ASP.NET Identity reset password
NickName:daniel Ask DateTime:2013-10-23T01:06:18

How can I get the password of a user in the new ASP.NET Identity system? Or how can I reset without knowing the current one (user forgot password)?

Copyright Notice:Content Author:「daniel」,Reproduced under the CC 4.0 BY-SA copyright license with a link to the original source and this disclaimer.
Link to original article:https://stackoverflow.com/questions/19524111/asp-net-identity-reset-password

Answers
jd4u 2013-10-22T19:29:13

In current release

Assuming you have handled the verification of the request to reset the forgotten password, use the following code as sample steps.

    ApplicationDbContext context = new ApplicationDbContext();
    String userId = "<YourLogicAssignsRequestedUserId>";
    String newPassword = "<PasswordAsTypedByUser>";
    ApplicationUser cUser = UserManager.FindById(userId);
    String hashedNewPassword = UserManager.PasswordHasher.HashPassword(newPassword);
    UserStore<ApplicationUser> store = new UserStore<ApplicationUser>(context);
    // Await the store call and persist the change.
    await store.SetPasswordHashAsync(cUser, hashedNewPassword);
    await store.UpdateAsync(cUser);

In AspNet Nightly Build

The framework is updated to work with Token for handling requests like ForgetPassword. Once in release, simple code guidance is expected.

Update:

This update is just to provide clearer steps.

    ApplicationDbContext context = new ApplicationDbContext();
    UserStore<ApplicationUser> store = new UserStore<ApplicationUser>(context);
    UserManager<ApplicationUser> UserManager = new UserManager<ApplicationUser>(store);
    String userId = User.Identity.GetUserId(); // "<YourLogicAssignsRequestedUserId>"
    String newPassword = "test@123"; // "<PasswordAsTypedByUser>"
    String hashedNewPassword = UserManager.PasswordHasher.HashPassword(newPassword);
    ApplicationUser cUser = await store.FindByIdAsync(userId);
    await store.SetPasswordHashAsync(cUser, hashedNewPassword);
    await store.UpdateAsync(cUser);


Shaun Luttin 2014-03-18T20:53:12

Deprecated

This was the original answer. It does work, but has a problem. What if AddPassword fails? The user is left without a password.

The original answer: we can use three lines of code:

    UserManager<IdentityUser> userManager =
        new UserManager<IdentityUser>(new UserStore<IdentityUser>());

    userManager.RemovePassword(userId);

    userManager.AddPassword(userId, newPassword);

See also: http://msdn.microsoft.com/en-us/library/dn457095(v=vs.111).aspx

Now Recommended

It's probably better to use the answer that EdwardBrey proposed and then DanielWright later elaborated with a code sample.


Edward Brey 2014-04-15T20:49:12

On your UserManager, first call GeneratePasswordResetTokenAsync. Once the user has verified his identity (for example by receiving the token in an email), pass the token to ResetPasswordAsync.


Manish Vadher 2020-08-02T12:18:53

Best way to reset a password in ASP.NET Core Identity, for use in a Web API.

Note*: Error() and Result() are created for internal use. You can return whatever you want.

    [HttpPost]
    [Route("reset-password")]
    public async Task<IActionResult> ResetPassword(ResetPasswordModel model)
    {
        if (!ModelState.IsValid)
            return BadRequest(ModelState);
        try
        {
            if (model is null)
                return Error("No data found!");

            // Look up the currently signed-in user.
            var user = await _userManager.FindByIdAsync(AppCommon.ToString(GetUserId()));
            if (user == null)
                return Error("No user found!");

            // Verify the old password before allowing the change.
            Microsoft.AspNetCore.Identity.SignInResult checkOldPassword =
                await _signInManager.PasswordSignInAsync(user.UserName, model.OldPassword, false, false);

            if (!checkOldPassword.Succeeded)
                return Error("Old password does not matched.");

            string resetToken = await _userManager.GeneratePasswordResetTokenAsync(user);
            if (string.IsNullOrEmpty(resetToken))
                return Error("Error while generating reset token.");

            var result = await _userManager.ResetPasswordAsync(user, resetToken, model.Password);

            if (result.Succeeded)
                return Result();
            else
                return Error();
        }
        catch (Exception ex)
        {
            return Error(ex);
        }
    }
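For the case this answer handles (a signed-in user who supplies the old password), ASP.NET Core Identity also offers `UserManager.ChangePasswordAsync`, which checks the current password and sets the new one in a single call. This is an added example, not the answerer's code; the controller, route and model names are hypothetical and cookie authentication is assumed.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Added example: ChangePasswordModel and PasswordController are hypothetical names.
public class ChangePasswordModel
{
    [Required] public string OldPassword { get; set; }
    [Required] public string Password { get; set; }
}

[ApiController]
[Authorize]
[Route("account")]
public class PasswordController : ControllerBase
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly SignInManager<IdentityUser> _signInManager;
    public PasswordController(UserManager<IdentityUser> userManager,
                              SignInManager<IdentityUser> signInManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
    }

    [HttpPost("change-password")]
    public async Task<IActionResult> ChangePassword(ChangePasswordModel model)
    {
        // Resolve the account from the authenticated principal, not the request body.
        var user = await _userManager.GetUserAsync(User);
        if (user == null) return Unauthorized();

        // Verifies OldPassword, runs the password validators on the new value,
        // stores the new hash and updates the security stamp.
        var result = await _userManager.ChangePasswordAsync(user, model.OldPassword, model.Password);
        if (!result.Succeeded)
        {
            foreach (var error in result.Errors)
                ModelState.AddModelError(string.Empty, error.Description);
            return ValidationProblem(ModelState);
        }

        // Reissue the caller's cookie so it matches the new security stamp.
        await _signInManager.RefreshSignInAsync(user);
        return NoContent();
    }
}
```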


sclarson 2013-10-22T17:48:13

    string message = null;
    // reset the password
    var result = await IdentityManager.Passwords.ResetPasswordAsync(model.Token, model.Password);
    if (result.Success)
    {
        message = "The password has been reset.";
        return RedirectToAction("PasswordResetCompleted", new { message = message });
    }
    else
    {
        AddErrors(result);
    }

This snippet of code is taken out of the AspNetIdentitySample project available on GitHub.


Ogglas 2018-09-20T07:18:56

I think the Microsoft guide for ASP.NET Identity is a good start.

https://learn.microsoft.com/en-us/aspnet/identity/overview/features-api/account-confirmation-and-password-recovery-with-aspnet-identity

Note:

If you do not use AccountController and want to reset your password, use Request.GetOwinContext().GetUserManager<ApplicationUserManager>();. If you don't have the same OwinContext you need to create a new DataProtectorTokenProvider like the one OwinContext uses. By default look at App_Start -> IdentityConfig.cs. Should look something like new DataProtectorTokenProvider<ApplicationUser>(dataProtectionProvider.Create("ASP.NET Identity"));.

Could be created like this:

Without Owin:

    [HttpGet]
    [AllowAnonymous]
    [Route("testReset")]
    public IHttpActionResult TestReset()
    {
        var db = new ApplicationDbContext();
        var manager = new ApplicationUserManager(new UserStore<ApplicationUser>(db));
        var provider = new DpapiDataProtectionProvider("SampleAppName");
        manager.UserTokenProvider = new DataProtectorTokenProvider<ApplicationUser>(
            provider.Create("SampleTokenName"));

        var email = "[email protected]";

        var user = new ApplicationUser() { UserName = email, Email = email };

        var identityUser = manager.FindByEmail(email);

        if (identityUser == null)
        {
            manager.Create(user);
            identityUser = manager.FindByEmail(email);
        }

        var token = manager.GeneratePasswordResetToken(identityUser.Id);
        return Ok(HttpUtility.UrlEncode(token));
    }

    [HttpGet]
    [AllowAnonymous]
    [Route("testReset")]
    public IHttpActionResult TestReset(string token)
    {
        var db = new ApplicationDbContext();
        var manager = new ApplicationUserManager(new UserStore<ApplicationUser>(db));
        var provider = new DpapiDataProtectionProvider("SampleAppName");
        manager.UserTokenProvider = new DataProtectorTokenProvider<ApplicationUser>(
            provider.Create("SampleTokenName"));
        var email = "[email protected]";
        var identityUser = manager.FindByEmail(email);
        var valid = Task.Run(() => manager.UserTokenProvider.ValidateAsync("ResetPassword", token, manager, identityUser)).Result;
        var result = manager.ResetPassword(identityUser.Id, token, "TestingTest1!");
        return Ok(result);
    }

With Owin:

    [HttpGet]
    [AllowAnonymous]
    [Route("testResetWithOwin")]
    public IHttpActionResult TestResetWithOwin()
    {
        var manager = Request.GetOwinContext().GetUserManager<ApplicationUserManager>();

        var email = "[email protected]";

        var user = new ApplicationUser() { UserName = email, Email = email };

        var identityUser = manager.FindByEmail(email);

        if (identityUser == null)
        {
            manager.Create(user);
            identityUser = manager.FindByEmail(email);
        }

        var token = manager.GeneratePasswordResetToken(identityUser.Id);
        return Ok(HttpUtility.UrlEncode(token));
    }

    [HttpGet]
    [AllowAnonymous]
    [Route("testResetWithOwin")]
    public IHttpActionResult TestResetWithOwin(string token)
    {
        var manager = Request.GetOwinContext().GetUserManager<ApplicationUserManager>();

        var email = "[email protected]";
        var identityUser = manager.FindByEmail(email);
        var valid = Task.Run(() => manager.UserTokenProvider.ValidateAsync("ResetPassword", token, manager, identityUser)).Result;
        var result = manager.ResetPassword(identityUser.Id, token, "TestingTest1!");
        return Ok(result);
    }

The DpapiDataProtectionProvider and DataProtectorTokenProvider need to be created with the same name for a password reset to work. Using Owin for creating the password reset token and then creating a new DpapiDataProtectionProvider with another name won't work.

Code that I use for ASP.NET Identity:

Web.Config:

    <add key="AllowedHosts" value="example.com,example2.com" />

AccountController.cs:

    [Route("RequestResetPasswordToken/{email}/")]
    [HttpGet]
    [AllowAnonymous]
    public async Task<IHttpActionResult> GetResetPasswordToken([FromUri]string email)
    {
        if (!ModelState.IsValid)
            return BadRequest(ModelState);

        var user = await UserManager.FindByEmailAsync(email);
        if (user == null)
        {
            Logger.Warn("Password reset token requested for non existing email");
            // Don't reveal that the user does not exist
            return NoContent();
        }

        //Prevent Host Header Attack -> Password Reset Poisoning.
        //If the IIS has a binding to accept connections on 80/443 the host parameter can be changed.
        //See https://security.stackexchange.com/a/170759/67046
        if (!ConfigurationManager.AppSettings["AllowedHosts"].Split(',').Contains(Request.RequestUri.Host)) {
            Logger.Warn($"Non allowed host detected for password reset {Request.RequestUri.Scheme}://{Request.Headers.Host}");
            return BadRequest();
        }

        Logger.Info("Creating password reset token for user id {0}", user.Id);

        var host = $"{Request.RequestUri.Scheme}://{Request.Headers.Host}";
        var token = await UserManager.GeneratePasswordResetTokenAsync(user.Id);
        var callbackUrl = $"{host}/resetPassword/{HttpContext.Current.Server.UrlEncode(user.Email)}/{HttpContext.Current.Server.UrlEncode(token)}";

        var subject = "Client - Password reset.";
        var body = "<html><body>" +
                   "<h2>Password reset</h2>" +
                   $"<p>Hi {user.FullName}, <a href=\"{callbackUrl}\"> please click this link to reset your password </a></p>" +
                   "</body></html>";

        var message = new IdentityMessage
        {
            Body = body,
            Destination = user.Email,
            Subject = subject
        };

        await UserManager.EmailService.SendAsync(message);

        return NoContent();
    }

    [HttpPost]
    [Route("ResetPassword/")]
    [AllowAnonymous]
    public async Task<IHttpActionResult> ResetPasswordAsync(ResetPasswordRequestModel model)
    {
        if (!ModelState.IsValid)
            return NoContent();

        var user = await UserManager.FindByEmailAsync(model.Email);
        if (user == null)
        {
            Logger.Warn("Reset password request for non existing email");
            return NoContent();
        }

        if (!await UserManager.UserTokenProvider.ValidateAsync("ResetPassword", model.Token, UserManager, user))
        {
            Logger.Warn("Reset password requested with wrong token");
            return NoContent();
        }

        var result = await UserManager.ResetPasswordAsync(user.Id, model.Token, model.NewPassword);

        if (result.Succeeded)
        {
            Logger.Info("Creating password reset token for user id {0}", user.Id);

            const string subject = "Client - Password reset success.";
            var body = "<html><body>" +
                       "<h1>Your password for Client was reset</h1>" +
                       $"<p>Hi {user.FullName}!</p>" +
                       "<p>Your password for Client was reset. Please inform us if you did not request this change.</p>" +
                       "</body></html>";

            var message = new IdentityMessage
            {
                Body = body,
                Destination = user.Email,
                Subject = subject
            };

            await UserManager.EmailService.SendAsync(message);
        }

        return NoContent();
    }

    public class ResetPasswordRequestModel
    {
        [Required]
        [Display(Name = "Token")]
        public string Token { get; set; }

        [Required]
        [Display(Name = "Email")]
        public string Email { get; set; }

        [Required]
        [StringLength(100, ErrorMessage = "The {0} must be at least {2} characters long.", MinimumLength = 10)]
        [DataType(DataType.Password)]
        [Display(Name = "New password")]
        public string NewPassword { get; set; }

        [DataType(DataType.Password)]
        [Display(Name = "Confirm new password")]
        [Compare("NewPassword", ErrorMessage = "The new password and confirmation password do not match.")]
        public string ConfirmPassword { get; set; }
    }
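An added example (not part of the original answer) of the AllowedHosts check from the AccountController code above, written so that the e-mailed link is built from the matching allow-list entry instead of the request's Host header. `ResetLinkBuilder`, its method names, the fixed `https` scheme and the sample values are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example: ResetLinkBuilder and its members are hypothetical names.
public static class ResetLinkBuilder
{
    // Parses the comma-separated AllowedHosts app setting shown in Web.Config.
    public static List<string> ParseAllowedHosts(string setting)
    {
        return (setting ?? string.Empty)
            .Split(',')
            .Select(h => h.Trim())
            .Where(h => h.Length > 0)
            .ToList();
    }

    // Returns the reset URL, or null when the Host header is not allow-listed.
    public static string Build(string hostHeader, IEnumerable<string> allowedHosts,
                               string email, string token)
    {
        // Parse the header as an authority so "host:port" and odd casing are handled;
        // reject anything that carries user info or a path.
        Uri parsed;
        if (string.IsNullOrWhiteSpace(hostHeader) ||
            !Uri.TryCreate("https://" + hostHeader, UriKind.Absolute, out parsed) ||
            parsed.UserInfo.Length > 0 || parsed.AbsolutePath != "/")
            return null;

        // Take the host from configuration, never from the request itself.
        string canonical = allowedHosts.FirstOrDefault(
            h => string.Equals(h, parsed.Host, StringComparison.OrdinalIgnoreCase));
        if (canonical == null)
            return null;

        // Base64 tokens can contain '+', '/' and '=', so escape each path segment.
        return "https://" + canonical + "/resetPassword/" +
               Uri.EscapeDataString(email) + "/" + Uri.EscapeDataString(token);
    }

    public static void Main()
    {
        // Constructed sample values.
        var allowed = ParseAllowedHosts("example.com, example2.com");
        Console.WriteLine(Build("EXAMPLE.com:443", allowed, "a@example.com", "ab+c/d=="));
        Console.WriteLine(Build("attacker.test", allowed, "a@example.com", "ab+c/d==") ?? "(rejected)");
    }
}
```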


tmg 2015-12-02T15:18:08

Create method in UserManager<TUser, TKey>

    public Task<IdentityResult> ChangePassword(int userId, string newPassword)
    {
        var user = Users.FirstOrDefault(u => u.Id == userId);
        if (user == null)
            // Return a completed task; a Task built with "new Task<...>(...)" is never started.
            return Task.FromResult(IdentityResult.Failed());

        var store = Store as IUserPasswordStore<User, int>;
        return base.UpdatePassword(store, user, newPassword);
    }


Rahul Garg 2016-08-05T19:11:18

In case of password reset, it is recommended to reset it through sending a password reset token to the registered user email and ask the user to provide a new password. I have created an easily usable .NET library over the Identity framework with default configuration settings. You can find details at blog link and source code at GitHub.


Daniel Wright 2015-03-24T15:23:31

> Or how can I reset without knowing the current one (user forgot password)?

If you want to change a password using the UserManager but you do not want to supply the user's current password, you can generate a password reset token and then use it immediately instead.

    string resetToken = await UserManager.GeneratePasswordResetTokenAsync(model.Id);
    IdentityResult passwordChangeResult = await UserManager.ResetPasswordAsync(model.Id, resetToken, model.NewPassword);

