ResetPassword Token, How/Where is this Stored

I have been struggling with the last step of a password reset using Microsoft Identity Owin. 

I tested the following to confirm I can generate a token and reset a user password with it. This works if I execute both lines within the same ActionResult (LostPassword):

var token = UserManager.GeneratePasswordResetToken( tryUser.Id );
UserManager.ResetPassword( tryUser.Id, token, "Test123" );

However, if I only generate the token in one action (LostPassword ActionResult), and then try to utilize the password in the (ResetPassword POST) action after confirming the email address, it does not work:

var resetUser = UserManager.FindByEmail(model.Email);
UserManager.ResetPassword( resetUser.Id, model.ReturnToken, "Test123" );

I have also broken the code and confirmed that model.ReturnToken is indeed the token generated in the earlier ActionResult (LostPassword), and resetUser.Id is valid and matches the database entry. Somehow the token is not stored/transferred between actions.

Where is the original token stored and can I directly access it, to compare and troubleshoot? Why is it not valid when I retrieve it in another action from the model.ReturnToken? I'm at the brink of storing the code manually but I think it will be better/more secure to use the built-in Microsoft Identity features.
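An added example (not code from the original post) of the two-request reset flow that the built-in token provider expects, using the asker's action names. It assumes the ApplicationUserManager from the ASP.NET Identity 2 template, a ResetPasswordViewModel with Email, ReturnToken and Password properties, and the template's default DataProtectorTokenProvider configured as UserTokenProvider.

```csharp
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

// Assumed types: ApplicationUserManager and ResetPasswordViewModel come from the VS template.
public class AccountController : Controller
{
    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    // Request 1: generate the token and hand it to the user in a link. Nothing is persisted:
    // DataProtectorTokenProvider encrypts userId + purpose + timestamp + SecurityStamp, and the
    // same provider decrypts and re-checks that blob on reset, so there is no stored value to
    // look up and compare. Url.Action URL-encodes the token; a raw token contains '+', '/' and
    // '=' and is corrupted if pasted into a URL unencoded, which then fails as "Invalid token".
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public async Task<ActionResult> LostPassword(string email)
    {
        var user = await UserManager.FindByEmailAsync(email);
        if (user == null)
            return View("LostPasswordConfirmation"); // same response whether or not the account exists
        string token = await UserManager.GeneratePasswordResetTokenAsync(user.Id);
        string callbackUrl = Url.Action("ResetPassword", "Account",
            new { userId = user.Id, code = token }, protocol: Request.Url.Scheme);
        await UserManager.SendEmailAsync(user.Id, "Reset Password", "Reset your password here: " + callbackUrl);
        return View("LostPasswordConfirmation");
    }

    // Request 2 (GET): only carry the token into the form; do not try to validate it here.
    [AllowAnonymous]
    public ActionResult ResetPassword(string code)
    {
        return code == null ? View("Error") : View(new ResetPasswordViewModel { ReturnToken = code });
    }

    // Request 3 (POST): ResetPasswordAsync validates the token against the user. Inspect the
    // IdentityResult instead of comparing tokens by hand; an expired token, a changed
    // SecurityStamp or a mangled string all surface as entries in result.Errors.
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public async Task<ActionResult> ResetPassword(ResetPasswordViewModel model)
    {
        if (!ModelState.IsValid) return View(model);
        var user = await UserManager.FindByEmailAsync(model.Email);
        if (user == null) return RedirectToAction("ResetPasswordConfirmation");
        IdentityResult result = await UserManager.ResetPasswordAsync(user.Id, model.ReturnToken, model.Password);
        if (result.Succeeded) return RedirectToAction("ResetPasswordConfirmation");
        foreach (var error in result.Errors) ModelState.AddModelError("", error);
        return View(model);
    }
}
```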

