Unable to Confirm Email using Default Token Provider

[Exagram]

Describe the bug

Goals

I want to force newly-registered users to verify their emails before using my site. I assume that I have to use UserManager.GenerateEmailConfirmationTokenAsync(), TokenOptions.EmailConfirmationTokenProvider, `UserManager.ConfirmEmailAsync(). However when I sequentially call these methods I always get back "invalid token".

Token Provider Mismatch?

• I added a breakpoint in your library / class "UserManager.cs", and found out that TokenOptions.EmailConfirmationTokenProvider = DefaultProvider, not Email like DefaultEmailProvider. Is this a bug?
• In the documentation (https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.identity.tokenoptions.emailconfirmationtokenprovider?view=aspnetcore-3.1#Microsoft_AspNetCore_Identity_TokenOptions_EmailConfirmationTokenProvider) I see EmailConfirmationTokenProvider mentions IUserTwoFactorTokenProvider<TUser>. Confused. I'm trying to implement email confirmation not two-factor authentication.

Changing the EmailConfirmationTokenProvider = "Email" works?

In startup.cs I added:

services.AddIdentity<CustomUser, CustomRole>(options => {
    options.Tokens.EmailConfirmationTokenProvider = TokenOptions.DefaultEmailProvider;
});

• Instead of 200-char hex verification codes I get back a 6-digit number. I am able to confirm my email! However I want to understand the reason for why Identity is failing and second use the default 200-char hex verification codes.

Note: I've switched between making all my services/repo's transient and singletones and that didn't help.

I've found the documentation (https://docs.microsoft.com/en-us/aspnet/core/security/authentication/identity-custom-storage-providers?view=aspnetcore-3.1 and https://docs.microsoft.com/en-us/aspnet/core/security/authentication/accconfirm?view=aspnetcore-3.1&tabs=visual-studio#scaffold-registerconfirmation) to not have enough details to solve these above mentioned ambiguities.

To Reproduce

Startup.cs:

//ConfigureServices():
services.AddSingleton<IPasswordHasher<CustomUser>, PasswordHasher<CustomUser>>();
services.AddSingleton<ISqlConnectionFactory, SqlConnectionFactory>();
services.AddSingleton<IUserRepository, UserRepository>();
services.AddSingleton<IRoleStore<CustomRole>, CustomRoleStore>();
services.AddSingleton<IUserStore<CustomUser>, CustomUserStore>();
services.AddControllers();
services.AddIdentity<CustomUser, CustomRole>().AddDefaultTokenProviders();
services.ConfigureApplicationCookie(options => {...});
services.AddAuthorization();
//Configure():
builder.UseAuthentication();
builder.UseAuthorization();
builder.UseEndpoints(endpoints =>
                {
                    endpoints.MapControllers();
                });

CustomUserStore:

public class CustomUserStore : IUserStore<CustomUser>, IUserPasswordStore<CustomUser>, IUserRoleStore<CustomUser>, IUserEmailStore<CustomUser>, IUserSecurityStampStore<CustomUser> { ... }

CustomRoleStore:

public class CustomRoleStore : IRoleStore<CustomRole>, IRoleClaimStore<CustomRole>, IDisposable { ... }

Exceptions (if any)

"Invalid token"

Further technical details

• ASP.NET Core version 3.1.6
• Include the output of dotnet --info

.NET Core SDK (reflecting any global.json):
 Version:   3.1.302
 Commit:    41faccf259

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.18363
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\3.1.302\

Host (useful for support):
  Version: 3.1.6
  Commit:  3acd9b0cd1

.NET Core SDKs installed:
  2.1.700 [C:\Program Files\dotnet\sdk]
  2.2.300 [C:\Program Files\dotnet\sdk]
  3.1.302 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:
  Microsoft.AspNetCore.All 2.1.11 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.1.20 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.2.5 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.2.8 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.App 2.1.11 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.1.20 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.2.5 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.2.8 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.1.6 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 2.1.11 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.1.20 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.2.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.2.8 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.1.6 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 3.1.6 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

• The IDE (VS / VS Code/ VS4Mac) you're running on, and it's version
  VS 2019 Community Latest

[HaoK]

Email confirmation is usually sent via email with a data protection link which is that 200 hex string that you see. The naming of the interfaces was unfortunately a bit too specific, you can think of them as just TokenProviders they aren't tied to two factor in any way, but that was their intended purpose originally

[Exagram]

@HaoK Yes that is an obvious answer. However email confirmation and password reset don't properly work. I want to debug the issue however the API's don't return the input/persisted values. Can you comment on the remaining questions above?

Thanks for your time!

[HaoK]

They should work if you aren't updating the security stamp of your user in between generating and using the tokens.

[Exagram]

I implemented the interface IUserSecurityStampStore<CustomUser>.SetSecurityStampAsync() as follows:

public Task SetSecurityStampAsync(CustomUser user, string stamp, CancellationToken cancellationToken)
        {
            cancellationToken.ThrowIfCancellationRequested();
            if (user == null) throw new ArgumentNullException(nameof(user));
            if (string.IsNullOrEmpty(stamp)) throw new ArgumentNullException(nameof(stamp));
            user.SecurityStamp = stamp;
            return Task.CompletedTask;
        }

I see zero references of this function in my code.

What is the recommended dependency level for the custom stores? I noticed UserManager and SignInManager throw a cyclic dependency issues when I add them to my singleton domain service constructors. Were these managers set as scoped on purpose? Should my custom password hasher, user/role stores likewise be set to scoped (see below)?

services.AddSingleton<IPasswordHasher<CustomUser>, PasswordHasher<CustomUser>>();
services.AddSingleton<IUserStore<CustomUser>, CustomUserStore>();
services.AddSingleton<IRoleStore<CustomRole>, CustomRoleStore>();

[HaoK]

Yes they are scoped by default since the stores are scoped due to dependencies on httpcontext and dbcontext which are request scoped as well. SetSecurityStamp happens via user manager (or explicit in app) calls to UpdateSecurityStamp

Thank you for contacting us. Due to a lack of activity on this discussion issue we're closing it in an effort to keep our backlog clean. If you believe there is a concern related to the ASP.NET Core framework, which hasn't been addressed yet, please file a new issue.

This issue will be locked after 30 more days of inactivity. If you still wish to discuss this subject after then, please create a new issue!