Control the Expiration of Your OWIN Issued Tokens
You might think: how hard can it be to modify the expiration time of the token, which OWIN issues to verify e.g. the validity of a reset password e-mail? It sounds very simple, indeed.
Even though that’s the case, it is a question I’ve received a few times when being in the context of Episerver.
What is this token?
Let me start with an explanation of what I am looking to achieve with this post. When a user of your website requests to reset his/her password, your Episerver system should be implemented to send out an e-mail with a link for a secure reset-password flow. In order to make that link secure, we often leverage the built-in token issuing service in ASP.NET Identity to generate a public key, which we then validate when the actual reset password action comes in for persistence.
Looking at Quicksilver, the link we end up building with that key can look like this:
How this token get’s generated is something we can control, incl. for how long it stays valid. By default, the expiration is set to 24h.
How to adjust the expiration of it
It is in plain ASP.NET Identity fairly simple to set, through your Startup (via OWIN). Episerver has though not made it as obvious, due to the introduction of non-configurable AddCmsAspNetIdentity middleware.
We though have a simple solution for how to navigate around that configuration limitation.
After the AddCmsAspNetIdentity middleware has been initialized in your Startup.cs, we go in and overwrite OWINs instance of Episerver’s ApplicationUserManager. It enables us to carry a new and refined version of the User Token Provider, with an expiration of 5 days.
Please note that the code presented above is taken out of the context, which means the continued initialization of e.g. UseCookieAuthentication still needs to happen.