MVC ResetPasswordAsync not working across different website

When you generate a token using the GeneratePasswordResetTokenAsync call, ASP.NET Identity creates an encrypted token using the built-in Data Protection APIs.

The Data Protection APIs use a “Key Ring” to encrypt and decrypt the token. By default, this “Key Ring” is stored locally on the server file system. This behavior is documented here.

The ASP.NET Core Data Protection system is used by apps to protect data. Data Protection relies upon a set of cryptographic keys stored in a key ring. When the Data Protection system is initialized, it applies default settings that store the key ring locally. Under the default configuration, a unique key ring is stored on each node of the web farm. Consequently, each web farm node can’t decrypt data that’s encrypted by an app on any other node.

In your scenario, because the reset token is being generated in Site B and then being used in Site A, the token cannot be decrypted. Site A does not know how to decrypt a token generated by Site B because they do not share the same “Key Ring”.

In order to fix this, you need to configure both Site A and Site B to use a central (secure) location to store the “Key Ring” as outlined here.
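As an added illustration of that fix (this is not code from the original answer), the configuration below goes into Program.cs of both Site A and Site B: it points both apps at one shared key ring, gives them the same application name so their protector purposes match, and encrypts the keys at rest. The UNC path, certificate thumbprint, configuration keys and ApplicationDbContext are placeholders, not values from the page.

```csharp
// Program.cs (minimal hosting model), identical on Site A and Site B.
// Assumptions (not from the original answer): the key ring directory is a share
// both sites can read and write, and a certificate both sites can read encrypts it.
using System.IO;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Identity;

var builder = WebApplication.CreateBuilder(args);

// Hypothetical settings; both sites MUST resolve to the same values.
var keyRingPath = builder.Configuration["DataProtection:KeyRingPath"]
                  ?? @"\\fileserver\keyring";           // placeholder UNC path
var certThumbprint = builder.Configuration["DataProtection:CertThumbprint"]
                     ?? "<CERT-THUMBPRINT-PLACEHOLDER>"; // placeholder thumbprint

builder.Services.AddDataProtection()
    // 1. One key ring for both sites instead of the per-server default location,
    //    so a token protected by Site B can be unprotected by Site A.
    .PersistKeysToFileSystem(new DirectoryInfo(keyRingPath))
    // 2. Same application discriminator on both sites. Without this, each site
    //    derives a different purpose string and still fails to unprotect the other's
    //    tokens even though the keys are shared.
    .SetApplicationName("SharedIdentityApp")
    // 3. Encrypt the key ring at rest; anyone who can read the share otherwise
    //    holds the keys needed to mint valid reset tokens.
    .ProtectKeysWithCertificate(certThumbprint);

// Identity's DataProtectorTokenProvider (added by AddDefaultTokenProviders) uses the
// Data Protection stack configured above, so both sites must also share the same
// user store: the token embeds the user id and security stamp it is validated against.
// ApplicationDbContext is a placeholder for the app's own EF Core context.
builder.Services.AddIdentity<IdentityUser, IdentityRole>()
    .AddEntityFrameworkStores<ApplicationDbContext>()
    .AddDefaultTokenProviders();

var app = builder.Build();
app.MapControllers();
app.Run();
```

Confirm the fix by checking that the shared directory contains a single set of key-*.xml files written by both sites and that each site logs the same application name at startup; a token from Site B then validates on Site A only while the user's security stamp is unchanged.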
