When trying to regenerate OTP code with PUT action, the code
await _dataProtectorTokenProvider.ValidateAsync("resend_token", resendToken, _userManager, user) always return false. So the token is Invalid.
Can you help on this ?

Very interesting project. Thanks for sharing.
I hope you don't mind I ask a question here?

I saw there is also a put method with param resend_token.
What's the idea behind this?
thanks
paul.

Awesome work, Thank you.

If you could illustrate how to renew the JWT from refresh token.

I see that you Sample Client project is empty. Did you manage to have MVC client with this PasswordLess auth Idp ?

hi. i am using .net core 3.1 and IdentityServer 4.1.1 .
in startup configuration I can not use AddAspNetIdentity<ApplicationUser> .
what should I do for that?
because when I want to sign in with _signInManager.SignInAsync(user, true); i got an error 'sub claim is missing'

Question concering security in VerifyPhoneNumberController: Don't you think it's unsecure if you use the hash of PhoneNumber as SecurityStamp? An attacker could potentially generate its own TOTP tokens? I'm not sure but I guess SecurityStamp is pretty much the only secret part in this TOTP generation... SHA(PhoneNumber) is not secure in my eyes because it's reproductible on the client side.

This is a great project and exactly what I was looking for, I am trying to replicate the Tinder authentication process which is OTP via SMS.

I'm slightly confused around the implementation for native mobile. Reading the best practices client_secret should not be added to mobile apps as they can be accessed when decompiling source code.
I can set RequireClientSecret = false which will mean client secret does not have to be sent. Would this make the phonenumber grant type still secure?

Best practice seems to steer away from password grant on mobile (which I think PhoneNumberAuth is a version of?)
I see most of the risks migrated by:

• Short lived user passcodes
• Enabled account lockout for x failed attempts and request reset passcode so limits brute force

Wondering do you have an opinion on if this project is suitable for native mobile apps or is there any further config?