Wednesday, April 13, 2016

Generate and validate OWIN user tokens across domains


I would like to know whether it's possible to validate ASP.NET Identity user tokens on website 1, generated on website 2.

In my case, both websites actually use the same UserManager, which is defined in an assembly that both sites use. Startup.Auth.cs is identical for the two sites. However, a token generated on the first site fails to validate on the other one.

Code used on first website to generate token:

    string userId = User.Identity.GetUserId();
    var manager = HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();
    string token = await manager.GenerateUserTokenAsync("SomePurpose", userId);

Then passed as query parameters to the other website:

    var manager = HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();
    if (await manager.VerifyUserTokenAsync(userId, "SomePurpose", token))
    {
        // Do something
    }

Validation always fails in this scenario. If I validate the token on the same site where it was generated, it passes.

Here's how the token provider is assigned in ApplicationUserManager (options.DataProtectionProvider is of type CallDataProtectionProvider at runtime):

    var dataProtectionProvider = options.DataProtectionProvider;
    if (dataProtectionProvider != null)
    {
        manager.UserTokenProvider =
            new DataProtectorTokenProvider<UserProfile>(dataProtectionProvider.Create("SomeName"));
    }

Is this behavior intentional or am I doing something wrong?

1 Answer

It turns out token generation and verification use the machine key. To generate/verify, the websites need to have the same machineKey configured.
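The fix described in the answer, as an added example that is not code from the original question or answer: when OWIN is hosted on IIS, the data protector behind DataProtectorTokenProvider wraps System.Web's MachineKey API, so site 2 can only unprotect what site 1 protected if both Web.config files carry the same explicit machineKey element (the purpose string passed to Create, "SomeName" above, must match as well, which it already does here because the sites share the assembly). The script below is my own: it generates one such element with random keys; the function name and the key sizes are my choices.

```powershell
# Added example, not part of the original post.
# Generates a single <machineKey> element. Paste the *same* element into the
# <system.web> section of both sites' Web.config so that a token protected by
# MachineKey.Protect on one site can be unprotected on the other.
function New-MachineKeyElement {
    param(
        # 64 random bytes for the HMACSHA256 validation key and 32 for the
        # AES-256 decryption key; these are commonly used sizes, not mandated ones.
        [int]$ValidationKeyBytes = 64,
        [int]$DecryptionKeyBytes = 32
    )

    # Use the platform CSPRNG rather than Get-Random, which is not cryptographic.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $validation = New-Object byte[] $ValidationKeyBytes
        $decryption = New-Object byte[] $DecryptionKeyBytes
        $rng.GetBytes($validation)
        $rng.GetBytes($decryption)
    }
    finally {
        $rng.Dispose()
    }

    # machineKey expects plain hex with no separators.
    $validationHex = [System.BitConverter]::ToString($validation).Replace('-', '')
    $decryptionHex = [System.BitConverter]::ToString($decryption).Replace('-', '')

    @"
<machineKey validationKey="$validationHex"
            decryptionKey="$decryptionHex"
            validation="HMACSHA256"
            decryption="AES" />
"@
}

# Run once and reuse the output on every site that must accept the others' tokens.
New-MachineKeyElement
```

Generate the element once and copy it verbatim to each site; running the script separately per site, or leaving the default AutoGenerate setting in place, produces keys that differ per application and per machine, which is exactly the symptom in the question. Treat the resulting Web.config fragment as a secret: keep it out of source control and deploy it through the same channel as other production credentials.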

