Generating reset password token does not work in Azure Website


Problem description

I am implementing reset password functionality on my site by using the in-built UserManager class that comes with ASP.NET 5.

Everything works fine in my dev environment. However, once I try it in the production site that is running as an Azure website, I get the following exception:

System.Security.Cryptography.CryptographicException: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.

This is how I set up the UserManager instance:

var provider = new Microsoft.Owin.Security.DataProtection.DpapiDataProtectionProvider(SiteConfig.SiteName);
UserManager.UserTokenProvider = new Microsoft.AspNet.Identity.Owin.DataProtectorTokenProvider<User>(provider.Create(ResetPasswordPurpose));

Then, I generate the token thusly (to be sent to the user in an email so that they can verify that they do indeed want to reset their password):

string token = UserManager.GeneratePasswordResetToken(user.Id);

Unfortunately, when this runs on Azure, I get the exception above.

I've Googled around and found this possible solution (http://brockallen.com/2013/02/18/configuring-machine-key-protection-of-session-tokens-in-wif-and-thinktecture-identitymodel/). However, it didn't work at all and I still get the same exception.

According to the link, it is something to do with session tokens not working on a web farm like Azure.

Recommended answer

The DpapiDataProtectionProvider utilizes DPAPI, which will not work properly in a web farm/cloud environment since encrypted data can only be decrypted by the machine that encrypted it. What you need is a way to encrypt data such that it can be decrypted by any machine in your environment. Unfortunately, ASP.NET Identity 2.0 does not include any other implementation of IProtectionProvider other than DpapiDataProtectionProvider. However, it's not too difficult to roll your own.

One option is to utilize the MachineKey class as follows:

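using System.Web.Security;                      // MachineKey (Protect/Unprotect need .NET 4.5+)
using Microsoft.Owin.Security.DataProtection;   // IDataProtectionProvider, IDataProtector

// Creates protectors backed by the <machineKey> configuration instead of DPAPI.
public class MachineKeyProtectionProvider : IDataProtectionProvider
{
    public IDataProtector Create(params string[] purposes)
    {
        return new MachineKeyDataProtector(purposes);
    }
}

public class MachineKeyDataProtector : IDataProtector
{
    // Purpose strings bind the protected data to one use (e.g. password reset).
    private readonly string[] _purposes;

    public MachineKeyDataProtector(string[] purposes)
    {
        _purposes = purposes;
    }

    // Protects the data with the machineKey, so any server sharing the key can read it.
    public byte[] Protect(byte[] userData)
    {
        return MachineKey.Protect(userData, _purposes);
    }

    // Throws CryptographicException if the data was tampered with or the purposes differ.
    public byte[] Unprotect(byte[] protectedData)
    {
        return MachineKey.Unprotect(protectedData, _purposes);
    }
}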

In order to use this option, there are a couple of steps that you would need to follow.

Step 1

Modify your code to use the MachineKeyProtectionProvider.

using Microsoft.AspNet.Identity.Owin;
// ...

var provider = new MachineKeyProtectionProvider();
UserManager.UserTokenProvider = new DataProtectorTokenProvider<User>(
    provider.Create("ResetPasswordPurpose"));

Step 2

Synchronize the MachineKey value (http://msdn.microsoft.com/en-us/library/ff649308.aspx#paght000007_webfarmdeploymentconsiderations) across all the machines in your web farm/cloud environment. This sounds scary, but it's the same step that we've performed countless times before in order to get ViewState validation to work properly in a web farm (it also uses DPAPI).
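Step 2 means putting explicit key values in web.config on every server. The following console program is an added example, not part of the original answer: it generates a `<machineKey>` element with cryptographically random keys. The class name MachineKeyGenerator and the choice of AES with HMACSHA256 are assumptions made for this illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the original answer): builds a <machineKey>
// element with fresh random keys for use on every server in the farm.
public static class MachineKeyGenerator
{
    // Returns byteCount cryptographically random bytes as upper-case hex.
    public static string RandomHex(int byteCount)
    {
        var bytes = new byte[byteCount];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }

        var hex = new StringBuilder(byteCount * 2);
        foreach (var b in bytes)
        {
            hex.Append(b.ToString("X2"));
        }
        return hex.ToString();
    }

    // Assumed algorithm choice: AES-256 for encryption (32-byte key, 64 hex
    // chars) and HMACSHA256 for validation (64-byte key, 128 hex chars).
    public static string BuildElement()
    {
        return string.Format(
            "<machineKey decryption=\"AES\" decryptionKey=\"{0}\"\n" +
            "            validation=\"HMACSHA256\" validationKey=\"{1}\" />",
            RandomHex(32),
            RandomHex(64));
    }

    public static void Main()
    {
        // Explicit keys replace the per-machine auto-generated defaults.
        Console.WriteLine(BuildElement());
    }
}
```

Run it once and place the same element under `<system.web>` in the web.config of every instance; treat the output as a secret, since anyone holding these keys can create valid reset tokens.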
