Customize the EmailConfirmation and 2FA token expiration in .NET 8.0

Question

Francisco A. Henríquez N 0

Is there a way to extend the 2FA and Email confirmation token expiration timespan with email in .NET 8.0?

I am using the Microsoft.AspNetCore.Identity and Microsoft.AspNetCore.Authentication classes to use the 2FA with Email.

builder.Services.AddIdentity<IdentityUser<Guid>, IdentityRole<Guid>>(options =>

{

options.SignIn.RequireConfirmedAccount = true;

options.SignIn.RequireConfirmedEmail = true;

options.Tokens.EmailConfirmationTokenProvider = "EmailConfirmationTokenProvider";

options.Tokens.AuthenticatorTokenProvider = "TwoFactorTokenProvider";

})

.AddEntityFrameworkStores<ApplicationDbContext>()

.AddDefaultTokenProviders()

.AddTokenProvider<EmailConfirmationTokenProvider<IdentityUser<Guid>>>("EmailConfirmationTokenProvider")

.AddTokenProvider<TwoFactorTokenProvider<IdentityUser<Guid>>>("TwoFactorTokenProvider");

builder.Services.Configure<EmailConfirmationTokenProviderOptions>(opt => opt.TokenLifespan = TimeSpan.FromMinutes(5));

builder.Services.Configure<TwoFactorTokenProviderOptions>(opt => opt.TokenLifespan = TimeSpan.FromSeconds(45));

Everything works great with EmailConfirmation, but TwoFactorTokenProvider expiration is not working. Help please

1 answer

Answer 1

AgaveJoe 30,126

According to the source code there is a 90 second skew to allow time for a message to be sent and received.

Perhaps that's why your 45 second expiration is "not working" as expected?

Francisco A. Henríquez N 0 Reputation points

2024-04-28T13:55:34.6+00:00

Apologies if the following question is a bit silly. Are these 90 seconds added to the 45, or are they fixed and cannot be configured? In other words, if I have 45, can we add the 45 plus 90? Or were my original 45 seconds meaningless? Because I've tried to verify it using the VerifyTwoFactorTokenAsync method, and even if I've already verified the code once, it always comes out as valid, which has me a bit confused.