Add support for TimeProvider in DataProtectionTokenProvider and DataProtectionTokenProviderOptions #66586

Open
marcominerva wants to merge 2 commits into dotnet:main from marcominerva:dataprotector-timeprovider

@marcominerva

Contributor

This pull request enhances the DataProtectorTokenProvider in ASP.NET Core Identity by introducing support for TimeProvider, enabling improved testability and flexibility for time-dependent operations like token generation and validation. It also ensures that the TimeProvider can be injected via dependency injection (DI) or set directly in options, and adds a comprehensive suite of tests to verify these behaviors. This change uses the same pattern already applied in the SecurityStampValidator class.

Key changes:

TimeProvider support and integration

  • Added a nullable TimeProvider property to DataProtectionTokenProviderOptions to allow overriding the system clock, primarily for testing scenarios.
  • Updated DataProtectorTokenProvider to use the configured TimeProvider (falling back to TimeProvider.System if not set) for all time-based operations, replacing direct usage of DateTimeOffset.UtcNow. [1] [2] [3] [4]
  • Registered a new PostConfigureDataProtectionTokenProviderOptions class to set the TimeProvider from DI if not already set, mirroring the pattern used for SecurityStampValidatorOptions. This ensures consistent configuration via DI. [1] [2] [3] [4]

Testing improvements

  • Added a new test file DataProtectorTokenProviderTest.cs with comprehensive tests covering token generation/validation, token expiry based on custom TimeProvider, and correct precedence between DI-injected and manually set TimeProvider.

Public API updates

  • Updated the public API surface to include the new TimeProvider properties and accessors for both DataProtectionTokenProviderOptions and DataProtectorTokenProvider<TUser>.

Fixes #54639
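The pattern described above (a nullable clock on the options, falling back to TimeProvider.System, and used for both issuing and expiring tokens), as an added example that is not code from this pull request or from ASP.NET Core. DemoTokenOptions, ManualClock, DemoTokenProvider and the HMAC token format are hypothetical stand-ins; it assumes .NET 8 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Constructed scenario: a 24-hour token checked before and after its lifespan.
var clock = new ManualClock(new DateTimeOffset(2026, 1, 1, 0, 0, 0, TimeSpan.Zero));
var options = new DemoTokenOptions { TimeProvider = clock };
var provider = new DemoTokenProvider(options, RandomNumberGenerator.GetBytes(32));
var token = provider.Generate("user-1");
clock.Advance(TimeSpan.FromHours(23));
Console.WriteLine(provider.Validate(token, "user-1")); // still inside the lifespan
clock.Advance(TimeSpan.FromHours(2));
Console.WriteLine(provider.Validate(token, "user-1")); // lifespan exceeded

// Hypothetical options type; not DataProtectionTokenProviderOptions.
sealed class DemoTokenOptions
{
    public TimeSpan TokenLifespan { get; set; } = TimeSpan.FromDays(1);
    public TimeProvider? TimeProvider { get; set; } // null means "use the system clock"
}

// Test clock that only moves when told to.
sealed class ManualClock(DateTimeOffset start) : TimeProvider
{
    private DateTimeOffset _now = start;
    public override DateTimeOffset GetUtcNow() => _now;
    public void Advance(TimeSpan by) => _now += by;
}

// Hypothetical provider; the token is "<utc ticks>|<user id>|<HMAC-SHA256 hex>".
sealed class DemoTokenProvider(DemoTokenOptions options, byte[] key)
{
    private readonly TimeProvider _clock = options.TimeProvider ?? TimeProvider.System;

    public string Generate(string userId) => Sign($"{_clock.GetUtcNow().UtcTicks}|{userId}");

    public bool Validate(string token, string userId)
    {
        var parts = token.Split('|');
        if (parts.Length != 3 || parts[1] != userId) return false;
        // Verify integrity before trusting the embedded creation time.
        var expected = Encoding.UTF8.GetBytes(Sign($"{parts[0]}|{parts[1]}"));
        if (!CryptographicOperations.FixedTimeEquals(expected, Encoding.UTF8.GetBytes(token))) return false;
        if (!long.TryParse(parts[0], out var ticks)) return false;
        return new DateTimeOffset(ticks, TimeSpan.Zero) + options.TokenLifespan >= _clock.GetUtcNow();
    }

    private string Sign(string payload) =>
        payload + "|" + Convert.ToHexString(HMACSHA256.HashData(key, Encoding.UTF8.GetBytes(payload)));
}
```

Because generation and validation read the same injected clock, the expiry boundary can be exercised deterministically instead of waiting on wall-clock time.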

Copilot AI review requested due to automatic review settings May 5, 2026 13:12
@github-actions github-actions Bot added the area-identity Includes: Identity and providers label May 5, 2026
@dotnet-policy-service dotnet-policy-service Bot added the community-contribution Indicates that the PR has been added by a community member label May 5, 2026
@dotnet-policy-service

Contributor

Thanks for your PR, @marcominerva. Someone from the team will get assigned to your PR shortly and we'll get it reviewed.

Copilot AI left a comment

Contributor

Pull request overview

Adds TimeProvider support to Identity's data-protection token provider so token generation/validation can use injectable time sources instead of DateTimeOffset.UtcNow, primarily to improve testability and align with existing Identity time abstractions.

Changes:

  • Added TimeProvider to DataProtectionTokenProviderOptions and exposed the resolved provider on DataProtectorTokenProvider<TUser>.
  • Updated token generation/validation to read current time from TimeProvider.
  • Added DI post-configuration and new tests for option-based and DI-based time injection.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| src/Identity/test/Identity.Test/DataProtectorTokenProviderTest.cs | Adds unit tests for token generation/validation and TimeProvider injection behavior. |
| src/Identity/Core/src/PublicAPI.Unshipped.txt | Records the new public API surface for TimeProvider. |
| src/Identity/Core/src/IdentityServiceCollectionExtensions.cs | Registers post-configuration for DataProtectionTokenProviderOptions in the AddIdentity path. |
| src/Identity/Core/src/IdentityBuilderExtensions.cs | Registers post-configuration for DataProtectionTokenProviderOptions in the default token-provider path. |
| src/Identity/Core/src/DataProtectorTokenProvider.cs | Switches token timestamp generation/validation to use TimeProvider. |
| src/Identity/Core/src/DataProtectionTokenProviderOptions.cs | Adds the new nullable TimeProvider option. |

Comment thread src/Identity/Core/src/IdentityBuilderExtensions.cs
Comment thread src/Identity/Core/src/IdentityServiceCollectionExtensions.cs
Comment thread src/Identity/test/Identity.Test/DataProtectorTokenProviderTest.cs
@marcominerva marcominerva marked this pull request as draft May 5, 2026 13:20

Development

Successfully merging this pull request may close these issues.

DataProtectorTokenProvider does not implement TimeProvider
