Generating reset password token does not work in Azure Website

Problem description

I am implementing reset password functionality on my site by using the in-built UserManager class that comes with ASP.NET 5.

Everything works fine in my dev environment. However, once I try it in the production site that is running as an Azure website, I get the following exception:

System.Security.Cryptography.CryptographicException: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.

This is how I set up the UserManager instance:

var provider = new Microsoft.Owin.Security.DataProtection.DpapiDataProtectionProvider(SiteConfig.SiteName);
UserManager.UserTokenProvider = new Microsoft.AspNet.Identity.Owin.DataProtectorTokenProvider<User>(provider.Create(ResetPasswordPurpose));

Then, I generate the token thusly (to be sent to the user in an email so that they can verify that they do indeed want to reset their password):

string token = UserManager.GeneratePasswordResetToken(user.Id);

Unfortunately, when this runs on Azure, I get the exception above.

I've Googled around and found this possible solution. However, it didn't work at all and I still get the same exception.

According to the link, it has something to do with session tokens not working on a web farm like Azure.

Recommended answer

The DpapiDataProtectionProvider utilizes DPAPI which will not work properly in a web farm/cloud environment since encrypted data can only be decrypted by the machine that encrypted it. What you need is a way to encrypt data such that it can be decrypted by any machine in your environment. Unfortunately, ASP.NET Identity 2.0 does not include any other implementation of IProtectionProvider other than DpapiDataProtectionProvider. However, it's not too difficult to roll your own.

One option is to utilize the MachineKey class as follows:

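using Microsoft.Owin.Security.DataProtection; // IDataProtectionProvider, IDataProtector
using System.Web.Security;                    // MachineKey

// Hands out protectors backed by the application's <machineKey> settings
// instead of per-machine DPAPI.
public class MachineKeyProtectionProvider : IDataProtectionProvider
{
    public IDataProtector Create(params string[] purposes)
    {
        return new MachineKeyDataProtector(purposes);
    }
}

public class MachineKeyDataProtector : IDataProtector
{
    // Purpose strings bind the protected data to one use, so a token
    // protected for one purpose cannot be unprotected for another.
    private readonly string[] _purposes;

    public MachineKeyDataProtector(string[] purposes)
    {
        _purposes = purposes;
    }

    // Encrypts and signs the data with the configured machine key.
    public byte[] Protect(byte[] userData)
    {
        return MachineKey.Protect(userData, _purposes);
    }

    // Throws CryptographicException if the data was tampered with or was
    // protected with a different key or different purposes.
    public byte[] Unprotect(byte[] protectedData)
    {
        return MachineKey.Unprotect(protectedData, _purposes);
    }
}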

In order to use this option, there are a couple of steps that you would need to follow.

Step 1

Modify your code to use the MachineKeyProtectionProvider.

using Microsoft.AspNet.Identity.Owin;
// ...

var provider = new MachineKeyProtectionProvider();
UserManager.UserTokenProvider = new DataProtectorTokenProvider<User>(
    provider.Create("ResetPasswordPurpose"));

Step 2

Synchronize the MachineKey value across all the machines in your web farm/cloud environment. This sounds scary, but it's the same step that we've performed countless times before in order to get ViewState validation to work properly in a web farm (it also uses DPAPI).
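
Step 2 does not show how the shared key is produced. As an added example (not part of the original answer), this C# console program generates random key material and prints a `<machineKey>` element to place under `<system.web>` in the web.config deployed to every instance. The class and method names are hypothetical, and the key sizes (64-byte HMACSHA256 validation key, 32-byte AES decryption key) are assumptions chosen here.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: generates key material for an explicit <machineKey> element.
// Without explicit keys, each server auto-generates its own, so a token
// protected on one instance fails to unprotect on another.
public static class MachineKeyGenerator
{
    // Returns byteCount cryptographically random bytes as upper-case hex.
    public static string RandomHex(int byteCount)
    {
        var bytes = new byte[byteCount];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        var sb = new StringBuilder(byteCount * 2);
        foreach (byte b in bytes)
        {
            sb.Append(b.ToString("X2"));
        }
        return sb.ToString();
    }

    // Builds the element with freshly generated keys.
    public static string BuildElement()
    {
        string validationKey = RandomHex(64); // 128 hex chars, HMAC key
        string decryptionKey = RandomHex(32); // 64 hex chars, AES-256 key
        return string.Format(
            "<machineKey validation=\"HMACSHA256\" decryption=\"AES\"\n" +
            "            validationKey=\"{0}\"\n" +
            "            decryptionKey=\"{1}\" />",
            validationKey, decryptionKey);
    }

    public static void Main()
    {
        // Run once, then use the same output on every instance.
        Console.WriteLine(BuildElement());
    }
}
```

Treat the printed keys as secrets: anyone holding them can produce tokens that MachineKey.Unprotect accepts, so keep them out of source control and replace them if they are exposed.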
