Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add reset password support to identity endpoints #47231

Closed
Tracked by #47288
halter73 opened this issue Mar 15, 2023 · 2 comments · Fixed by #49498
Closed
Tracked by #47288

Add reset password support to identity endpoints #47231

halter73 opened this issue Mar 15, 2023 · 2 comments · Fixed by #49498
Assignees
@halter73
Labels
api-approved API was approved in API review, it can be implemented area-identity Includes: Identity and providers enhancement This issue represents an ask for new feature or an enhancement to an existing one feature-token-identity Priority:0 Work that we can't release without
Milestone
8.0-preview7

Comments

@halter73
Copy link
Member

halter73 commented Mar 15, 2023
edited
Loading

Background and Motivation

Add email confirmation and reset password support to identity endpoints.

Proposed API

// Microsoft.Extensions.Identity.Core.dll

// This namespace and interface already exist in Microsoft.AspNetCore.Identity.UI.dll
// but is new in Microsoft.Extensions.Identity.Core.dll
+ namespace Microsoft.AspNetCore.Identity.UI.Services;

+ public interface IEmailSender
+ {
+    Task SendEmailAsync(string email, string subject, string htmlMessage);
+ }

// Used so that Identity UI's unconfigured email sender logic works the same way regardless of whether
// it was added by AddApiEndpoints or AddDefaultUI
+ public sealed class NoOpEmailSender : IEmailSender
+ {
+    public Task SendEmailAsync(string email, string subject, string htmlMessage) => Task.CompletedTask;
+ }

// Microsoft.AspNetCore.Identity.UI.dll
+ [assembly: TypeForwardedTo(typeof(IEmailSender))]

Usage Examples

https://www.twilio.com/blog/how-to-send-asp-net-core-identity-emails-with-twilio-sendgrid

Alternative Designs

Create a new duplicate interface in a better namespace like just Microsoft.AspNetCore.Identity. Possibly use different methods for different kind of emails. E.g. SendConfirmationEmail, SendPasswordResetEmail, etc... Maybe this could be parameterized by TUser.

Risks

If people wanted to use Identity UI and Identity API endpoints in the same app with different email senders. This could make that hard or impossible to do.
@dotnet-issue-labeler dotnet-issue-labeler bot added area-identity Includes: Identity and providers untriaged labels Mar 15, 2023
@mkArtakMSFT mkArtakMSFT added enhancement This issue represents an ask for new feature or an enhancement to an existing one and removed untriaged labels Mar 15, 2023
@mkArtakMSFT mkArtakMSFT added this to the 8.0-preview4 milestone Mar 15, 2023
@LadyNaggaga LadyNaggaga mentioned this issue Mar 16, 2023
Closed
5 tasks
This was referenced Mar 17, 2023
Closed
Closed
@mkArtakMSFT mkArtakMSFT added the Priority:0 Work that we can't release without label Mar 17, 2023
This was referenced Jul 21, 2023
Merged
Merged
mkArtakMSFT pushed a commit that referenced this issue Jul 21, 2023
@github-actions
[release/8.0-preview7] Add more MapIdentityApi endpoints (#49559)
0c0bc01 
Backport of #49498 to release/8.0-preview7

/cc @halter73

# Add more MapIdentityApi endpoints
## Description

This adds the following new endpoints:

- GET /confirmEmail
- POST /resendConfirmationEmail
- POST /resetPassword
- GET /account/2fa
- POST /account/2fa
- GET /account/info
- POST /account/info

Additionally, the existing /login endpoint now accepts 2fa codes and 2fa recovery codes as part of the request body. These can be queried and regenerated from /account/2fa. The /login endpoint now also gives limited failure reasons in the form of application/problem+json instead of empty 401 responses with details such as "LockedOut", "RequiresTwoFactor", "NotAllowed" (usually because lack of email confirmation), and the generic "Failed" statuses.

Fixes #47232 (lockout support)
Fixes #47231 (reset password support)
Fixes #47230 (2fa support)
Fixes #47229 (change username and password)
Fixes #49404 (Removes AddIdentityBearerToken which is no longer needed)

## Customer Impact

This makes the MapIdentityApi API introduced in preview4 more usable. See https://devblogs.microsoft.com/dotnet/asp-net-core-updates-in-dotnet-8-preview-4/#auth where we promised the following.

> In addition to user registration and login, the identity API endpoints will support features like two-factor authentication and email verification in upcoming previews. You can find a list of planned features in the issues labeled [feature-token-identity](https://github.com/dotnet/aspnetcore/issues?q=is%3Aopen+label%3Afeature-token-identity+sort%3Aupdated-desc) on the ASP.NET Core GitHub repository.

This PR adds all of these features, and it's important to make this available to customers as soon as possible, so we have time to react to any feedback. It appears customers are [excited to give it a go.](https://www.reddit.com/r/programming/comments/13jxcsx/aspnet_core_updates_in_net_8_preview_4_net_blog/jki0p3g/)

## Regression?

- [ ] Yes
- [x] No

## Risk

- [ ] High
- [ ] Medium
- [x] Low

This is primarily new API with minimal changes to SignInManager that should have no impact unless used by the new MapIdentityApi endpoints.

## Verification

- [x] Manual (required)
- [x] Automated

## Packaging changes reviewed?

- [ ] Yes
- [ ] No
- [x] N/A
@halter73 halter73 added the api-ready-for-review API is ready for formal API review - https://github.com/dotnet/apireviews label Jul 24, 2023
@ghost
Copy link

ghost commented Jul 24, 2023

Thank you for submitting this for API review. This will be reviewed by @dotnet/aspnet-api-review at the next meeting of the ASP.NET Core API Review group. Please ensure you take a look at the API review process documentation and ensure that:

  • The PR contains changes to the reference-assembly that describe the API change. Or, you have included a snippet of reference-assembly-style code that illustrates the API change.
  • The PR describes the impact to users, both positive (useful new APIs) and negative (breaking changes).
  • Someone is assigned to "champion" this change in the meeting, and they understand the impact and design of the change.

@halter73
Copy link
Member Author

halter73 commented Jul 24, 2023
edited
Loading

API Review Notes:

  • Can the string htmlMessage be null or empty?
    • Sure, but we can promise to always send a non-null string. We'll make it "" if we want empty.
  • What do we think about NoOp in the name?
  • Will the TypeForwardedTo cause problems since it's in a package and referencing a type now in the shared framework?
    • It could cause compilation issues due to two types with the same name in different assemblies, but we think this is okay. If you're recompiling, update the shared runtime.

API Approved!

// Microsoft.Extensions.Identity.Core.dll
+ namespace Microsoft.AspNetCore.Identity.UI.Services;

+ public interface IEmailSender
+ {
+    Task SendEmailAsync(string email, string subject, string htmlMessage);
+ }

+ public sealed class NoopEmailSender : IEmailSender
+ {
+    public Task SendEmailAsync(string email, string subject, string htmlMessage) => Task.CompletedTask;
+ }

// Microsoft.AspNetCore.Identity.UI.dll
+ [assembly: TypeForwardedTo(typeof(IEmailSender))]

@halter73 halter73 added api-approved API was approved in API review, it can be implemented and removed api-ready-for-review API is ready for formal API review - https://github.com/dotnet/apireviews labels Jul 24, 2023
@ghost ghost locked as resolved and limited conversation to collaborators Aug 27, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@halter73 halter73

Labels
api-approved API was approved in API review, it can be implemented area-identity Includes: Identity and providers enhancement This issue represents an ask for new feature or an enhancement to an existing one feature-token-identity Priority:0 Work that we can't release without
Projects
None yet
Milestone
8.0-preview7
Development

Successfully merging a pull request may close this issue.

Add more MapIdentityApi endpoints dotnet/aspnetcore
3 participants
@halter73 @mkArtakMSFT and others