I wanted to upgrade a website from Web Forms to .Net Core 2. In my previous project, I’ve used a custom authentication implementation which hashes user passwords with a salt and sends them a confirmation email which an activation code in it. I didn’t want to recode that part into .net core as Identity 2 provides a more secure and easy way of doing this.
The main challenge for me was to make it work with a MySql backend through Dapper ORM using a custom user table. If you use Entity Framework, it’s a breeze but it’s not that as easy otherwise.
So first things first, you need to implement the interfaces explicitly. I found a GitHub repo which had all the implementations I required. I just needed to adjust it to use my Dapper class and modify the SQL queries so it fetches/updates data using my custom user table.
I needed to provide backward compatibility for user who’ve registered on the site before, so I was checking username/password using my V1 authentication (custom hashing done in Web Forms) and if they were valid, trigger an authentication through V2 (.Net Core Identity 2).
All was working well except for one thing – I could not get the confirm email part to work. So here’s what happens:
- User registers on the site
- An email is sent to the user with a link that contains his a confirmation code and the user id
- When the user clicks on the link, Identity 2 will validate the parameters and confirm the email
However this was not happening for me. I wasted almost 2 days trying out things. Some people were saying you needed to UrlEncode the confirmation code and then decode on the other side. This however was not the issue I was having. I tried lots of things and nothing was working for me.
It turns out my custom user table was using an auto-increment field for UserId while Identity 2 prefers a Guid. With the guid, you already have a unique id for the user without having to save the entry to the database. With an auto-increment field, you need to trigger a save to the database first before getting the confirmation code, otherwise the system would register the UserId as 0 but when the user clicks on the confirmation email, his UserId would be something else other than 0 and the validation will always fail.
Hopefully that helps someone else.