build a GUI on your system where in contains a link for the
“Con rmEmailRoute” end point, once the user invokes this endpoint (click on that link) and you receive 200
OK status from the API, youir GUI needs to display con rmation message and maybe redirect him to the
application as this SO question. Never tried it before
Regarding send SMS, as you suggested here you are going to send the SMS to the email so the user might
need to open the email to read the SMS code there and then close the email and go back to application to
enter it, so the same number of steps.
As well I’m not sure if you can generate friendly token (4 digits) and attach it to the user Id so the validation
for this token happens seamlessly as it happens in method “AppUserManager.Con rmEmailAsync”, I need to
BIT OF check
TECHNOLOGY
this.
Reply
Diego says
Hi Taiseer,
About the endly token:

If you do something like this in your asp.net userManager…
> IDataProtector dataProtector = dataProtectionProvider.Create(“ASP.NET Identity”);

> this.UserTokenProvider = new DataProtectorTokenProvider(dataProtector);
you get a huge token (kind of oAuth token), but I realized you can get a 6 digit “token” if you do this
instead:
> this.UserTokenProvider = new EmailTokenProvider();
Not sure about the impact in the application or any related security issues… but I can say the
con rmation works ne as well in this way.
About the con rmation message:

I´m not using legacy MVC in my project. Just webapi so I´m writing an html response like this:
[ActionName(“emailcon rmation”)]
public async Task Con rmEmailAccount(string userId, string token)
{
IdentityResult result = await aspNetUserManager.Con rmEmailAsync(userId, token);
if (result.Succeeded)
{
string body = “bla bla bla””; // this will be a proper web page
var response = new HttpResponseMessage(HttpStatusCode.OK);

response.Content = new StringContent(body, Encoding.UTF8, “text/html”);
return response;
}
else
{
GetErrorResult(result.Errors);
return Request.CreateErrorResponse(HttpStatusCode.BadRequest, ModelState);
}
}
About steps overhead and usability in mobile applications:
I´ve been reading about this in stack-over ow and many people agree that email con rmations on
mobile applications are a no-go for many users. Of course that depends on your project needs but
reasonable in many cases. So a nice way to go would be:
1. You send the welcome-con rmation email
BIT OF TECHNOLOGY
2. The user can start using the app without con rming
3. After a time period you remind the user to con rm the account (by email)
4. After another time period, if the account has not been con rmed, you just delete it (this can be done
in a background scheduled job)
That way, the users just trying to test your app will be able to do it quickly. And if they are interested
after all, clicking a link shouldn´t be a problem.
Thanks for your answer!
ps: is there anyway to tag text as code in the comments?
Reply
Diego says
I forgot to mention about redirecting user to the app from the email box.
That´s a nice solution if the user opens the email in the mobile device where the app is.
This can be done (I´m using Xamarin) like this: http://developer.xamarin.com/recipes/cross-
platform/app-links/app-links-ios/ and this: http://developer.xamarin.com/recipes/cross-
platform/app-links/app-links-android/
Reply

March 13, 2015 at 1:56 pm
I ran the source code from the updated one from github, after update the package manager, I want to the create a
new account from the create end-point
http://prntscr.com/6g70sh
This is the error i get http://prntscr.com/6g70z4
I have done all i needed to do, i dont know am doing wrong
1. http://prntscr.com/6g7180
2. http://prntscr.com/6g71s5 : Here, this is the credentials from my signup in sendgrid
Can someone help me out.
Reply
Taiseer Joudeh says

BIT OF TECHNOLOGY
March 16, 2015 at 5:15 pm
This issue with the SendGrid service trying to send con rmation email, make sure you are using the same
NuGet package I have used in the project by checking packages.con g le and double check that SendGrid
username and password are set correctly in web.con g as you obtained them from SendGrid after creating a
SendGrid account.
Reply
Regan says
March 14, 2015 at 7:47 pm
I dont get the interface >> IIdentityMessageService
Reply
Taiseer Joudeh says

March 16, 2015 at 5:20 pm
What is not clear about it? It interface used to separate the implementation of your SMS service or Email
service from Web API logic, it has method named “SendAsync” in order to implement your sending logic in it
Reply
Simon says
March 25, 2015 at 11:02 pm
Hi Taiseer,
First off I would like to thank you for your post and all the information concerning JWT. I am currently doing an
internship in a company where I was asked to do a small authentication and authorization using Identity + JWT. I
ran into a small bug and I don’t know if its me that did not implement your explications properly but for some
reason I cannot seem to be able to do any calls to Identity, for example User.Identity.GetUserId(); is always null. It
feels like the data/information from my token does not get passed. Would you be able to give me any pointers or
would you have any idea? I have been looking at your AngularJSAuthentication solution and all your other post
and I can’t seem to be able to nd out what it is.
Thank you,
Simon.
Reply
BIT OF TECHNOLOGY
Taiseer Joudeh says
March 27, 2015 at 3:51 pm
Hi Simon, are you calling the method User.Identity.GetUserId(); inside a protected controller? A controller or
action method attributed with [Authorize]? If yes then the Identity should be set, can you try checking the
property User.Identity.Name too? Does it return the authenticated UserId?
Reply
felipefurlan says
August 12, 2015 at 6:59 pm
Hello Taisser, how are you doing? I’m having this issue too. The User.Identity.Name is OK, but the ID is
always null. When I inspect the User.Identity on Imediate Window I receive the following:
{System.Security.Claims.ClaimsIdentity}
[System.Security.Claims.ClaimsIdentity]: {System.Security.Claims.ClaimsIdentity}
AuthenticationType: “Bearer”
IsAuthenticated: true
Name: “bla@bla.com.br”
I’m not sure if I’m missing something here.
Reply
David says
July 21, 2016 at 8:57 pm
Hello Taiseer,
I am also having the problem with User.Identity except User.Identity.Name = “”. Also for me
IsAuthenticated = false. I can decode the JWT token and my username is contained therein. Not sure
why Identity is not picking it up.
Reply
Torsten Tiedt says

November 10, 2016 at 1:52 pm
Hi,
I had the same issue. My user was authorized, but the returned UserId was null. I guess, the name claim has
the wrong scheme. It had “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name” instead of
“nameidentity” at the end. Thus the method returnes null.

BIT OF TECHNOLOGY
I solved it by using the name to get the id:
userManager.FindByNameAsync(User.Identity.Name)
Regards,
Torsten
Reply
Torsten Tiedt says

I think I just found the origin of my problem why GetUserId() returns null. In the method
“GrantResourceOwnerCredentials” of my AuthorizationServerProvider the claims are added to the user
like this:
var identity = new ClaimsIdentity(context.Options.AuthenticationType);

identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
identity.AddClaim(new Claim(“sub”, context.UserName));
identity.AddClaim(new Claim(“role”, “user”));
I guess if you add the claimtype “NameIdenti er” the GetUserId() method should return the user.
Note: in my answer above I wrote “namedidentity”. I guess this is wrong and should be “NameIdenti er”.
Regards,
Torsten
Reply
Taiseer Joudeh says

November 12, 2016 at 12:14 am
You are correct, the claim of type “NameIdenti er” should be used to return the UserId when
calling GetUserId()
Reply

April 1, 2015 at 2:16 pm
Hi,
BIT OF TECHNOLOGY
List _allowedEmailDomains = new List { “outlook.com”, “hotmail.com”, “gmail.com”, “yahoo.com” };
How do i create a CustomUserValidator for user and admin email separately
My application will be split into two admin registration and user registration
I want the users to register with any email address (e.g gmail.com, yahoo.com) while the admin will only register
with the of cial company email (e.g admin@company.com)
How can i seperate the logic for this or conditionally con gure this, since the validation logic for the user admin
are called from one single point in the startup.cs
Is it advisable to create the API for admin seperate from the user, or i can use thesame API for both logic.
Thanks
Reply
Ernst Bolt says

April 8, 2015 at 10:06 am
Hi Taiseer,
Microsoft.Owin.Testing doesn’t provide a DataProtectionProvider in the options parameter of

ApplicationUserManager.Create(). I’ve changed the method to:
var dataProtectionProvider = options.DataProtectionProvider;

if (dataProtectionProvider != null)
{
appUserManager.UserTokenProvider = new DataProtectorTokenProvider(dataProtectionProvider.Create(“ASP.NET
Identity”))
{
//Code for email con rmation and reset password life time
TokenLifespan = TimeSpan.FromHours(6)
};
}
else
{
var provider = new Microsoft.Owin.Security.DataProtection.DpapiDataProtectionProvider(“ASP.NET Identity”);
UserManager userManager = new UserManager(new UserStore());
appUserManager.UserTokenProvider = new DataProtectorTokenProvider(provider.Create(“ASP.NET Identity”)) {
//Code for email con rmation and reset password life time
TokenLifespan = TimeSpan.FromHours(6)
};
}
Now it’s working.
BIT OF TECHNOLOGY
Reply
GRAPHC_coder says
May 15, 2015 at 9:09 am
Hi Taiseer,
Great post! It really helps me on my project.
Just a quick heads up for those who might experience same as mine.
I was setting up our own SMTP server and testing email con rmation through Postman, “Invalid Token” happened
for URL con rmation.
Solution:
http://tech.trailmax.info/2015/05/asp-net-identity-invalid-token-for-password-reset-or-email-con rmation/
It works for me:

CreateUser() add
code = System.Web.HttpUtility.UrlEncode(code);
Con rmEmail() add
code = System.Web.HttpUtility.UrlDecode(code);
Reply
Taiseer Joudeh says

May 15, 2015 at 11:48 pm
Thanks for sharing this, what you are doing is better practice because the token might contain unsafe URL
chars which needs to be Url encoded before.
Reply
Doug says
June 27, 2015 at 3:11 am
The callback URL is for a GET to the API, but how do you handle the case where the front end is solely Angular?
How can I get the Con rmEmail API function to, upon execution from the email link click event, redirect back to
my front end Angular site after updating the EmailCon rmed ag?
Reply
engineerumairshahen says
@Doug were you able to nd the solution if yes then please share with me
BIT OF TECHNOLOGY
Reply
Actias says
June 6, 2016 at 9:30 am
You can edit the call back URL at this section of code in the AccountsController
var code = await UserManager.GenerateEmailCon rmationTokenAsync(user.Id);

var callbackUrl = new Uri(Url.Link(“Con rmEmailRoute”, new { userId = user.Id, code }));
await UserManager.SendEmailAsync(user.Id, “Con rm your account”, “Please con rm your account by

clicking here“);
Reply
dush_a says
July 9, 2015 at 3:21 am
Hi Taiseer,
I tried to create a free SendGrid account. They didn’t provide me an account since I do not have a website. Can
you please show me how to use gmail or hotmail account instead SendGrid ? (even asp.net tutorials use sendGrid,
it looks like they may have stoped the service for leaners, if you can provide a free email alternative it would be
bene cial to new learners)
This is what SendGrid support said:
“Thank you for providing further information. Although to provision your account we’ll need to know what type of
emails you’ll be sending using our service, the website provided during registration was not suf cient to help us
determine this. Without a valid, working website upon which we can determine this, your account will not be
provisioned. Please get back in touch with us when your website is nearing a state of completion.
Best,
IULIANA O.
Technical Support Engineer
SendGrid”
Reply
Mcshaz says
July 10, 2015 at 1:33 am
Thanks for posting this.
just an expansion on the comment:

BIT “Notice
OF TECHNOLOGY
how we are setting the expiration time for the code (token) send by the email to 6 hours”
so far, my testing on the Indentity 2.1 framework would indicate that the token contains datetime information on
when it was sent, rather than any data on when it is to expire. The Con rmEmailAsync method then seems to
apply the TokenLifespan as part of validating the token. The relevance of this is that changing TokenLifespan (in
testing or production) will be effective retrospectively on tokens previously sent.
Reply
Nathan says
August 4, 2015 at 9:45 pm
Did you nd that GenerateEmailCon rmationTokenAsync is creating a 500 character token? i.e.
http://localhost/api/account/Con rmEmail?userid=xxxx&code=
Sending such a long URL is running up against spam lters in our case.
Reply
Taiseer Joudeh says

August 8, 2015 at 7:11 am
Hi Nathan,
To be honest I didn’t notice that huge number of generated characters, were you able to nd solution for this
issue?
Reply
Ali Morlo says

August 13, 2015 at 4:21 pm
Slm from Africa,
thx for the stuff
i’m unable to pull the namespace for AspNetIdentity.WebApi.Services.EmailService()
Reply
Ali Morlo says

August 13, 2015 at 4:35 pm
I Got it Sorry, Just Need Some rest
Reply
BIT OF TECHNOLOGY
Taiseer Joudeh says

August 15, 2015 at 1:09 am
No problem Ali
Reply
Michael Heribert says

September 10, 2015 at 5:35 pm
Thank you for the good article! Although i followed your steps exactly, there seems to be an issue, at least for me:
When i send a create-user request, the programme creates a new user, but does not call the EmailService class so
no email is sent. Is this a known issue? Thanks in advance
Reply
Taiseer Joudeh says

Hi Michael, glad you liked it, I guess you are missing registering the service in AppUserManager as this LOC.
If it is already there, check that your SendGrid ApiId and Secret are correct.
Hope this will help.
Reply
Michael Heribert says

Hi, thank you for your quick response! I checked the registering of the EmailService in
AppUserManager, that wasn’t the problem. The credentials for the SendGridAPI are ne aswell. But by
inserting Debug.writeline commands i found out that the ApplicationUserManager class is not called. I
tried your downloaded your version from github and there it worked just perfectly and the output-
commands were shown in the console. Do you know anything else that could be the problem?
Reply
BIT OF TECHNOLOGY
mazin says
September 18, 2015 at 8:51 am
Hi Taiseer, Great article, all your articles have helped me a lot, thanks so much.
I’m still a bit confused about the emailservice, I followed your AngularJsAuthentication tutorials and so i dont have
a ApplicationUserManager class or a “Create” method to plug in the the EmailService with Identity system, where
should I place the body of code?
Reply
Taiseer Joudeh says

Hi Mazin,
If you need to use the email service to send emails, then you have to user the ASP.NET Identity system and
create an instance of the UserManager, and assign the “EmailService” property to your email sending logic,
hope this somehow clari es your concern.
Reply
johnatangarcia says
October 4, 2015 at 9:37 am
Yeah, I totally should buy you a beer. Thanks for the very detailed information!
Reply
Taiseer Joudeh says

October 12, 2015 at 10:58 am
You are welcome, happy to help
Reply
Steven Duque says

Hello Taiseer,
I have a quick question. May be simple however I’ve googled away and haven’t exactly found the answer I am
looking for. SO I am building a web app that utilizes AngularJS for the Frontend. Speci cally using the Ui,router
BIT rather
OF TECHNOLOGY
than ngRoute. So I con gured a state(route) that has the parameters of UserId and Code in order to use the
parameters in my Con rmEmailController.js . In the Con rmEmailController.js I call to the Account controller
which will then con rm the email. Upon failure or success the html will display the response message. My Issue is
this… In the email that gets sent to the User, the link needs to be something like this Here
However, in the AccountController.cs under method Register() , I cannot get the callbackUrl to be correct. I mean
it does output the link as I would expect, but when clicked I get this error “The request ltering module is
con gured to deny a request that contains a double escape sequence.” . So I ask you how can I build a link that will
pass the UserId and Code in an email that doesn’t compromise the built in security that’s blocking double spacing,
but handle the View and Controller in Angular. OR Am I putting much more work into it than I need to and there is
a simpler way to accomplish this? Thank you for taking the time to read and respond to my question! Sorry for the
long message but I wanted to be thorough.
Reply
Taiseer Joudeh says

October 12, 2015 at 10:04 am
Hi Steven,
I’m not sure if you need to URL encode the code generated then decode it once you receive it, this is the
only thing that I’m suspecting now. As well you might try sending the activation code as a query string not
part of the URI.
Let me know if this solve your issue.
Reply
Steven Duque says

Hello! And thank you for your reply! I ended up sending it as query strings. Both userId and code. Just
have to have the user login and it’ll call to the api/Account . My only issue is that the ‘+’ in the userId’s
gets replaced by spaces. Its Angular. It used to be encoded as %2B which is what I need, however many
people led issues with it on github because they needed it to be treated as %20 ( a space ) for search
query strings. Since then it has been updated and now creates a problem since I need the literal plus
sign. I am going to see if there is a way to just replace its encoding back to %2B. If you’ve got any insight
or a work around that would be much appreciated! . Thank you again!
Reply
Steven Duque says

SO It was an easy x. Just do a string.replace on the spaces and put +’s there. However my nal
error is “Invalid Token” . The result.Succeeded from the Con rmEmailAsync comes back false. I
placed breakpoints in the Register method and the Con rmEmail method to verify the userId and
code generated at both spots. They are identical. I’m not exactly sure what is going on at this
point.
Reply
BIT OF TECHNOLOGY
Steven Duque says

October 15, 2015 at 11:55 am
FIXED! Sorry for the various replies but it’s been an interesting journey haha. SO seems like
even if I do the string.replace in the frontend, when I do the $http call to the backend angular
re-encodes and decodes it. Easy solution. Just do the code = code.replace(” “,”+”); right before
calling Con rmEmailAsync();
THANK YOU for all your help!
Taiseer Joudeh says

October 21, 2015 at 11:29 am
Hi Steven,
It is encoding issue as you suggested, I do not know why the ASP.NET team didn’t generate
the con rmation code using safe URL characters, they know that those codes will be
transmitted in URL.
Khalaf says
Hi Taiseer,
I keep getting this error when I run it locally , could you please advise?
FYI I added the below keys which are valid:
exceptionMessage: “Bad Request Check `Errors` for a list of errors returned by the API.”
exceptionType: “Exceptions.InvalidApiRequestException”
stackTrace: ” at SendGrid.ErrorChecker.CheckForErrors(HttpResponseMessage response, Stream stream) at
SendGrid.ErrorChecker.d__0.MoveNext() — End of stack trace from previous location where exception was
thrown — at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNoti cation(Task task) at
SendGrid.Web.d__0.MoveNext() — End of stack trace from previous location where exception was thrown — at
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNoti cation(Task task) at
System.Runtime.CompilerServices.TaskAwaiter.GetResult() at
AspNetIdentity.Services.EmailService.d__1.MoveNext() in c:\users\armaghanbabak\documents\visual studio
Reply
BIT OF TECHNOLOGY
Taiseer Joudeh says

October 26, 2015 at 10:45 am
Hi Khalaf,
Make sure you are using the latest version of SendGrid assembly, I’m not sure why it is generating this error.
Please share it on Stack Over ow.
Reply
Biswa says
October 27, 2015 at 3:41 pm
Solved a lot of issues. This article is the masterpiece of all my research on ASP .NET Identity and OWIN Token.
Reply
Taiseer Joudeh says

Glad you nd it useful Biswa, thanks for your comment
Reply
hassan says
Hi Taiseer,
I have followed your part 1 tutorial, so far it has worked awesome, but in this part 2, you said place the code in
ApplicationUserManager class, which you have not speci ed when it was created. I am looking your project in the
GitHub and seeing you have Infrastructure folder and there you have it already, so I am trying to copy the code
from there and trying to understand each bit of code. Please advice if I missed something.
Thanks,
Hassan
Reply
BIT OF TECHNOLOGY
Taiseer Joudeh says
Hi Hassan,
I’m not sure if you missed something or I forgot a simple step but follow up with the all the posts and
everything is described clearly, hope the series will be useful for you.
Reply
hassan says
Hi Taiseer,
Sorry It was my mistake, I went to this Part 2 of ‘
ASP.NET Identity 2.1 Accounts Con rmation, and Password Policy Con guration – Part 2’, thought that
this is a Part 2 of ‘Token Based Authentication using ASP.NET Web API 2, Owin, and Identity’. But I have
nally found the Part 2 here http://bitoftech.net/2014/06/09/angularjs-token-authentication-using-
asp-net-web-api-2-owin-asp-net-identity/
Got confused with so many parts of authentication. This is fabulous article you have written, I am
following and understanding the authentication much better now. Thanks a lot man.
Reply
Taiseer Joudeh says

You are welcome, hope you grasped the concepts by now
Reply
Neil says
January 6, 2016 at 9:59 pm
Same thing happened to me. Exact same thing.
Reply
BIT OF TECHNOLOGY
Saad Ullah Khan says
For anyone who might run in to this kind of issue that if you are using different attributes than just [Route] or
[HttpGet]… On con rmEmail action you must put the attribute [HttpGet] as well.. otherwise your link to con rm
email won’t work ..
Not sure why, may be Taiseer could add something awesome here on this just like his articles
Hey Taiseer, Very useful articles, specially in a world where there aren’t much resources on the subject of identity
… Hats off my dear !!!
Reply
Taiseer Joudeh says

Hi Saad, thanks for your message, it is working at my end. But I need to check this and update the post if
something is missing. Thanks again.
Reply
Aditya M S K says
December 21, 2015 at 3:54 pm
Hi Taiseer,
Thanks for the way you have narrated the story. I stand at a little confused point and need your help in getting out
of this. it is a bit lengthy one, request you to go through it patiently. Thanks for your time.
I work on an application where I have a separate MVC layer and Web API Layer, both have the same authentication
mechanism, I have chosen the individual accounts authentication option while adding the projects. The web api
service layer will be directly accessed by some other mobile clients also.
But when the user logs in through MVC he should be able to access Web Api seamlessly, but I don’t want to really
pass the username and password fro MVC to the Web Api layer, I am told it is a bad practice. but i need to
authenticate and authorize my user, so the only option i have thought of is to have a default account at Web API
level to issue tokens, and this will be called from MVC post the authentication and a token will be returned which
is written to a cookie in the client. Now the Ajax calls from the UI can use this bearer token and get the job done.
The only glitch I have here is that, because I am using a default account I need user details again for authorization
at service level, though I am doing authorization at my UI level. The user can spoof the system. I was lost here and
came up with a solution like, when the user logs in to MVC will send across user details also along with the call to
get the WebAPI token and issue another token to the user so that the user uses both of the tokens to make a call
to web api from MVC.
I am not sure if this works or if it is even the best way. I just wanted to check with you, how I should go from here.
BIT Any
OFhelp
TECHNOLOGY
on this will be really great.
Regards,
Aditya
Reply
Taiseer Joudeh says

December 24, 2015 at 2:57 am
Your proposed solution is good, you need to obtain an access token while you are authenticating the user for
the MVC application, so you only send the username/password only once, once you obtain the access token
you can store in a cookie for further use.
Reply
Rashmi says
December 28, 2015 at 8:18 pm
Hi Taiseer,
First of all, this article is AWESOME. I am able to get a clear view of OAuth Identity Services because of your
articles. I created the con rm email functionality for new User. The con rm email link validity is set to 24 hours as
shown in this article, but somehow the link expires after 50 mins. I am unable to gure out where the issue is.
Could you please suggest something.
Regards,
Rashmi
Reply
Rashmi says
January 7, 2016 at 12:03 am
I found the solution to this issue. I am posting it if somebody faced the same issue. In my case the services
and web API were on different servers. Different machine keys caused this issue. So I generated the machine
key for my Web application and posted the same machine key in web.con g le of Identity service. After that
it worked. For more information on generating machine key, following link is helpful.
http://gunaatita.com/Blog/How-to-Generate-Machine-Key-using-IIS/1058
Reply
BIT OF TECHNOLOGY
onefootswill says
The confusion around ApplicationUserManager is because it was not created in Part 1. According to the Index at
the top of this post, this is Part 2. And up until now, there has been no mention of an ApplicationUserManager.
But, seeing that it is in the GIT repository, I’m not too worried. But it does kind of negatively impact the didactic
ow of the articles.
Reply
onefootswill says
Whoops. Looks like I’m getting this series mixed up with your 2014 series of articles. Sorry. Disregard my last
comment. And thank you for the great articles!
Reply
Taiseer Joudeh says

You are welcome, no problem and let me know if you need further help.
Reply
RR says
Easily, the best posts on asp.net Identity on the ‘Net. Puts Microsoft documentation to shame.
Congratulations !
Reply
Taiseer Joudeh says

Thank you, happy that posts are helpful.
Reply
BIT OF TECHNOLOGY
alexstrakh says
Thank you for the great post. In my case I need to validate both email and phone number for one given account.
I can generate email token with GenerateEmailCon rmationTokenAsync and then Con rmEmailAsync.
I didn’t nd related methods for SMS.
Could you please clarify?
Reply
Dennis Guthrie says

January 24, 2016 at 10:20 pm
Taiseer….awesome series. Everything working perfectly. Your tutorials are extremely clear and accurate. Very
rare. I do have one issue….I am using SendGrid for my Email Con rmation. When I change EmailCon rmation to
POST as you recommend for doing Password comparison, the link that arrives in the con rmation email is no
longer functional since a link can’t generate HTTP POST without intervening JScript. I just get a ‘The requested
resource does not support http method ‘GET” error. Can you give a little detail on how to implement the
password check in the con rmation (including maybe some suggestions for encrypting it)?
Reply
Taiseer Joudeh says

Hi Dennis,
I think you facing an issue with sending the validation token generated by asp.net identity, it contains unsafe
url chars, so you should encode it before sending it, then decode it once you receive it.
The below helper functions might help:
public static string Base64ForUrlEncode(string str)

{
byte[] encbuff = Encoding.UTF8.GetBytes(str);
return TextEncodings.Base64Url.Encode(encbuff);
}
public static string Base64ForUrlDecode(string str)

{
byte[] decbuff = TextEncodings.Base64Url.Decode(str);
return Encoding.UTF8.GetString(decbuff);
}
var callbackUrl = string.Format("{0}?code={1}&email={2}", model.RedirectUri,

BIT OF base64UrlEnCode,
TECHNOLOGYmodel.Email);
string decodedCode = Base64ForUrlDecode(model.Code);
Reply
Dennis Guthrie says

January 31, 2016 at 9:34 pm
Thanks for the reply. Unfortunately that has the same result.
The resulting link from CreateUser looked like this:
http://localhost/rcatshop/api/accounts/Con rmEmail?userId=1007&code=XXX
I can’t see anything bad about the format of the link.
Here is my CreateUser:
[Route(“create”)]
public async Task CreateUser(CreateUserBindingModel createUserModel)
{
if (!ModelState.IsValid)
{
return BadRequest(ModelState);
}
var user = new ApplicationUser()

{
UserName = createUserModel.Username,
Email = createUserModel.Email,
FirstName = createUserModel.FirstName,
LastName = createUserModel.LastName,
Level = 3,
JoinDate = DateTime.Now.Date,
};
IdentityResult addUserResult = await this.AppUserManager.CreateAsync(user,

createUserModel.Password);
if (!addUserResult.Succeeded)
{
return GetErrorResult(addUserResult);
}
// Generate con rmation token

string code = await this.AppUserManager.GenerateEmailCon rmationTokenAsync(user.Id);
// Create link for “click on this to con rm”
var callbackUrl = new Uri(Url.Link(“Con rmEmailRoute”, new { userId = user.Id, code =

UrlEncodeDecode.Base64ForUrlEncode(code), password =
UrlEncodeDecode.Base64ForUrlEncode(createUserModel.Password) }));
// Send the con rmation email
BIT OF TECHNOLOGY
await this.AppUserManager.SendEmailAsync(user.Id, “Con rm your account”, “Please con rm your
account by clicking here“);
Uri locationHeader = new Uri(Url.Link(“GetUserById”, new { id = user.Id }));
return Created(locationHeader, TheModelFactory.Create(user));

}
Here is the text of the email I receive:
Please con rm your account by clicking here
Here is my Con rm endpoint:
[HttpPost]
[Route(“Con rmEmail”, Name = “Con rmEmailRoute”)]
public async Task Con rmEmail(int userId, string code = “”, string password = “”)
{
string cd = UrlEncodeDecode.Base64ForUrlDecode(code);
string pw = UrlEncodeDecode.Base64ForUrlDecode(password);
if (userId == null || string.IsNullOrWhiteSpace(cd) || string.IsNullOrWhiteSpace(pw))
{
ModelState.AddModelError(“”, “User Id, Code, and Password are required”);
return BadRequest(ModelState);
}
var temp = await this.AppUserManager.FindByIdAsync(userId);

bool PasswordOk = false;
if (temp != null)
{
PasswordOk = await this.AppUserManager.CheckPasswordAsync(temp, pw);
}
if (PasswordOk)
{
IdentityResult result = await this.AppUserManager.Con rmEmailAsync(userId, cd);
if (result.Succeeded)
{
return Ok();
}
else
{
return GetErrorResult(result);
}
}
else
{
return StatusCode(System.Net.HttpStatusCode.Unauthorized);
}
}
And here is the result when I click the link from my email:
The requested resource does not support http method ‘GET’.
As long as I decorate the Con rm as:
BIT OF TECHNOLOGY
[HttpGet]
[Route(“Con rmEmail”, Name = “Con rmEmailRoute”)]
public async Task Con rmEmail(int userId, string code = “”, string password = “”)
All works. But as you stated in your tutorial, shouldn’t pass a password in a get param.
I am not clear how to get around this.
Is there something else I have missed?
Thanks!
Reply
syedumair (@Engineerumair3) says

@tauseer joudeh It is great article but I have one problem after email con rmation I want to redirect user to login
page how that could be done please suggest?
Reply
engineerumairshah says
@taiseer joudeh its very nice article could you please help me if I would like to change callbackurl from web api
route to angular how could be done ?
Reply
Taiseer Joudeh says

Hi,
This is very deep implementation detail for your case, I really can not look at it right now but you could add
any link you want in your response and the user will receive it in the email and click on it and get redirected
to this URL.
Reply
BIT OF TECHNOLOGY
stt106 says
March 20, 2016 at 7:56 pm
Hi Taiseer,
Like others I have found your series on web api identity and token authorization very useful.
I have a question about using email/text to validate the user identity. I am writing an API for a mobile app; on
registration user will need either to enter email or mobile number so that their identity can be veri ed. Since
sending email/text message to user is not free, I want to protect from being attached by someone who tries to
create many fake registrations. For example, if someone somehow knows my user registration url and since user
post request has to allow anonymous (to allow real user to register through the mobile app); he/she can post
many fake registrations each of which will trigger sending an email or a text message; which can be costly.
Do you have any advice on preventing such an attack? My idea is to add a custom header in my new user post
request so that I can validate this header value in each post request and if the header value is not matching a
secret then I will reject the post request. And since this is for a mobile app, it’s safe to include the secret in the
header on the client side for real user registration. Does this make sense?
Thanks.
Reply
Taiseer Joudeh says

March 20, 2016 at 11:35 pm
Maybe you need to implement some sort of throttling (rate limiting) for this endpoint, check out this repo, I
think it will be better than building thing from scratch.
Reply
Markus Kollers says

March 25, 2016 at 1:30 am
Hi Taiseer,
i really love your articles! They help me soooooo much, but i still got a problem
The Destination of IdentityMessage in my EmailService is always null. So i tried to get the email of the newly
created user, and “UserManager.GetEmail” always returns null too, but the user is created as i can see in the
database and his id is correct too. Do you have any idea what this can be, or do you had any issue like this before?
Reply
Taiseer Joudeh says

March 27, 2016 at 2:30 pm

BIT OF TECHNOLOGY
That is strange, did you try to download the repo and test it out and compare it to your code?
Really hard to troubleshoot the issue without seeing your code, so my recommendation is to download the
repo and compare.
Reply
Clifford Kwadwo Owusu says

June 28, 2016 at 2:41 pm
Hello,
I am very much enjoying this tutorial. It is helping me with the understanding i have needed, but then i run into
this error which i still can’t solve. I am still on the rst post “account management” and i get this error:
{“message”:”The request is invalid.”,”modelState”:{“”:[“Name cannot be null or empty.”]}}
I do not know where to nd the error to x it.
Please help me
Reply
Ali Reza shokoohmnad says

July 12, 2016 at 7:46 pm
hi … Thanks for the wonderful education.

I am EmailService class to using Gmail instead of Sendgrid have changed.But I could not get the answer. Please
help me to x the error.
using Microsoft.AspNet.Identity;
using System.Net;
using System.Net.Mail;
using System.Threading.Tasks;
namespace Myapp.Services
{
public class EmailService : IIdentityMessageService
{
public async Task SendAsync(IdentityMessage message)
{
await con gSendasync(message);
}
// Use NuGet to install SendGrid (Basic C# client lib)
private async Task con gSendasync(IdentityMessage message)
{
using (MailMessage email = new MailMessage())
{
string emailFrom = “xxxx@gmail.com”;
string password = “xxxxx”;
// Create the message:

BIT email.From
OF TECHNOLOGY
= new MailAddress(emailFrom,”email sender”);
email.To.Add(new MailAddress(message.Destination));
email.BodyEncoding = System.Text.Encoding.UTF8;
email.SubjectEncoding = System.Text.Encoding.UTF8;
email.Subject = message.Subject;
email.Body = message.Body;
email.IsBodyHtml = true;
// Can set to false, if you are sending pure text.
//email.Attachments.Add(new Attachment(“C:\\SomeFile.txt”));
//email.Attachments.Add(new Attachment(“C:\\SomeZip.zip”));
using (SmtpClient smtp = new SmtpClient())

{
// Con gure the client:
// Credentials:
smtp.Host = “smtp.gmail.com”;
//TLS port: 25, 587
//SSL port:465
smtp.Port = 25;
// Create the credentials:
smtp.Credentials = new NetworkCredential(emailFrom, password);
smtp.DeliveryMethod = SmtpDeliveryMethod.Network;
smtp.UseDefaultCredentials = false;
smtp.EnableSsl = true;
//smtp.Send(email);
// Send:
await smtp.SendMailAsync(email);
}
}
}
}
}
Reply
Ninh says
July 14, 2016 at 6:04 am
Hi,
At that time I do this tutorial, I used Web API v2 and Net Framework 4.5. I need install SendGrid-Net40 instead of
SendGrid.
SendGrid does not have SendGridMessage Class.
Reply
clark says
July 18, 2016 at 12:56 pm
Hi Ninh,
Using Install-Package Sendgrid -Version 5.0.0
BIT OF TECHNOLOGY
Reply
hartmut says
hey clark, you saved my day, thanks
Reply
Vladimir says
July 22, 2016 at 11:21 pm
Hello Taiser, great tutorials
i get an error on
applicationUserManager.cs
appUserManager.EmailService = new AspNetIdentity.WebApi.Services.EmailService();
Saying: The type or namespace name ‘AspNetIdentity’ could not be found (are you missing a using directive or an
assembly reference?)
Reply
Taiseer Joudeh says

July 24, 2016 at 12:59 pm
Hello Vlad,
Make sure you are updating the packages using NuGet package manager, if this didn’t work please search the
issue on GitHub as I’m sure you will nd a detailed solution.
Reply
Christophe Hvd says

Hi Vladimir,
Hope you already found the solution. If not, the problem is just that here Taiseer speci es the full namespace
of the EmailService you created before. Just remove the “AspNetIdentity.WebApi.Services.” and it should
BIT OF work
TECHNOLOGY
perfectly
Reply
Fábio Jansen says

October 21, 2016 at 11:32 am
Hello friend.
Thanks for the excellent article. Its saving my life.
Im having problem with the username validation and UniqueEmail validation.
I have added as you mentioned the :
appUserManager.UserValidator = new MyCustomUserValidator(appUserManager)

{
AllowOnlyAlphanumericUserNames = true,
RequireUniqueEmail = true
};
to my ApplicationUserManager class, but when i try to create a new user, its not being used.
Im making some mistake?
Thanks
Reply
Taiseer Joudeh says

Hello Fabio,
Can you show me how did you register your AppUserManager there should be soemthing missing.
Reply
LK says
March 9, 2017 at 1:32 am
2 years later and this walk-through is still extremely helpful. Bravo and thank you!
I’m new to API access security, so a few questions for you:
1) When you mention changing the “Con rmEmail” route to POST, could you elaborate on how this would be
BIT done?
OF TECHNOLOGY
The only way I can fathom would be to send a link that leads to a webpage (something like
http://www.mywebsite.com/validate?userid=xxxx&code=xxxx), where the user would then be prompted to enter
the password that they just created for the account. This would effectively stop an unintended user from
validating an account by accident, that they didn’t create.
2) Seeing as these posts ARE 2 years old now, are there any major differences in implementation that you would
recommend given the current state of the .NET Identity Framework?
3) Would you still say that the .NET Identity Framework is one of the best ways to securely manage WebAPI access
by today’s standards? I want to make sure I’m not implementing / familiarizing myself with something that has
quickly fallen behind standard-wise.
Reply
Taiseer Joudeh says

March 11, 2017 at 1:14 pm
Hello LK,
Thanks for your kind comment
Please nd the answers below:
1. If you need to have ultimate security work ow, asking for the password is a better approach, so you need
to include the password when you validate the code and userid/password.
2. If you are using ASP.NET 4.6 (Not ASP.NET Core) this post is very relevant, I believe I was using the latest
version of ASP.NET Identity (2.1) which is used with ASP.NET 4.6
3. Well the Identity framework is used to store your users, roles, claims, etc.. the OWIN middlewares for
Authorization are used to protect your WebAPI, I recommend always to take a look at the ThinkTecture
Identity Server if you want to learn something which is built on OAuth and OpenId connect standards and
provides you SSO, support for multiple clients, etc..
Reply
S Rehman Ali says

March 13, 2017 at 12:28 pm
Hi,
First of all awesome work helped me a lot!!
Second there were some bugs since sendgrid is updated but i gure out error on this line
var transportWeb = new Web(credentials);
what is Web here i cant nd its namespace
Reply
BIT OF TECHNOLOGY
Dima says
June 6, 2017 at 10:04 pm
Great series of articles! Thanks for it!
Reply
Taiseer Joudeh says

June 13, 2017 at 12:47 am
You are welcome Dima
Reply
Leave a Reply
Your email address will not be published. Required elds are marked *
Comment
Name *
Email *
Website
POST COMMENT
BIT OF TECHNOLOGY ABOUT TAISEER
Husband, Father,
Consultant @ MSFT,
Life Time Learner...
Read More…
RECENT POSTS
Integrate Azure AD B2C with ASP.NET

MVC Web App – Part 3
Secure ASP.NET Web API 2 using

Azure AD B2C – Part 2
Azure Active Directory B2C Overview

and Policies Management – Part 1
ASP.NET Web API Claims

Authorization with ASP.NET Identity
2.1 – Part 5
ASP.NET Identity 2.1 Roles Based

Authorization with ASP.NET Web API
– Part 4
BLOG ARCHIVES
Blog Archives
BIT OF TECHNOLOGY Select Month
RECENT POSTS TAGS
Integrate Azure AD B2C with ASP.NET MVC Web App

– Part 3
AJAX AngularJS API API Versioning
Secure ASP.NET Web API 2 using Azure AD B2C – Part ASP.NET Authentication Autherization
2 Server Azure Active Directory B2C Azure AD B2C
Azure Active Directory B2C Overview and Policies basic authentication C# CacheCow Client Side Templating Code
Management – Part 1
First Dependency Injection Entity
ASP.NET Web API Claims Authorization with ASP.NET
Framework ETag Foursquare API HTTP Caching
Identity 2.1 – Part 5
HTTP Verbs IMDB API IoC Javascript jQuery JSON JSON Web
ASP.NET Identity 2.1 Roles Based Authorization with Tokens JWT Model Factory Ninject OAuth OData
ASP.NET Web API – Part 4
Pagination Resources Association Resource Server REST
RESTful Single Page Applications SPA
Token Authentication Tutorial
Web API Web API 2 Web API

Security Web Service wordpress.com
SEARCH
Search this website …
Copyright © 2017 ·eleven40 Pro Theme · Genesis Framework by StudioPress · WordPress · Log in

Api Rest

Diunggah oleh

Informasi Dokumen

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Api Rest

Diunggah oleh

Hak Cipta:

Format Tersedia

14/7/2017 ASP.NET Identity 2.

1 Accounts Confirmation, and Password Policy Configuration - Part 2 - Bit of Technology

ARCHIVE ABOUT ME SPEAKING CONTACT

ASP.NET Identity 2.1 Accounts Con rmation, and Password

Share 16 Tweet Share 11 7  Email

The source code for this tutorial is available on GitHub.

ASP.NET Identity 2.1 Accounts Con rmation, and Password/User Policy

Send Con rmation Emails after Account Creation.

1 . Send Con rmation Emails after Account Creation

which is tied to this user only and valid for

Once the user opens this email and clicks on

To do so we need to add a service which is

1.1 Install Send Grid

1.2 Add Email Service

1 public class EmailService : IIdentityMessageService

1 public static ApplicationUserManager Create(IdentityFactoryOptions<ApplicationUserManager> options, IOwinContext context

1.3 Send the Email after Account Creation

1 //Rest of code is removed for brevity

1.4 Add the Con rm Email URL

2. Con gure User (Username, Email) and Password policy

2. Con gure User (Username, Email) and Password policy

1 //Rest of code is removed for brevity

2.2 Change Password Policy

1 //Rest of code is removed for brevity

2.3 Implement Custom Policy for User Email and Password

1 public class MyCustomUserValidator : UserValidator<ApplicationUser>

1 //Rest of code is removed for brevity

1 public class MyCustomPasswordValidator : PasswordValidator

3. Enable Changing Password and Deleting Account

3.1 Add Change Password Endpoint

1 public class ChangePasswordBindingModel

3.2 Delete User Account

The source code for this tutorial is available on GitHub.

Taiseer Joudeh says

Akinsanya Olanrewaju says

Taiseer Joudeh says

When is the next post? Waiting for it!

Taiseer Joudeh says

Glad it was useful, most probably tomorrow keep tuned!

Taiseer Joudeh says

Tony Pollard says

Taiseer Joudeh says

Miguel Delgado says

the Url.Link raises the exception

I checked the function signature and it matches…

Taiseer Joudeh says

February 16, 2015 at 10:23 am

Taiseer Joudeh says

About the endly token:

> IDataProtector dataProtector = dataProtectionProvider.Create(“ASP.NET Identity”);

> this.UserTokenProvider = new EmailTokenProvider();

About the con rmation message:

var response = new HttpResponseMessage(HttpStatusCode.OK);

About steps overhead and usability in mobile applications:

1. You send the welcome-con rmation email

Thanks for your answer!

ps: is there anyway to tag text as code in the comments?

Akinsanya Olanrewaju says

This is the error i get http://prntscr.com/6g70z4

I have done all i needed to do, i dont know am doing wrong

Can someone help me out.

Taiseer Joudeh says

I dont get the interface >> IIdentityMessageService

Taiseer Joudeh says