What is ASP.NET Identity's IUserSecurityStampStore<TUser> interface?
Solution 1:
This is meant to represent the current snapshot of your user's credentials. So if nothing changes, the stamp will stay the same. But if the user's password is changed, or a login is removed (unlink your google/fb account), the stamp will change. This is needed for things like automatically signing users/rejecting old cookies when this occurs, which is a feature that's coming in 2.0.
Identity is not open source yet, its currently in the pipeline still.
Edit: Updated for 2.0.0. So the primary purpose of the SecurityStamp
is to enable sign out everywhere. The basic idea is that whenever something security related is changed on the user, like a password, it is a good idea to automatically invalidate any existing sign in cookies, so if your password/account was previously compromised, the attacker no longer has access.
In 2.0.0 we added the following configuration to hook the OnValidateIdentity
method in the CookieMiddleware
to look at the SecurityStamp
and reject cookies when it has changed. It also automatically refreshes the user's claims from the database every refreshInterval
if the stamp is unchanged (which takes care of things like changing roles etc)
app.UseCookieAuthentication(new CookieAuthenticationOptions {
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
Provider = new CookieAuthenticationProvider {
// Enables the application to validate the security stamp when the user logs in.
// This is a security feature which is used when you change a password or add an external login to your account.
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
validateInterval: TimeSpan.FromMinutes(30),
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
}
});
If your app wants to trigger this behavior explicitly, it can call:
UserManager.UpdateSecurityStampAsync(userId);
Solution 2:
The UseCookieAuthentication is deprecated by now. I managed to configure it using
services.Configure<SecurityStampValidatorOptions>(o =>
o.ValidationInterval = TimeSpan.FromSeconds(10));
Moved from reply to answer per request.
Solution 3:
I observed the SecurityStamp to be required for token verification.
To repo: Set SecurityStamp to null in the databsae Generate a token (works ok) Verify token (fails)