Can / should IdentityServer4 be used to generate a token for user authentication

I have an IdentityServer4 setup for API authentication, although I have a use case where I want to verify that a guest (user) is essentially a valid user. A valid user in my case is anyone with a valid email address, so I want to do the following:

  • send the user an email with a verification token (preferably something that is a blur of their email address, some salt and an expiration)
  • the user can then enter this token into my application and they are allowed to go ahead

I was wondering if I should use IdentityServer4 to achieve the above?

Their tools show that you can generate a token, although I am very new to this topic so I was hoping for some guidance.

+3

1 answer


No, those are Identity Server access_tokens, which are related to claims-based authentication.

The tokens that need to be used to verify email are usually referred to as user tokens or one-time passwords (OTP). You can find a lot of information on how to generate / consume them using these search terms, but if you use ASP.NET Identity classes like UserManager you will find it has one built in and ready to use. Or you can register your own UserTokenProvider with UserManager.

In general, you would do something like this:

  • Use UserTokenProvider to get a token (OTP) for a specific user. The UserManager will use that user's security hash and your own "reason" (e.g. "EmailVerification") to generate a short OTP.
  • Then you can wrap that OTP in an object that includes an email address, maybe a user id and whatever you like. Base64Url-encode it (there is in fact a helper function in Identity Server that does this, making sure there is no extra _ at the end to be messy with HTML links) and put it in the email to the user.
  • The user clicks on your link, which takes them to your password validator controller, with the token embedded as the payload. You decrypt it, determine which user it was for, and ask the UserManager to check that the OTP part is still valid.
  • Work is done.

If you want them to directly enter the OTP into your app at login time, you could skip the entire email link portion and just email a short OTP directly.

+5

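The flow described in the answer above, written out as an added example (it is not code from the original post, nor from ASP.NET Identity or IdentityServer). It assumes the stock ASP.NET Core Identity `UserManager<IdentityUser>` with its default token providers and `WebEncoders` from Microsoft.AspNetCore.WebUtilities; `EmailVerificationPayload` and `EmailVerificationTokens` are hypothetical names chosen for the example.

```csharp
using System;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.WebUtilities;

// Hypothetical wrapper carried inside the emailed link (not an ASP.NET Identity type).
public sealed record EmailVerificationPayload(string UserId, string Email, string Otp);

public sealed class EmailVerificationTokens
{
    // The "reason" bound into the OTP: a token generated for this purpose is rejected
    // if it is later presented for another one (e.g. password reset).
    private const string Purpose = "EmailVerification";
    private readonly UserManager<IdentityUser> _userManager;

    public EmailVerificationTokens(UserManager<IdentityUser> userManager) => _userManager = userManager;

    // Steps 1-2: get a short, purpose-bound OTP from the token provider and wrap it in a URL-safe payload.
    public async Task<string> CreateLinkTokenAsync(IdentityUser user)
    {
        // DefaultEmailProvider yields a short TOTP-style code derived from the user's security stamp;
        // register your own UserTokenProvider under a different name to change the format.
        string otp = await _userManager.GenerateUserTokenAsync(user, TokenOptions.DefaultEmailProvider, Purpose);
        var payload = new EmailVerificationPayload(user.Id, user.Email!, otp);
        // Base64Url uses no '+', '/' or trailing '=' padding, so the value survives inside an HTML link unchanged.
        return WebEncoders.Base64UrlEncode(JsonSerializer.SerializeToUtf8Bytes(payload));
    }

    // Step 3: decode the payload, look up the user it names, and let UserManager validate the OTP.
    public async Task<bool> VerifyLinkTokenAsync(string linkToken)
    {
        EmailVerificationPayload? payload;
        try
        {
            payload = JsonSerializer.Deserialize<EmailVerificationPayload>(WebEncoders.Base64UrlDecode(linkToken));
        }
        catch (Exception e) when (e is FormatException || e is JsonException)
        {
            return false; // tampered or truncated link: treat as invalid rather than throwing
        }
        if (payload is null) return false;

        var user = await _userManager.FindByIdAsync(payload.UserId);
        // The address in the payload must still belong to the account, so a token minted for one
        // address cannot be used to confirm a different one.
        if (user is null || !string.Equals(user.Email, payload.Email, StringComparison.OrdinalIgnoreCase))
            return false;

        // Fails when the OTP has expired, was issued for another purpose, or the security stamp changed.
        return await _userManager.VerifyUserTokenAsync(user, TokenOptions.DefaultEmailProvider, Purpose, payload.Otp);
    }
}
```

Note that the payload is only encoded, not encrypted, so the email address and user id are readable from the link; the protection against forgery comes from the OTP, which is verified against the user's security stamp on the server.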