
Unable to send 2fa code to mail & unable to obtain GET account/2fa and POST account/2fa in dotnet 8 identity endpoints. #53169


Closed
Amit-limbasiya opened this issue Jan 5, 2024 · 3 comments
Labels
area-identity Includes: Identity and providers enhancement This issue represents an ask for new feature or an enhancement to an existing one

Comments

@Amit-limbasiya

Amit-limbasiya commented Jan 5, 2024

Describe the bug

In dotnet 8 Identity endpoints there are a few built-in endpoints released as per this PR.

I have added the authorization to the service as builder.Services.AddAuthorization();

If I add endpoints by builder.Services.AddIdentityApiEndpoints<IdentityUser>().AddEntityFrameworkStores<AppDbContext>();

And when I map the endpoints as app.MapGroup("/identity").MapIdentityApi<IdentityUser>();
It is exposing these endpoints as given in the below image.
[image: the list of exposed identity endpoints]

I didn't get the GET account/2fa endpoint or POST account/2fa endpoint.

Additionally, I want to ask how we can enable 2fa with the dotnet-8 identity endpoints, like in the aspnetcore1.1 framework.
I want to send the OTP code to the user's email and verify the code. What additional things do I have to do?
The scenario is that it should work seamlessly, like the aspnet framework web app.

Do the identity endpoints provide a way to do so? If yes, then how?

Expected Behavior

The api should expose the GET and POST account/2fa endpoints to send the code to user Email and verify it.

Steps To Reproduce

Just follow this documentation and write the simple code to add authorization to the service, add identity endpoints to the service with the sql server entityframeworkstore, and map the endpoints to the route by app.MapGroup("/identity").MapIdentityApi<IdentityUser>();.

.NET Version

8.0.0

I don't know how to add the 2fa in the api. So anything to solve this issue would be great help.

@ghost ghost added the area-identity Includes: Identity and providers label Jan 5, 2024
@Amit-limbasiya
Author

In addition to this, when I try to enable 2fa by the /manage/2fa endpoint with the following json body

{
  "enable": true,
  "twoFactorCode": "string",
  "resetSharedKey": false,
  "resetRecoveryCodes": false,
  "forgetMachine": false
}

it is giving the error: **"The 2fa token provided by the request was invalid. A valid 2fa token is required to enable 2fa."**
How do I enable 2fa authentication through the request?
And how do I ensure that I get the token by mail?

@Amit-limbasiya Amit-limbasiya changed the title How to get the GET account/2fa and POST account/2fa in dotnet 8 identity endpoints. Unable to send 2fa code to mail & unable to obtain GET account/2fa and POST account/2fa in dotnet 8 identity endpoints. Jan 8, 2024
@MackinnonBuck MackinnonBuck added the enhancement This issue represents an ask for new feature or an enhancement to an existing one label Feb 22, 2024
@MackinnonBuck MackinnonBuck added this to the .NET 10 Planning milestone Feb 22, 2024
@halter73
Member

halter73 commented Feb 22, 2024

Take a look at https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity-api-authorization?view=aspnetcore-8.0#use-the-post-manage2fa-endpoint to see how to use the /manage/2fa endpoint.

Even though it's POST only, it should do everything you want from a GET endpoint. Since the endpoint cannot show any shared keys or recovery codes unless they've been newly (re)generated, there is not much for a GET endpoint to show given it cannot regenerate anything for security reasons.

tl;dr: You can get the shared key by POSTing {} to the /manage/2fa endpoint. If no shared key or recovery codes have been generated yet, they will be generated during the POST and displayed in the response. If keys and recovery codes have already been generated but have been lost, you can POST { "resetSharedKey": true, "resetRecoveryCodes": true }.

Then, to enable 2fa, you have to POST { "enable": true, "twoFactorCode": "<code generated from sharedKey>" }.

We've moved this into .NET 10 planning because even though we don't have immediate plans to change this, we could probably make the API more usable by adding additional endpoints like /manage/2fa/reset and /manage/2fa/enable which make it more clear in the OpenAPI spec that a "twoFactorCode" is not a requirement for resetting the 2fa, but it is a requirement for enabling it.
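The exchange described above (POST {} to obtain the shared key, POST the reset flags if it has been lost, then POST enable with a code derived from the key), as an added example that is not part of this thread and not ASP.NET Core's own code. The in-memory FakeManage2faEndpoint models only the behaviour halter73 describes; the response field names recoveryCodes and isTwoFactorEnabled, the RFC 6238 TOTP parameters (HMAC-SHA1, 30-second steps, 6 digits) and the one-step clock-skew window are assumptions about how a real authenticator-based provider verifies the code. The sample key is the base32 encoding of the RFC 6238 test secret, so the TOTP values can be checked against the RFC's published vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Constructed sample key: RFC 6238's test secret "12345678901234567890" in base32.
SAMPLE_SHARED_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(shared_key_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps, 6 digits): the code an authenticator app shows
    for the sharedKey. Assumed here to match the provider's verification parameters."""
    cleaned = shared_key_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class FakeManage2faEndpoint:
    """Stand-in for POST /manage/2fa, modelling only what the thread states:
    - the shared key and recovery codes are returned only when newly (re)generated;
    - resetSharedKey / resetRecoveryCodes regenerate them without needing a code;
    - enable requires a twoFactorCode that verifies against the current key."""

    INVALID_CODE = ("The 2fa token provided by the request was invalid. "
                    "A valid 2fa token is required to enable 2fa.")

    def __init__(self, clock=time.time):
        self.clock = clock
        self.shared_key = None
        self.recovery_codes = []
        self.enabled = False

    def post(self, body: dict) -> dict:
        new_key = self.shared_key is None or body.get("resetSharedKey", False)
        if new_key:
            self.shared_key = base64.b32encode(secrets.token_bytes(20)).decode()
            self.enabled = False  # a fresh key invalidates any earlier enrolment
        new_codes = not self.recovery_codes or body.get("resetRecoveryCodes", False)
        if new_codes:
            self.recovery_codes = [secrets.token_hex(4) for _ in range(10)]
        if body.get("enable", False):
            if not self._code_is_valid(body.get("twoFactorCode")):
                return {"status": 400, "error": self.INVALID_CODE}
            self.enabled = True
        response = {"status": 200, "isTwoFactorEnabled": self.enabled}
        if new_key:
            response["sharedKey"] = self.shared_key
        if new_codes:
            response["recoveryCodes"] = list(self.recovery_codes)
        return response

    def _code_is_valid(self, code) -> bool:
        # Placeholder text such as "string" never verifies; compare in constant time
        # and allow one step of clock skew either way (assumed window).
        if not code or not code.isdigit():
            return False
        now = int(self.clock())
        return any(hmac.compare_digest(totp(self.shared_key, now + d * 30), code)
                   for d in (-1, 0, 1))


def enroll(endpoint: FakeManage2faEndpoint, clock=time.time) -> dict:
    """Client side of the exchange: obtain the key, regenerate it if it was lost,
    then enable 2fa with a code computed from that key."""
    first = endpoint.post({})  # step 1: generated on first call, otherwise not shown
    shared_key = first.get("sharedKey")
    if shared_key is None:  # key exists but the client no longer has it: reset both
        first = endpoint.post({"resetSharedKey": True, "resetRecoveryCodes": True})
        shared_key = first["sharedKey"]
    code = totp(shared_key, int(clock()))  # what the user's authenticator would display
    second = endpoint.post({"enable": True, "twoFactorCode": code})
    return {"sharedKey": shared_key,
            "recoveryCodes": first.get("recoveryCodes", []),
            "enable": second}


if __name__ == "__main__":
    ep = FakeManage2faEndpoint()
    print(ep.post({"enable": True, "twoFactorCode": "string"}))  # the thread's failing request
    print(enroll(ep))
```

Sending the literal "string" from the OpenAPI sample, as in the second comment, is rejected because no key-derived code was supplied; the reset flags need no code, while enable does, which is exactly the distinction the proposed /manage/2fa/reset and /manage/2fa/enable split would make explicit.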

@Amit-limbasiya
Author

Thanks @halter73, the confusion is cleared.👍
