撤销 ASP.NET Identity 2.0 中 UserTokenProvider 生成的令牌

Question

Is there a way to revoke for example an email conformation token generated by an usermanager in ASP NET Identity 2.0?

Context
I would like to give the user the possibility to resend an confirmation email. To do this I generate a new token with: UserManager.GenerateEmailConfirmationTokenAsync(user.Id) , and send an email with the new generated token. Unfortunately when I do this the previously generated tokens are still working, is there a way to revoke them?

Example code
In the UserManager class:

manager.UserTokenProvider = new DataProtectorTokenProvider<ApplicationUser>(options.DataProtectionProvider.Create("ASP.NET Identity"));

In the AccountController:

var user = await UserManager.FindByEmailAsync("email");

// All generated tokens below will work to confirm the email. 
// I only want the last token to be valid when confirming the email address.
var token1 = await UserManager.GenerateEmailConfirmationTokenAsync(user.Id);
var token2 = await UserManager.GenerateEmailConfirmationTokenAsync(user.Id);
var token3 = await UserManager.GenerateEmailConfirmationTokenAsync(user.Id);
var token4 = await UserManager.GenerateEmailConfirmationTokenAsync(user.Id);
var token5 = await UserManager.GenerateEmailConfirmationTokenAsync(user.Id);

var result = await UserManager.ConfirmEmailAsync(user.Id, token5);

Information about the storage location of the generated token and how these tokens are generated are also welcome!

I will be grateful if you can send me this information.

Answer 1

The default UserTokenProvider generates tokens based on the users's SecurityStamp, so until that changes(like when the user's password changes), the tokens will always be the same, and remain valid. So if you want to simply invalidate old tokens, just call

manager.UpdateSecurityStampAsync();