ASP.NET Identity 2.0: How to Rephrase a Password

I am migrating users from the old user store to ASP.NET Identity 2.0 in my ASP.NET 5.0 web application. I have a stale hash checker, but I want to update them at login time to ASP.NET Identity 2.0 hashes.

I created a custom IPasswordHasher, one that is capable of detecting and checking stale hashes and returning PasswordVerificationResult.SuccessRehashNeeded at the appropriate time. (If it finds that the hash is not stale, it just goes to ASP.NET inline ID hash verification.)

However, returning PasswordVerificationResult.SuccessRehashNeeded doesn't appear to result in ASP.NET Identity actually doing anything. Is there a configuration option somewhere that will cause the system to rerun the passwords when IPasswordHasher returns this result?

If the answer doesn't match the above, then am I recommended to just reuse the hash and update the user manually? Where would I do it? I don't see any place at the controller level where I can see the PasswordVerificationResult.

I'm new to ASP.NET Identity, so I'm pretty sure I'm missing something simple. Thank you in advance for any pointers.

+3




1 answer


It seems the rehashing mechanism is not implemented in the built-in custom manager. But hopefully you could easily implement it. Consider this:



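using System.Threading.Tasks;
using Microsoft.AspNet.Identity;

public class ApplicationUserManager : UserManager<ApplicationUser>
{
    // UserManager has no parameterless constructor, so pass the store through.
    public ApplicationUserManager(IUserStore<ApplicationUser> store) : base(store) { }

    // Called by CheckPasswordAsync during sign-in.
    protected override async Task<bool> VerifyPasswordAsync(
          IUserPasswordStore<ApplicationUser, string> store,
          ApplicationUser user, string password)
    {
        var hash = await store.GetPasswordHashAsync(user);
        var verifyRes = PasswordHasher.VerifyHashedPassword(hash, password);

        if (verifyRes == PasswordVerificationResult.SuccessRehashNeeded)
        {
            // Replace the stale hash with one produced by the current hasher.
            await store.SetPasswordHashAsync(user, PasswordHasher.HashPassword(password));
            // The stock Entity Framework UserStore only sets the property in memory,
            // so save the user to persist the new hash.
            await UpdateAsync(user);
        }

        return verifyRes != PasswordVerificationResult.Failed;
    }
}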

      

+3
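
An added example, not code from the question or the answer, of the kind of hasher the question describes: it recognises a legacy hash, returns SuccessRehashNeeded on a match, and otherwise defers to the built-in verification. The class name, the `LEGACY$` prefix and the salted SHA-256 legacy format are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNet.Identity;
public class LegacyAwarePasswordHasher : PasswordHasher   // hypothetical name
{
    // Assumed legacy format, constructed for this example:
    //   "LEGACY$" + base64(salt) + "$" + base64(SHA-256(salt || UTF-8 password))
    private const string LegacyPrefix = "LEGACY$";

    public override PasswordVerificationResult VerifyHashedPassword(
        string hashedPassword, string providedPassword)
    {
        if (hashedPassword == null || providedPassword == null)
            return PasswordVerificationResult.Failed;

        // Not a legacy value: defer to the built-in Identity verification.
        if (!hashedPassword.StartsWith(LegacyPrefix, StringComparison.Ordinal))
            return base.VerifyHashedPassword(hashedPassword, providedPassword);

        var parts = hashedPassword.Substring(LegacyPrefix.Length).Split('$');
        if (parts.Length != 2) return PasswordVerificationResult.Failed;

        byte[] salt, expected, actual;
        try
        {
            salt = Convert.FromBase64String(parts[0]);
            expected = Convert.FromBase64String(parts[1]);
        }
        catch (FormatException) { return PasswordVerificationResult.Failed; }

        using (var sha = SHA256.Create())
        {
            var pwd = Encoding.UTF8.GetBytes(providedPassword);
            var input = new byte[salt.Length + pwd.Length];
            Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
            Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
            actual = sha.ComputeHash(input);
        }
        // Compare without an early exit so timing does not reveal the mismatch position.
        int diff = expected.Length ^ actual.Length;
        for (int i = 0; i < expected.Length && i < actual.Length; i++)
            diff |= expected[i] ^ actual[i];

        // A legacy match succeeds but tells the caller to replace the stored hash.
        return diff == 0 ? PasswordVerificationResult.SuccessRehashNeeded
                         : PasswordVerificationResult.Failed;
    }
}
```

HashPassword is inherited unchanged, so every rehash is written in the Identity format; the hasher takes effect once it is assigned to the manager's PasswordHasher property.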

