File: UserManager.cs
Web Access
Project: src\src\Identity\Extensions.Core\src\Microsoft.Extensions.Identity.Core.csproj (Microsoft.Extensions.Identity.Core)
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
 
using System;
using System.Collections.Generic;
using System.Diagnostics.CodeAnalysis;
using System.Linq;
using System.Runtime.InteropServices;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Shared;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Identity.Core;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
 
namespace Microsoft.AspNetCore.Identity;
 
/// <summary>
/// Provides the APIs for managing user in a persistence store.
/// </summary>
/// <typeparam name="TUser">The type encapsulating a user.</typeparam>
public class UserManager<TUser> : IDisposable where TUser : class
{
    /// <summary>
    /// The data protection purpose used for the reset password related methods.
    /// </summary>
    public const string ResetPasswordTokenPurpose = "ResetPassword";
 
    /// <summary>
    /// The data protection purpose used for the change phone number methods.
    /// </summary>
    public const string ChangePhoneNumberTokenPurpose = "ChangePhoneNumber";
 
    /// <summary>
    /// The data protection purpose used for the email confirmation related methods.
    /// </summary>
    public const string ConfirmEmailTokenPurpose = "EmailConfirmation";
 
    private readonly Dictionary<string, IUserTwoFactorTokenProvider<TUser>> _tokenProviders =
        new Dictionary<string, IUserTwoFactorTokenProvider<TUser>>();
 
    private bool _disposed;
#if NETSTANDARD2_0 || NETFRAMEWORK
    private static readonly RandomNumberGenerator _rng = RandomNumberGenerator.Create();
#endif
    private readonly IServiceProvider _services;
 
    /// <summary>
    /// The cancellation token used to cancel operations.
    /// </summary>
    protected virtual CancellationToken CancellationToken => CancellationToken.None;
 
    /// <summary>
    /// Constructs a new instance of <see cref="UserManager{TUser}"/>.
    /// </summary>
    /// <param name="store">The persistence store the manager will operate over.</param>
    /// <param name="optionsAccessor">The accessor used to access the <see cref="IdentityOptions"/>.</param>
    /// <param name="passwordHasher">The password hashing implementation to use when saving passwords.</param>
    /// <param name="userValidators">A collection of <see cref="IUserValidator{TUser}"/> to validate users against.</param>
    /// <param name="passwordValidators">A collection of <see cref="IPasswordValidator{TUser}"/> to validate passwords against.</param>
    /// <param name="keyNormalizer">The <see cref="ILookupNormalizer"/> to use when generating index keys for users.</param>
    /// <param name="errors">The <see cref="IdentityErrorDescriber"/> used to provider error messages.</param>
    /// <param name="services">The <see cref="IServiceProvider"/> used to resolve services.</param>
    /// <param name="logger">The logger used to log messages, warnings and errors.</param>
    public UserManager(IUserStore<TUser> store,
        IOptions<IdentityOptions> optionsAccessor,
        IPasswordHasher<TUser> passwordHasher,
        IEnumerable<IUserValidator<TUser>> userValidators,
        IEnumerable<IPasswordValidator<TUser>> passwordValidators,
        ILookupNormalizer keyNormalizer,
        IdentityErrorDescriber errors,
        IServiceProvider services,
        ILogger<UserManager<TUser>> logger)
    {
        ArgumentNullThrowHelper.ThrowIfNull(store);
        Store = store;
        Options = optionsAccessor?.Value ?? new IdentityOptions();
        PasswordHasher = passwordHasher;
        KeyNormalizer = keyNormalizer;
        ErrorDescriber = errors;
        Logger = logger;
 
        if (userValidators != null)
        {
            foreach (var v in userValidators)
            {
                UserValidators.Add(v);
            }
        }
        if (passwordValidators != null)
        {
            foreach (var v in passwordValidators)
            {
                PasswordValidators.Add(v);
            }
        }
 
        _services = services;
        if (services != null)
        {
            foreach (var providerName in Options.Tokens.ProviderMap.Keys)
            {
                var description = Options.Tokens.ProviderMap[providerName];
 
                var provider = description.ProviderInstance as IUserTwoFactorTokenProvider<TUser>;
                if (provider == null && description.GetProviderType<IUserTwoFactorTokenProvider<TUser>>() is Type providerType)
                {
                    provider = (IUserTwoFactorTokenProvider<TUser>)services.GetRequiredService(providerType);
                }
 
                if (provider != null)
                {
                    RegisterTokenProvider(providerName, provider);
                }
            }
        }
 
        if (Options.Stores.ProtectPersonalData)
        {
            if (!(Store is IProtectedUserStore<TUser>))
            {
                throw new InvalidOperationException(Resources.StoreNotIProtectedUserStore);
            }
            if (services?.GetService<ILookupProtector>() == null)
            {
                throw new InvalidOperationException(Resources.NoPersonalDataProtector);
            }
        }
    }
 
    /// <summary>
    /// Gets or sets the persistence store the manager operates over.
    /// </summary>
    /// <value>The persistence store the manager operates over.</value>
    protected internal IUserStore<TUser> Store { get; set; }
 
    /// <summary>
    /// The <see cref="ILogger"/> used to log messages from the manager.
    /// </summary>
    /// <value>
    /// The <see cref="ILogger"/> used to log messages from the manager.
    /// </value>
    public virtual ILogger Logger { get; set; }
 
    /// <summary>
    /// The <see cref="IPasswordHasher{TUser}"/> used to hash passwords.
    /// </summary>
    public IPasswordHasher<TUser> PasswordHasher { get; set; }
 
    /// <summary>
    /// The <see cref="IUserValidator{TUser}"/> used to validate users.
    /// </summary>
    public IList<IUserValidator<TUser>> UserValidators { get; } = new List<IUserValidator<TUser>>();
 
    /// <summary>
    /// The <see cref="IPasswordValidator{TUser}"/> used to validate passwords.
    /// </summary>
    public IList<IPasswordValidator<TUser>> PasswordValidators { get; } = new List<IPasswordValidator<TUser>>();
 
    /// <summary>
    /// The <see cref="ILookupNormalizer"/> used to normalize things like user and role names.
    /// </summary>
    public ILookupNormalizer KeyNormalizer { get; set; }
 
    /// <summary>
    /// The <see cref="IdentityErrorDescriber"/> used to generate error messages.
    /// </summary>
    public IdentityErrorDescriber ErrorDescriber { get; set; }
 
    /// <summary>
    /// The <see cref="IdentityOptions"/> used to configure Identity.
    /// </summary>
    public IdentityOptions Options { get; set; }
 
    /// <summary>
    /// Gets a flag indicating whether the backing user store supports authentication tokens.
    /// </summary>
    /// <value>
    /// true if the backing user store supports authentication tokens, otherwise false.
    /// </value>
    public virtual bool SupportsUserAuthenticationTokens
    {
        get
        {
            ThrowIfDisposed();
            return Store is IUserAuthenticationTokenStore<TUser>;
        }
    }
 
    /// <summary>
    /// Gets a flag indicating whether the backing user store supports a user authenticator.
    /// </summary>
    /// <value>
    /// true if the backing user store supports a user authenticator, otherwise false.
    /// </value>
    public virtual bool SupportsUserAuthenticatorKey
    {
        get
        {
            ThrowIfDisposed();
            return Store is IUserAuthenticatorKeyStore<TUser>;
        }
    }
 
    /// <summary>
    /// Gets a flag indicating whether the backing user store supports recovery codes.
    /// </summary>
    /// <value>
    /// true if the backing user store supports a user authenticator, otherwise false.
    /// </value>
    public virtual bool SupportsUserTwoFactorRecoveryCodes
    {
        get
        {
            ThrowIfDisposed();
            return Store is IUserTwoFactorRecoveryCodeStore<TUser>;
        }
    }
 
    /// <summary>
    /// Gets a flag indicating whether the backing user store supports two factor authentication.
    /// </summary>
    /// <value>
    /// true if the backing user store supports user two factor authentication, otherwise false.
    /// </value>
    public virtual bool SupportsUserTwoFactor
    {
        get
        {
            ThrowIfDisposed();
            return Store is IUserTwoFactorStore<TUser>;
        }
    }
 
    /// <summary>
    /// Gets a flag indicating whether the backing user store supports user passwords.
    /// </summary>
    /// <value>
    /// true if the backing user store supports user passwords, otherwise false.
    /// </value>
    public virtual bool SupportsUserPassword
    {
        get
        {
            ThrowIfDisposed();
            return Store is IUserPasswordStore<TUser>;
        }
    }
 
    /// <summary>
    /// Gets a flag indicating whether the backing user store supports security stamps.
    /// </summary>
    /// <value>
    /// true if the backing user store supports user security stamps, otherwise false.
    /// </value>
    public virtual bool SupportsUserSecurityStamp
    {
        get
        {
            ThrowIfDisposed();
            return Store is IUserSecurityStampStore<TUser>;
        }
    }
 
    /// <summary>
    /// Gets a flag indicating whether the backing user store supports user roles.
    /// </summary>
    /// <value>
    /// true if the backing user store supports user roles, otherwise false.
    /// </value>
    public virtual bool SupportsUserRole
    {
        get
        {
            ThrowIfDisposed();
            return Store is IUserRoleStore<TUser>;
        }
    }
 
    /// <summary>
    /// Gets a flag indicating whether the backing user store supports external logins.
    /// </summary>
    /// <value>
    /// true if the backing user store supports external logins, otherwise false.
    /// </value>
    public virtual bool SupportsUserLogin
    {
        get
        {
            ThrowIfDisposed();
            return Store is IUserLoginStore<TUser>;
        }
    }
 
    /// <summary>
    /// Gets a flag indicating whether the backing user store supports user emails.
    /// </summary>
    /// <value>
    /// true if the backing user store supports user emails, otherwise false.
    /// </value>
    public virtual bool SupportsUserEmail
    {
        get
        {
            ThrowIfDisposed();
            return Store is IUserEmailStore<TUser>;
        }
    }
 
    /// <summary>
    /// Gets a flag indicating whether the backing user store supports user telephone numbers.
    /// </summary>
    /// <value>
    /// true if the backing user store supports user telephone numbers, otherwise false.
    /// </value>
    public virtual bool SupportsUserPhoneNumber
    {
        get
        {
            ThrowIfDisposed();
            return Store is IUserPhoneNumberStore<TUser>;
        }
    }
 
    /// <summary>
    /// Gets a flag indicating whether the backing user store supports user claims.
    /// </summary>
    /// <value>
    /// true if the backing user store supports user claims, otherwise false.
    /// </value>
    public virtual bool SupportsUserClaim
    {
        get
        {
            ThrowIfDisposed();
            return Store is IUserClaimStore<TUser>;
        }
    }
 
    /// <summary>
    /// Gets a flag indicating whether the backing user store supports user lock-outs.
    /// </summary>
    /// <value>
    /// true if the backing user store supports user lock-outs, otherwise false.
    /// </value>
    public virtual bool SupportsUserLockout
    {
        get
        {
            ThrowIfDisposed();
            return Store is IUserLockoutStore<TUser>;
        }
    }
 
    /// <summary>
    /// Gets a flag indicating whether the backing user store supports returning
    /// <see cref="IQueryable"/> collections of information.
    /// </summary>
    /// <value>
    /// true if the backing user store supports returning <see cref="IQueryable"/> collections of
    /// information, otherwise false.
    /// </value>
    public virtual bool SupportsQueryableUsers
    {
        get
        {
            ThrowIfDisposed();
            return Store is IQueryableUserStore<TUser>;
        }
    }
 
    /// <summary>
    ///     Returns an IQueryable of users if the store is an IQueryableUserStore
    /// </summary>
    public virtual IQueryable<TUser> Users
    {
        get
        {
            var queryableStore = Store as IQueryableUserStore<TUser>;
            if (queryableStore == null)
            {
                throw new NotSupportedException(Resources.StoreNotIQueryableUserStore);
            }
            return queryableStore.Users;
        }
    }
 
    /// <summary>
    /// Releases all resources used by the user manager.
    /// </summary>
    public void Dispose()
    {
        Dispose(true);
        GC.SuppressFinalize(this);
    }
 
    /// <summary>
    /// Returns the Name claim value if present otherwise returns null.
    /// </summary>
    /// <param name="principal">The <see cref="ClaimsPrincipal"/> instance.</param>
    /// <returns>The Name claim value, or null if the claim is not present.</returns>
    /// <remarks>The Name claim is identified by <see cref="ClaimsIdentity.DefaultNameClaimType"/>.</remarks>
    public virtual string? GetUserName(ClaimsPrincipal principal)
    {
        ArgumentNullThrowHelper.ThrowIfNull(principal);
        return principal.FindFirstValue(Options.ClaimsIdentity.UserNameClaimType);
    }
 
    /// <summary>
    /// Returns the User ID claim value if present otherwise returns null.
    /// </summary>
    /// <param name="principal">The <see cref="ClaimsPrincipal"/> instance.</param>
    /// <returns>The User ID claim value, or null if the claim is not present.</returns>
    /// <remarks>The User ID claim is identified by <see cref="ClaimTypes.NameIdentifier"/>.</remarks>
    public virtual string? GetUserId(ClaimsPrincipal principal)
    {
        ArgumentNullThrowHelper.ThrowIfNull(principal);
        return principal.FindFirstValue(Options.ClaimsIdentity.UserIdClaimType);
    }
 
    /// <summary>
    /// Returns the user corresponding to the IdentityOptions.ClaimsIdentity.UserIdClaimType claim in
    /// the principal or null.
    /// </summary>
    /// <param name="principal">The principal which contains the user id claim.</param>
    /// <returns>The user corresponding to the IdentityOptions.ClaimsIdentity.UserIdClaimType claim in
    /// the principal or null</returns>
    public virtual Task<TUser?> GetUserAsync(ClaimsPrincipal principal)
    {
        ArgumentNullThrowHelper.ThrowIfNull(principal);
        var id = GetUserId(principal);
        return id == null ? Task.FromResult<TUser?>(null) : FindByIdAsync(id);
    }
 
    /// <summary>
    /// Generates a value suitable for use in concurrency tracking.
    /// </summary>
    /// <param name="user">The user to generate the stamp for.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing the security
    /// stamp for the specified <paramref name="user"/>.
    /// </returns>
    public virtual Task<string> GenerateConcurrencyStampAsync(TUser user)
    {
        return Task.FromResult(Guid.NewGuid().ToString());
    }
 
    /// <summary>
    /// Creates the specified <paramref name="user"/> in the backing store with no password,
    /// as an asynchronous operation.
    /// </summary>
    /// <param name="user">The user to create.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing the <see cref="IdentityResult"/>
    /// of the operation.
    /// </returns>
    public virtual async Task<IdentityResult> CreateAsync(TUser user)
    {
        ThrowIfDisposed();
        await UpdateSecurityStampInternal(user).ConfigureAwait(false);
        var result = await ValidateUserAsync(user).ConfigureAwait(false);
        if (!result.Succeeded)
        {
            return result;
        }
        if (Options.Lockout.AllowedForNewUsers && SupportsUserLockout)
        {
            await GetUserLockoutStore().SetLockoutEnabledAsync(user, true, CancellationToken).ConfigureAwait(false);
        }
        await UpdateNormalizedUserNameAsync(user).ConfigureAwait(false);
        await UpdateNormalizedEmailAsync(user).ConfigureAwait(false);
 
        return await Store.CreateAsync(user, CancellationToken).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Updates the specified <paramref name="user"/> in the backing store.
    /// </summary>
    /// <param name="user">The user to update.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing the <see cref="IdentityResult"/>
    /// of the operation.
    /// </returns>
    public virtual Task<IdentityResult> UpdateAsync(TUser user)
    {
        ThrowIfDisposed();
        ArgumentNullThrowHelper.ThrowIfNull(user);
 
        return UpdateUserAsync(user);
    }
 
    /// <summary>
    /// Deletes the specified <paramref name="user"/> from the backing store.
    /// </summary>
    /// <param name="user">The user to delete.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing the <see cref="IdentityResult"/>
    /// of the operation.
    /// </returns>
    public virtual Task<IdentityResult> DeleteAsync(TUser user)
    {
        ThrowIfDisposed();
        ArgumentNullThrowHelper.ThrowIfNull(user);
 
        return Store.DeleteAsync(user, CancellationToken);
    }
 
    /// <summary>
    /// Finds and returns a user, if any, who has the specified <paramref name="userId"/>.
    /// </summary>
    /// <param name="userId">The user ID to search for.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing the user matching the specified <paramref name="userId"/> if it exists.
    /// </returns>
    public virtual Task<TUser?> FindByIdAsync(string userId)
    {
        ThrowIfDisposed();
        return Store.FindByIdAsync(userId, CancellationToken);
    }
 
    /// <summary>
    /// Finds and returns a user, if any, who has the specified user name.
    /// </summary>
    /// <param name="userName">The user name to search for.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing the user matching the specified <paramref name="userName"/> if it exists.
    /// </returns>
    public virtual async Task<TUser?> FindByNameAsync(string userName)
    {
        ThrowIfDisposed();
        ArgumentNullThrowHelper.ThrowIfNull(userName);
        userName = NormalizeName(userName);
 
        var user = await Store.FindByNameAsync(userName, CancellationToken).ConfigureAwait(false);
 
        // Need to potentially check all keys
        if (user == null && Options.Stores.ProtectPersonalData)
        {
            var keyRing = _services.GetService<ILookupProtectorKeyRing>();
            var protector = _services.GetService<ILookupProtector>();
            if (keyRing != null && protector != null)
            {
                foreach (var key in keyRing.GetAllKeyIds())
                {
                    var oldKey = protector.Protect(key, userName);
                    user = await Store.FindByNameAsync(oldKey, CancellationToken).ConfigureAwait(false);
                    if (user != null)
                    {
                        return user;
                    }
                }
            }
        }
        return user;
    }
 
    /// <summary>
    /// Creates the specified <paramref name="user"/> in the backing store with given password,
    /// as an asynchronous operation.
    /// </summary>
    /// <param name="user">The user to create.</param>
    /// <param name="password">The password for the user to hash and store.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing the <see cref="IdentityResult"/>
    /// of the operation.
    /// </returns>
    public virtual async Task<IdentityResult> CreateAsync(TUser user, string password)
    {
        ThrowIfDisposed();
        var passwordStore = GetPasswordStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
        ArgumentNullThrowHelper.ThrowIfNull(password);
        var result = await UpdatePasswordHash(passwordStore, user, password).ConfigureAwait(false);
        if (!result.Succeeded)
        {
            return result;
        }
        return await CreateAsync(user).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Normalize user or role name for consistent comparisons.
    /// </summary>
    /// <param name="name">The name to normalize.</param>
    /// <returns>A normalized value representing the specified <paramref name="name"/>.</returns>
    [return: NotNullIfNotNull("name")]
    public virtual string? NormalizeName(string? name)
        => (KeyNormalizer == null) ? name : KeyNormalizer.NormalizeName(name);
 
    /// <summary>
    /// Normalize email for consistent comparisons.
    /// </summary>
    /// <param name="email">The email to normalize.</param>
    /// <returns>A normalized value representing the specified <paramref name="email"/>.</returns>
    [return: NotNullIfNotNull("email")]
    public virtual string? NormalizeEmail(string? email)
        => (KeyNormalizer == null) ? email : KeyNormalizer.NormalizeEmail(email);
 
    [return: NotNullIfNotNull("data")]
    private string? ProtectPersonalData(string? data)
    {
        if (Options.Stores.ProtectPersonalData)
        {
            var keyRing = _services.GetRequiredService<ILookupProtectorKeyRing>();
            var protector = _services.GetRequiredService<ILookupProtector>();
            return protector.Protect(keyRing.CurrentKeyId, data);
        }
        return data;
    }
 
    /// <summary>
    /// Updates the normalized user name for the specified <paramref name="user"/>.
    /// </summary>
    /// <param name="user">The user whose user name should be normalized and updated.</param>
    /// <returns>The <see cref="Task"/> that represents the asynchronous operation.</returns>
    public virtual async Task UpdateNormalizedUserNameAsync(TUser user)
    {
        var normalizedName = NormalizeName(await GetUserNameAsync(user).ConfigureAwait(false));
        normalizedName = ProtectPersonalData(normalizedName);
        await Store.SetNormalizedUserNameAsync(user, normalizedName, CancellationToken).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Gets the user name for the specified <paramref name="user"/>.
    /// </summary>
    /// <param name="user">The user whose name should be retrieved.</param>
    /// <returns>The <see cref="Task"/> that represents the asynchronous operation, containing the name for the specified <paramref name="user"/>.</returns>
    public virtual async Task<string?> GetUserNameAsync(TUser user)
    {
        ThrowIfDisposed();
        ArgumentNullThrowHelper.ThrowIfNull(user);
        return await Store.GetUserNameAsync(user, CancellationToken).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Sets the given <paramref name="userName" /> for the specified <paramref name="user"/>.
    /// </summary>
    /// <param name="user">The user whose name should be set.</param>
    /// <param name="userName">The user name to set.</param>
    /// <returns>The <see cref="Task"/> that represents the asynchronous operation.</returns>
    public virtual async Task<IdentityResult> SetUserNameAsync(TUser user, string? userName)
    {
        ThrowIfDisposed();
        ArgumentNullThrowHelper.ThrowIfNull(user);
 
        await Store.SetUserNameAsync(user, userName, CancellationToken).ConfigureAwait(false);
        await UpdateSecurityStampInternal(user).ConfigureAwait(false);
        return await UpdateUserAsync(user).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Gets the user identifier for the specified <paramref name="user"/>.
    /// </summary>
    /// <param name="user">The user whose identifier should be retrieved.</param>
    /// <returns>The <see cref="Task"/> that represents the asynchronous operation, containing the identifier for the specified <paramref name="user"/>.</returns>
    public virtual async Task<string> GetUserIdAsync(TUser user)
    {
        ThrowIfDisposed();
        return await Store.GetUserIdAsync(user, CancellationToken).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Returns a flag indicating whether the given <paramref name="password"/> is valid for the
    /// specified <paramref name="user"/>.
    /// </summary>
    /// <param name="user">The user whose password should be validated.</param>
    /// <param name="password">The password to validate</param>
    /// <returns>The <see cref="Task"/> that represents the asynchronous operation, containing true if
    /// the specified <paramref name="password" /> matches the one store for the <paramref name="user"/>,
    /// otherwise false.</returns>
    public virtual async Task<bool> CheckPasswordAsync(TUser user, string password)
    {
        ThrowIfDisposed();
        var passwordStore = GetPasswordStore();
        if (user == null)
        {
            return false;
        }
 
        var result = await VerifyPasswordAsync(passwordStore, user, password).ConfigureAwait(false);
        if (result == PasswordVerificationResult.SuccessRehashNeeded)
        {
            await UpdatePasswordHash(passwordStore, user, password, validatePassword: false).ConfigureAwait(false);
            await UpdateUserAsync(user).ConfigureAwait(false);
        }
 
        var success = result != PasswordVerificationResult.Failed;
        if (!success)
        {
            Logger.LogDebug(LoggerEventIds.InvalidPassword, "Invalid password for user.");
        }
        return success;
    }
 
    /// <summary>
    /// Gets a flag indicating whether the specified <paramref name="user"/> has a password.
    /// </summary>
    /// <param name="user">The user to return a flag for, indicating whether they have a password or not.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, returning true if the specified <paramref name="user"/> has a password
    /// otherwise false.
    /// </returns>
    public virtual Task<bool> HasPasswordAsync(TUser user)
    {
        ThrowIfDisposed();
        var passwordStore = GetPasswordStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
 
        return passwordStore.HasPasswordAsync(user, CancellationToken);
    }
 
    /// <summary>
    /// Adds the <paramref name="password"/> to the specified <paramref name="user"/> only if the user
    /// does not already have a password.
    /// </summary>
    /// <param name="user">The user whose password should be set.</param>
    /// <param name="password">The password to set.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing the <see cref="IdentityResult"/>
    /// of the operation.
    /// </returns>
    public virtual async Task<IdentityResult> AddPasswordAsync(TUser user, string password)
    {
        ThrowIfDisposed();
        var passwordStore = GetPasswordStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
 
        var hash = await passwordStore.GetPasswordHashAsync(user, CancellationToken).ConfigureAwait(false);
        if (hash != null)
        {
            Logger.LogDebug(LoggerEventIds.UserAlreadyHasPassword, "User already has a password.");
            return IdentityResult.Failed(ErrorDescriber.UserAlreadyHasPassword());
        }
        var result = await UpdatePasswordHash(passwordStore, user, password).ConfigureAwait(false);
        if (!result.Succeeded)
        {
            return result;
        }
        return await UpdateUserAsync(user).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Changes a user's password after confirming the specified <paramref name="currentPassword"/> is correct,
    /// as an asynchronous operation.
    /// </summary>
    /// <param name="user">The user whose password should be set.</param>
    /// <param name="currentPassword">The current password to validate before changing.</param>
    /// <param name="newPassword">The new password to set for the specified <paramref name="user"/>.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing the <see cref="IdentityResult"/>
    /// of the operation.
    /// </returns>
    public virtual async Task<IdentityResult> ChangePasswordAsync(TUser user, string currentPassword, string newPassword)
    {
        ThrowIfDisposed();
        var passwordStore = GetPasswordStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
 
        if (await VerifyPasswordAsync(passwordStore, user, currentPassword).ConfigureAwait(false) != PasswordVerificationResult.Failed)
        {
            var result = await UpdatePasswordHash(passwordStore, user, newPassword).ConfigureAwait(false);
            if (!result.Succeeded)
            {
                return result;
            }
            return await UpdateUserAsync(user).ConfigureAwait(false);
        }
        Logger.LogDebug(LoggerEventIds.ChangePasswordFailed, "Change password failed for user.");
        return IdentityResult.Failed(ErrorDescriber.PasswordMismatch());
    }
 
    /// <summary>
    /// Removes a user's password.
    /// </summary>
    /// <param name="user">The user whose password should be removed.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing the <see cref="IdentityResult"/>
    /// of the operation.
    /// </returns>
    public virtual async Task<IdentityResult> RemovePasswordAsync(TUser user)
    {
        ThrowIfDisposed();
        var passwordStore = GetPasswordStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
 
        await UpdatePasswordHash(passwordStore, user, null, validatePassword: false).ConfigureAwait(false);
        return await UpdateUserAsync(user).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Returns a <see cref="PasswordVerificationResult"/> indicating the result of a password hash comparison.
    /// </summary>
    /// <param name="store">The store containing a user's password.</param>
    /// <param name="user">The user whose password should be verified.</param>
    /// <param name="password">The password to verify.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing the <see cref="PasswordVerificationResult"/>
    /// of the operation.
    /// </returns>
    protected virtual async Task<PasswordVerificationResult> VerifyPasswordAsync(IUserPasswordStore<TUser> store, TUser user, string password)
    {
        var hash = await store.GetPasswordHashAsync(user, CancellationToken).ConfigureAwait(false);
        if (hash == null)
        {
            return PasswordVerificationResult.Failed;
        }
        return PasswordHasher.VerifyHashedPassword(user, hash, password);
    }
 
    /// <summary>
    /// Get the security stamp for the specified <paramref name="user" />.
    /// </summary>
    /// <param name="user">The user whose security stamp should be set.</param>
    /// <returns>The <see cref="Task"/> that represents the asynchronous operation, containing the security stamp for the specified <paramref name="user"/>.</returns>
    public virtual async Task<string> GetSecurityStampAsync(TUser user)
    {
        ThrowIfDisposed();
        var securityStore = GetSecurityStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
        var stamp = await securityStore.GetSecurityStampAsync(user, CancellationToken).ConfigureAwait(false);
        if (stamp == null)
        {
            Logger.LogDebug(LoggerEventIds.GetSecurityStampFailed, "GetSecurityStampAsync for user failed because stamp was null.");
            throw new InvalidOperationException(Resources.NullSecurityStamp);
        }
        return stamp;
    }
 
    /// <summary>
    /// Regenerates the security stamp for the specified <paramref name="user" />.
    /// </summary>
    /// <param name="user">The user whose security stamp should be regenerated.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing the <see cref="IdentityResult"/>
    /// of the operation.
    /// </returns>
    /// <remarks>
    /// Regenerating a security stamp will sign out any saved login for the user.
    /// </remarks>
    public virtual async Task<IdentityResult> UpdateSecurityStampAsync(TUser user)
    {
        ThrowIfDisposed();
        GetSecurityStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
 
        await UpdateSecurityStampInternal(user).ConfigureAwait(false);
        return await UpdateUserAsync(user).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Generates a password reset token for the specified <paramref name="user"/>, using
    /// the configured password reset token provider.
    /// </summary>
    /// <param name="user">The user to generate a password reset token for.</param>
    /// <returns>The <see cref="Task"/> that represents the asynchronous operation,
    /// containing a password reset token for the specified <paramref name="user"/>.</returns>
    public virtual Task<string> GeneratePasswordResetTokenAsync(TUser user)
    {
        ThrowIfDisposed();
        return GenerateUserTokenAsync(user, Options.Tokens.PasswordResetTokenProvider, ResetPasswordTokenPurpose);
    }
 
    /// <summary>
    /// Resets the <paramref name="user"/>'s password to the specified <paramref name="newPassword"/> after
    /// validating the given password reset <paramref name="token"/>.
    /// </summary>
    /// <param name="user">The user whose password should be reset.</param>
    /// <param name="token">The password reset token to verify.</param>
    /// <param name="newPassword">The new password to set if reset token verification succeeds.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing the <see cref="IdentityResult"/>
    /// of the operation.
    /// </returns>
    public virtual async Task<IdentityResult> ResetPasswordAsync(TUser user, string token, string newPassword)
    {
        ThrowIfDisposed();
        ArgumentNullThrowHelper.ThrowIfNull(user);
 
        // Make sure the token is valid and the stamp matches
        if (!await VerifyUserTokenAsync(user, Options.Tokens.PasswordResetTokenProvider, ResetPasswordTokenPurpose, token).ConfigureAwait(false))
        {
            return IdentityResult.Failed(ErrorDescriber.InvalidToken());
        }
        var result = await UpdatePasswordHash(user, newPassword, validatePassword: true).ConfigureAwait(false);
        if (!result.Succeeded)
        {
            return result;
        }
        return await UpdateUserAsync(user).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Retrieves the user associated with the specified external login provider and login provider key.
    /// </summary>
    /// <param name="loginProvider">The login provider who provided the <paramref name="providerKey"/>.</param>
    /// <param name="providerKey">The key provided by the <paramref name="loginProvider"/> to identify a user.</param>
    /// <returns>
    /// The <see cref="Task"/> for the asynchronous operation, containing the user, if any which matched the specified login provider and key.
    /// </returns>
    public virtual Task<TUser?> FindByLoginAsync(string loginProvider, string providerKey)
    {
        ThrowIfDisposed();
        var loginStore = GetLoginStore();
        ArgumentNullThrowHelper.ThrowIfNull(loginProvider);
        ArgumentNullThrowHelper.ThrowIfNull(providerKey);
        return loginStore.FindByLoginAsync(loginProvider, providerKey, CancellationToken);
    }
 
    /// <summary>
    /// Attempts to remove the provided external login information from the specified <paramref name="user"/>.
    /// and returns a flag indicating whether the removal succeed or not.
    /// </summary>
    /// <param name="user">The user to remove the login information from.</param>
    /// <param name="loginProvider">The login provide whose information should be removed.</param>
    /// <param name="providerKey">The key given by the external login provider for the specified user.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing the <see cref="IdentityResult"/>
    /// of the operation.
    /// </returns>
    public virtual async Task<IdentityResult> RemoveLoginAsync(TUser user, string loginProvider, string providerKey)
    {
        ThrowIfDisposed();
        var loginStore = GetLoginStore();
        ArgumentNullThrowHelper.ThrowIfNull(loginProvider);
        ArgumentNullThrowHelper.ThrowIfNull(providerKey);
        ArgumentNullThrowHelper.ThrowIfNull(user);
 
        await loginStore.RemoveLoginAsync(user, loginProvider, providerKey, CancellationToken).ConfigureAwait(false);
        await UpdateSecurityStampInternal(user).ConfigureAwait(false);
        return await UpdateUserAsync(user).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Adds an external <see cref="UserLoginInfo"/> to the specified <paramref name="user"/>.
    /// </summary>
    /// <param name="user">The user to add the login to.</param>
    /// <param name="login">The external <see cref="UserLoginInfo"/> to add to the specified <paramref name="user"/>.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing the <see cref="IdentityResult"/>
    /// of the operation.
    /// </returns>
    public virtual async Task<IdentityResult> AddLoginAsync(TUser user, UserLoginInfo login)
    {
        ThrowIfDisposed();
        var loginStore = GetLoginStore();
        ArgumentNullThrowHelper.ThrowIfNull(login);
        ArgumentNullThrowHelper.ThrowIfNull(user);
 
        var existingUser = await FindByLoginAsync(login.LoginProvider, login.ProviderKey).ConfigureAwait(false);
        if (existingUser != null)
        {
            Logger.LogDebug(LoggerEventIds.AddLoginFailed, "AddLogin for user failed because it was already associated with another user.");
            return IdentityResult.Failed(ErrorDescriber.LoginAlreadyAssociated());
        }
        await loginStore.AddLoginAsync(user, login, CancellationToken).ConfigureAwait(false);
        return await UpdateUserAsync(user).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Retrieves the associated logins for the specified <param ref="user"/>.
    /// </summary>
    /// <param name="user">The user whose associated logins to retrieve.</param>
    /// <returns>
    /// The <see cref="Task"/> for the asynchronous operation, containing a list of <see cref="UserLoginInfo"/> for the specified <paramref name="user"/>, if any.
    /// </returns>
    public virtual async Task<IList<UserLoginInfo>> GetLoginsAsync(TUser user)
    {
        ThrowIfDisposed();
        var loginStore = GetLoginStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
        return await loginStore.GetLoginsAsync(user, CancellationToken).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Adds the specified <paramref name="claim"/> to the <paramref name="user"/>.
    /// </summary>
    /// <param name="user">The user to add the claim to.</param>
    /// <param name="claim">The claim to add.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing the <see cref="IdentityResult"/>
    /// of the operation.
    /// </returns>
    public virtual Task<IdentityResult> AddClaimAsync(TUser user, Claim claim)
    {
        ThrowIfDisposed();
        GetClaimStore();
        ArgumentNullThrowHelper.ThrowIfNull(claim);
        ArgumentNullThrowHelper.ThrowIfNull(user);
        return AddClaimsAsync(user, new Claim[] { claim });
    }
 
    /// <summary>
    /// Adds the specified <paramref name="claims"/> to the <paramref name="user"/>.
    /// </summary>
    /// <param name="user">The user to add the claim to.</param>
    /// <param name="claims">The claims to add.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing the <see cref="IdentityResult"/>
    /// of the operation.
    /// </returns>
    public virtual async Task<IdentityResult> AddClaimsAsync(TUser user, IEnumerable<Claim> claims)
    {
        ThrowIfDisposed();
        var claimStore = GetClaimStore();
        ArgumentNullThrowHelper.ThrowIfNull(claims);
        ArgumentNullThrowHelper.ThrowIfNull(user);
 
        await claimStore.AddClaimsAsync(user, claims, CancellationToken).ConfigureAwait(false);
        return await UpdateUserAsync(user).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Replaces the given <paramref name="claim"/> on the specified <paramref name="user"/> with the <paramref name="newClaim"/>
    /// </summary>
    /// <param name="user">The user to replace the claim on.</param>
    /// <param name="claim">The claim to replace.</param>
    /// <param name="newClaim">The new claim to replace the existing <paramref name="claim"/> with.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing the <see cref="IdentityResult"/>
    /// of the operation.
    /// </returns>
    public virtual async Task<IdentityResult> ReplaceClaimAsync(TUser user, Claim claim, Claim newClaim)
    {
        ThrowIfDisposed();
        var claimStore = GetClaimStore();
        ArgumentNullThrowHelper.ThrowIfNull(claim);
        ArgumentNullThrowHelper.ThrowIfNull(newClaim);
        ArgumentNullThrowHelper.ThrowIfNull(user);
 
        await claimStore.ReplaceClaimAsync(user, claim, newClaim, CancellationToken).ConfigureAwait(false);
        return await UpdateUserAsync(user).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Removes the specified <paramref name="claim"/> from the given <paramref name="user"/>.
    /// </summary>
    /// <param name="user">The user to remove the specified <paramref name="claim"/> from.</param>
    /// <param name="claim">The <see cref="Claim"/> to remove.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing the <see cref="IdentityResult"/>
    /// of the operation.
    /// </returns>
    public virtual Task<IdentityResult> RemoveClaimAsync(TUser user, Claim claim)
    {
        ThrowIfDisposed();
        GetClaimStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
        ArgumentNullThrowHelper.ThrowIfNull(claim);
        return RemoveClaimsAsync(user, new Claim[] { claim });
    }
 
    /// <summary>
    /// Removes the specified <paramref name="claims"/> from the given <paramref name="user"/>.
    /// </summary>
    /// <param name="user">The user to remove the specified <paramref name="claims"/> from.</param>
    /// <param name="claims">A collection of <see cref="Claim"/>s to remove.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing the <see cref="IdentityResult"/>
    /// of the operation.
    /// </returns>
    public virtual async Task<IdentityResult> RemoveClaimsAsync(TUser user, IEnumerable<Claim> claims)
    {
        ThrowIfDisposed();
        var claimStore = GetClaimStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
        ArgumentNullThrowHelper.ThrowIfNull(claims);
 
        await claimStore.RemoveClaimsAsync(user, claims, CancellationToken).ConfigureAwait(false);
        return await UpdateUserAsync(user).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Gets a list of <see cref="Claim"/>s to be belonging to the specified <paramref name="user"/> as an asynchronous operation.
    /// </summary>
    /// <param name="user">The user whose claims to retrieve.</param>
    /// <returns>
    /// A <see cref="Task{TResult}"/> that represents the result of the asynchronous query, a list of <see cref="Claim"/>s.
    /// </returns>
    public virtual async Task<IList<Claim>> GetClaimsAsync(TUser user)
    {
        ThrowIfDisposed();
        var claimStore = GetClaimStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
        return await claimStore.GetClaimsAsync(user, CancellationToken).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Add the specified <paramref name="user"/> to the named role.
    /// </summary>
    /// <param name="user">The user to add to the named role.</param>
    /// <param name="role">The name of the role to add the user to.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing the <see cref="IdentityResult"/>
    /// of the operation.
    /// </returns>
    public virtual async Task<IdentityResult> AddToRoleAsync(TUser user, string role)
    {
        ThrowIfDisposed();
        var userRoleStore = GetUserRoleStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
 
        var normalizedRole = NormalizeName(role);
        if (await userRoleStore.IsInRoleAsync(user, normalizedRole, CancellationToken).ConfigureAwait(false))
        {
            return UserAlreadyInRoleError(role);
        }
        await userRoleStore.AddToRoleAsync(user, normalizedRole, CancellationToken).ConfigureAwait(false);
        return await UpdateUserAsync(user).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Add the specified <paramref name="user"/> to the named roles.
    /// </summary>
    /// <param name="user">The user to add to the named roles.</param>
    /// <param name="roles">The name of the roles to add the user to.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing the <see cref="IdentityResult"/>
    /// of the operation.
    /// </returns>
    public virtual async Task<IdentityResult> AddToRolesAsync(TUser user, IEnumerable<string> roles)
    {
        ThrowIfDisposed();
        var userRoleStore = GetUserRoleStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
        ArgumentNullThrowHelper.ThrowIfNull(roles);
 
        foreach (var role in roles.Distinct())
        {
            var normalizedRole = NormalizeName(role);
            if (await userRoleStore.IsInRoleAsync(user, normalizedRole, CancellationToken).ConfigureAwait(false))
            {
                return UserAlreadyInRoleError(role);
            }
            await userRoleStore.AddToRoleAsync(user, normalizedRole, CancellationToken).ConfigureAwait(false);
        }
        return await UpdateUserAsync(user).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Removes the specified <paramref name="user"/> from the named role.
    /// </summary>
    /// <param name="user">The user to remove from the named role.</param>
    /// <param name="role">The name of the role to remove the user from.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing the <see cref="IdentityResult"/>
    /// of the operation.
    /// </returns>
    public virtual async Task<IdentityResult> RemoveFromRoleAsync(TUser user, string role)
    {
        ThrowIfDisposed();
        var userRoleStore = GetUserRoleStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
 
        var normalizedRole = NormalizeName(role);
        if (!await userRoleStore.IsInRoleAsync(user, normalizedRole, CancellationToken).ConfigureAwait(false))
        {
            return UserNotInRoleError(role);
        }
        await userRoleStore.RemoveFromRoleAsync(user, normalizedRole, CancellationToken).ConfigureAwait(false);
        return await UpdateUserAsync(user).ConfigureAwait(false);
    }
 
    private IdentityResult UserAlreadyInRoleError(string role)
    {
        if (Logger.IsEnabled(LogLevel.Debug))
        {
            Logger.LogDebug(LoggerEventIds.UserAlreadyInRole, "User is already in role {role}.", role);
        }
        return IdentityResult.Failed(ErrorDescriber.UserAlreadyInRole(role));
    }
 
    private IdentityResult UserNotInRoleError(string role)
    {
        if (Logger.IsEnabled(LogLevel.Debug))
        {
            Logger.LogDebug(LoggerEventIds.UserNotInRole, "User is not in role {role}.", role);
        }
        return IdentityResult.Failed(ErrorDescriber.UserNotInRole(role));
    }
 
    /// <summary>
    /// Removes the specified <paramref name="user"/> from the named roles.
    /// </summary>
    /// <param name="user">The user to remove from the named roles.</param>
    /// <param name="roles">The name of the roles to remove the user from.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing the <see cref="IdentityResult"/>
    /// of the operation.
    /// </returns>
    public virtual async Task<IdentityResult> RemoveFromRolesAsync(TUser user, IEnumerable<string> roles)
    {
        ThrowIfDisposed();
        var userRoleStore = GetUserRoleStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
        ArgumentNullThrowHelper.ThrowIfNull(roles);
 
        foreach (var role in roles)
        {
            var normalizedRole = NormalizeName(role);
            if (!await userRoleStore.IsInRoleAsync(user, normalizedRole, CancellationToken).ConfigureAwait(false))
            {
                return UserNotInRoleError(role);
            }
            await userRoleStore.RemoveFromRoleAsync(user, normalizedRole, CancellationToken).ConfigureAwait(false);
        }
        return await UpdateUserAsync(user).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Gets a list of role names the specified <paramref name="user"/> belongs to.
    /// </summary>
    /// <param name="user">The user whose role names to retrieve.</param>
    /// <returns>The <see cref="Task"/> that represents the asynchronous operation, containing a list of role names.</returns>
    public virtual async Task<IList<string>> GetRolesAsync(TUser user)
    {
        ThrowIfDisposed();
        var userRoleStore = GetUserRoleStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
        return await userRoleStore.GetRolesAsync(user, CancellationToken).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Returns a flag indicating whether the specified <paramref name="user"/> is a member of the given named role.
    /// </summary>
    /// <param name="user">The user whose role membership should be checked.</param>
    /// <param name="role">The name of the role to be checked.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing a flag indicating whether the specified <paramref name="user"/> is
    /// a member of the named role.
    /// </returns>
    public virtual async Task<bool> IsInRoleAsync(TUser user, string role)
    {
        ThrowIfDisposed();
        var userRoleStore = GetUserRoleStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
        return await userRoleStore.IsInRoleAsync(user, NormalizeName(role), CancellationToken).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Gets the email address for the specified <paramref name="user"/>.
    /// </summary>
    /// <param name="user">The user whose email should be returned.</param>
    /// <returns>The task object containing the results of the asynchronous operation, the email address for the specified <paramref name="user"/>.</returns>
    public virtual async Task<string?> GetEmailAsync(TUser user)
    {
        ThrowIfDisposed();
        var store = GetEmailStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
        return await store.GetEmailAsync(user, CancellationToken).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Sets the <paramref name="email"/> address for a <paramref name="user"/>.
    /// </summary>
    /// <param name="user">The user whose email should be set.</param>
    /// <param name="email">The email to set.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing the <see cref="IdentityResult"/>
    /// of the operation.
    /// </returns>
    public virtual async Task<IdentityResult> SetEmailAsync(TUser user, string? email)
    {
        ThrowIfDisposed();
        var store = GetEmailStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
 
        await store.SetEmailAsync(user, email, CancellationToken).ConfigureAwait(false);
        await store.SetEmailConfirmedAsync(user, false, CancellationToken).ConfigureAwait(false);
        await UpdateSecurityStampInternal(user).ConfigureAwait(false);
        return await UpdateUserAsync(user).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Gets the user, if any, associated with the normalized value of the specified email address.
    /// Note: Its recommended that identityOptions.User.RequireUniqueEmail be set to true when using this method, otherwise
    /// the store may throw if there are users with duplicate emails.
    /// </summary>
    /// <param name="email">The email address to return the user for.</param>
    /// <returns>
    /// The task object containing the results of the asynchronous lookup operation, the user, if any, associated with a normalized value of the specified email address.
    /// </returns>
    public virtual async Task<TUser?> FindByEmailAsync(string email)
    {
        ThrowIfDisposed();
        var store = GetEmailStore();
        ArgumentNullThrowHelper.ThrowIfNull(email);
 
        email = NormalizeEmail(email);
        var user = await store.FindByEmailAsync(email, CancellationToken).ConfigureAwait(false);
 
        // Need to potentially check all keys
        if (user == null && Options.Stores.ProtectPersonalData)
        {
            var keyRing = _services.GetService<ILookupProtectorKeyRing>();
            var protector = _services.GetService<ILookupProtector>();
            if (keyRing != null && protector != null)
            {
                foreach (var key in keyRing.GetAllKeyIds())
                {
                    var oldKey = protector.Protect(key, email);
                    user = await store.FindByEmailAsync(oldKey, CancellationToken).ConfigureAwait(false);
                    if (user != null)
                    {
                        return user;
                    }
                }
            }
        }
        return user;
    }
 
    /// <summary>
    /// Updates the normalized email for the specified <paramref name="user"/>.
    /// </summary>
    /// <param name="user">The user whose email address should be normalized and updated.</param>
    /// <returns>The task object representing the asynchronous operation.</returns>
    public virtual async Task UpdateNormalizedEmailAsync(TUser user)
    {
        var store = GetOptionalEmailStore();
        if (store != null)
        {
            var email = await GetEmailAsync(user).ConfigureAwait(false);
            await store.SetNormalizedEmailAsync(user, ProtectPersonalData(NormalizeEmail(email)!), CancellationToken).ConfigureAwait(false);
        }
    }
 
    /// <summary>
    /// Generates an email confirmation token for the specified user.
    /// </summary>
    /// <param name="user">The user to generate an email confirmation token for.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, an email confirmation token.
    /// </returns>
    public virtual Task<string> GenerateEmailConfirmationTokenAsync(TUser user)
    {
        ThrowIfDisposed();
        return GenerateUserTokenAsync(user, Options.Tokens.EmailConfirmationTokenProvider, ConfirmEmailTokenPurpose);
    }
 
    /// <summary>
    /// Validates that an email confirmation token matches the specified <paramref name="user"/>.
    /// </summary>
    /// <param name="user">The user to validate the token against.</param>
    /// <param name="token">The email confirmation token to validate.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing the <see cref="IdentityResult"/>
    /// of the operation.
    /// </returns>
    public virtual async Task<IdentityResult> ConfirmEmailAsync(TUser user, string token)
    {
        ThrowIfDisposed();
        var store = GetEmailStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
 
        if (!await VerifyUserTokenAsync(user, Options.Tokens.EmailConfirmationTokenProvider, ConfirmEmailTokenPurpose, token).ConfigureAwait(false))
        {
            return IdentityResult.Failed(ErrorDescriber.InvalidToken());
        }
        await store.SetEmailConfirmedAsync(user, true, CancellationToken).ConfigureAwait(false);
        return await UpdateUserAsync(user).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Gets a flag indicating whether the email address for the specified <paramref name="user"/> has been verified, true if the email address is verified otherwise
    /// false.
    /// </summary>
    /// <param name="user">The user whose email confirmation status should be returned.</param>
    /// <returns>
    /// The task object containing the results of the asynchronous operation, a flag indicating whether the email address for the specified <paramref name="user"/>
    /// has been confirmed or not.
    /// </returns>
    public virtual async Task<bool> IsEmailConfirmedAsync(TUser user)
    {
        ThrowIfDisposed();
        var store = GetEmailStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
        return await store.GetEmailConfirmedAsync(user, CancellationToken).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Generates an email change token for the specified user.
    /// </summary>
    /// <param name="user">The user to generate an email change token for.</param>
    /// <param name="newEmail">The new email address.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, an email change token.
    /// </returns>
    public virtual Task<string> GenerateChangeEmailTokenAsync(TUser user, string newEmail)
    {
        ThrowIfDisposed();
        return GenerateUserTokenAsync(user, Options.Tokens.ChangeEmailTokenProvider, GetChangeEmailTokenPurpose(newEmail));
    }
 
    /// <summary>
    /// Updates a users emails if the specified email change <paramref name="token"/> is valid for the user.
    /// </summary>
    /// <param name="user">The user whose email should be updated.</param>
    /// <param name="newEmail">The new email address.</param>
    /// <param name="token">The change email token to be verified.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing the <see cref="IdentityResult"/>
    /// of the operation.
    /// </returns>
    public virtual async Task<IdentityResult> ChangeEmailAsync(TUser user, string newEmail, string token)
    {
        ThrowIfDisposed();
        ArgumentNullThrowHelper.ThrowIfNull(user);
 
        // Make sure the token is valid and the stamp matches
        if (!await VerifyUserTokenAsync(user, Options.Tokens.ChangeEmailTokenProvider, GetChangeEmailTokenPurpose(newEmail), token).ConfigureAwait(false))
        {
            return IdentityResult.Failed(ErrorDescriber.InvalidToken());
        }
        var store = GetEmailStore();
        await store.SetEmailAsync(user, newEmail, CancellationToken).ConfigureAwait(false);
        await store.SetEmailConfirmedAsync(user, true, CancellationToken).ConfigureAwait(false);
        await UpdateSecurityStampInternal(user).ConfigureAwait(false);
        return await UpdateUserAsync(user).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Gets the telephone number, if any, for the specified <paramref name="user"/>.
    /// </summary>
    /// <param name="user">The user whose telephone number should be retrieved.</param>
    /// <returns>The <see cref="Task"/> that represents the asynchronous operation, containing the user's telephone number, if any.</returns>
    public virtual async Task<string?> GetPhoneNumberAsync(TUser user)
    {
        ThrowIfDisposed();
        var store = GetPhoneNumberStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
        return await store.GetPhoneNumberAsync(user, CancellationToken).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Sets the phone number for the specified <paramref name="user"/>.
    /// </summary>
    /// <param name="user">The user whose phone number to set.</param>
    /// <param name="phoneNumber">The phone number to set.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing the <see cref="IdentityResult"/>
    /// of the operation.
    /// </returns>
    public virtual async Task<IdentityResult> SetPhoneNumberAsync(TUser user, string? phoneNumber)
    {
        ThrowIfDisposed();
        var store = GetPhoneNumberStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
 
        await store.SetPhoneNumberAsync(user, phoneNumber, CancellationToken).ConfigureAwait(false);
        await store.SetPhoneNumberConfirmedAsync(user, false, CancellationToken).ConfigureAwait(false);
        await UpdateSecurityStampInternal(user).ConfigureAwait(false);
        return await UpdateUserAsync(user).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Sets the phone number for the specified <paramref name="user"/> if the specified
    /// change <paramref name="token"/> is valid.
    /// </summary>
    /// <param name="user">The user whose phone number to set.</param>
    /// <param name="phoneNumber">The phone number to set.</param>
    /// <param name="token">The phone number confirmation token to validate.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing the <see cref="IdentityResult"/>
    /// of the operation.
    /// </returns>
    public virtual async Task<IdentityResult> ChangePhoneNumberAsync(TUser user, string phoneNumber, string token)
    {
        ThrowIfDisposed();
        var store = GetPhoneNumberStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
 
        if (!await VerifyChangePhoneNumberTokenAsync(user, token, phoneNumber).ConfigureAwait(false))
        {
            Logger.LogDebug(LoggerEventIds.PhoneNumberChanged, "Change phone number for user failed with invalid token.");
            return IdentityResult.Failed(ErrorDescriber.InvalidToken());
        }
        await store.SetPhoneNumberAsync(user, phoneNumber, CancellationToken).ConfigureAwait(false);
        await store.SetPhoneNumberConfirmedAsync(user, true, CancellationToken).ConfigureAwait(false);
        await UpdateSecurityStampInternal(user).ConfigureAwait(false);
        return await UpdateUserAsync(user).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Gets a flag indicating whether the specified <paramref name="user"/>'s telephone number has been confirmed.
    /// </summary>
    /// <param name="user">The user to return a flag for, indicating whether their telephone number is confirmed.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, returning true if the specified <paramref name="user"/> has a confirmed
    /// telephone number otherwise false.
    /// </returns>
    public virtual Task<bool> IsPhoneNumberConfirmedAsync(TUser user)
    {
        ThrowIfDisposed();
        var store = GetPhoneNumberStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
        return store.GetPhoneNumberConfirmedAsync(user, CancellationToken);
    }
 
    /// <summary>
    /// Generates a telephone number change token for the specified user.
    /// </summary>
    /// <param name="user">The user to generate a telephone number token for.</param>
    /// <param name="phoneNumber">The new phone number the validation token should be sent to.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, containing the telephone change number token.
    /// </returns>
    public virtual Task<string> GenerateChangePhoneNumberTokenAsync(TUser user, string phoneNumber)
    {
        ThrowIfDisposed();
        return GenerateUserTokenAsync(user, Options.Tokens.ChangePhoneNumberTokenProvider, ChangePhoneNumberTokenPurpose + ":" + phoneNumber);
    }
 
    /// <summary>
    /// Returns a flag indicating whether the specified <paramref name="user"/>'s phone number change verification
    /// token is valid for the given <paramref name="phoneNumber"/>.
    /// </summary>
    /// <param name="user">The user to validate the token against.</param>
    /// <param name="token">The telephone number change token to validate.</param>
    /// <param name="phoneNumber">The telephone number the token was generated for.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, returning true if the <paramref name="token"/>
    /// is valid, otherwise false.
    /// </returns>
    public virtual Task<bool> VerifyChangePhoneNumberTokenAsync(TUser user, string token, string phoneNumber)
    {
        ThrowIfDisposed();
        ArgumentNullThrowHelper.ThrowIfNull(user);
 
        // Make sure the token is valid and the stamp matches
        return VerifyUserTokenAsync(user, Options.Tokens.ChangePhoneNumberTokenProvider, ChangePhoneNumberTokenPurpose + ":" + phoneNumber, token);
    }
 
    /// <summary>
    /// Returns a flag indicating whether the specified <paramref name="token"/> is valid for
    /// the given <paramref name="user"/> and <paramref name="purpose"/>.
    /// </summary>
    /// <param name="user">The user to validate the token against.</param>
    /// <param name="tokenProvider">The token provider used to generate the token.</param>
    /// <param name="purpose">The purpose the token should be generated for.</param>
    /// <param name="token">The token to validate</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, returning true if the <paramref name="token"/>
    /// is valid, otherwise false.
    /// </returns>
    public virtual async Task<bool> VerifyUserTokenAsync(TUser user, string tokenProvider, string purpose, string token)
    {
        ThrowIfDisposed();
        ArgumentNullThrowHelper.ThrowIfNull(user);
        ArgumentNullThrowHelper.ThrowIfNull(tokenProvider);
 
        if (!_tokenProviders.TryGetValue(tokenProvider, out var provider))
        {
            throw new NotSupportedException(Resources.FormatNoTokenProvider(nameof(TUser), tokenProvider));
        }
        // Make sure the token is valid
        var result = await provider.ValidateAsync(purpose, token, this, user).ConfigureAwait(false);
 
        if (!result && Logger.IsEnabled(LogLevel.Debug))
        {
            Logger.LogDebug(LoggerEventIds.VerifyUserTokenFailed, "VerifyUserTokenAsync() failed with purpose: {purpose} for user.", purpose);
        }
        return result;
    }
 
    /// <summary>
    /// Generates a token for the given <paramref name="user"/> and <paramref name="purpose"/>.
    /// </summary>
    /// <param name="purpose">The purpose the token will be for.</param>
    /// <param name="user">The user the token will be for.</param>
    /// <param name="tokenProvider">The provider which will generate the token.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents result of the asynchronous operation, a token for
    /// the given user and purpose.
    /// </returns>
    public virtual Task<string> GenerateUserTokenAsync(TUser user, string tokenProvider, string purpose)
    {
        ThrowIfDisposed();
        ArgumentNullThrowHelper.ThrowIfNull(user);
        ArgumentNullThrowHelper.ThrowIfNull(tokenProvider);
 
        if (!_tokenProviders.TryGetValue(tokenProvider, out var provider))
        {
            throw new NotSupportedException(Resources.FormatNoTokenProvider(nameof(TUser), tokenProvider));
        }
 
        return provider.GenerateAsync(purpose, this, user);
    }
 
    /// <summary>
    /// Registers a token provider.
    /// </summary>
    /// <param name="providerName">The name of the provider to register.</param>
    /// <param name="provider">The provider to register.</param>
    public virtual void RegisterTokenProvider(string providerName, IUserTwoFactorTokenProvider<TUser> provider)
    {
        ThrowIfDisposed();
        ArgumentNullThrowHelper.ThrowIfNull(provider);
        _tokenProviders[providerName] = provider;
    }
 
    /// <summary>
    /// Gets a list of valid two factor token providers for the specified <paramref name="user"/>,
    /// as an asynchronous operation.
    /// </summary>
    /// <param name="user">The user the whose two factor authentication providers will be returned.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents result of the asynchronous operation, a list of two
    /// factor authentication providers for the specified user.
    /// </returns>
    public virtual async Task<IList<string>> GetValidTwoFactorProvidersAsync(TUser user)
    {
        ThrowIfDisposed();
        ArgumentNullThrowHelper.ThrowIfNull(user);
        var results = new List<string>();
        foreach (var f in _tokenProviders)
        {
            if (await f.Value.CanGenerateTwoFactorTokenAsync(this, user).ConfigureAwait(false))
            {
                results.Add(f.Key);
            }
        }
        return results;
    }
 
    /// <summary>
    /// Verifies the specified two factor authentication <paramref name="token" /> against the <paramref name="user"/>.
    /// </summary>
    /// <param name="user">The user the token is supposed to be for.</param>
    /// <param name="tokenProvider">The provider which will verify the token.</param>
    /// <param name="token">The token to verify.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents result of the asynchronous operation, true if the token is valid,
    /// otherwise false.
    /// </returns>
    public virtual async Task<bool> VerifyTwoFactorTokenAsync(TUser user, string tokenProvider, string token)
    {
        ThrowIfDisposed();
        ArgumentNullThrowHelper.ThrowIfNull(user);
        if (!_tokenProviders.TryGetValue(tokenProvider, out var provider))
        {
            throw new NotSupportedException(Resources.FormatNoTokenProvider(nameof(TUser), tokenProvider));
        }
 
        // Make sure the token is valid
        var result = await provider.ValidateAsync("TwoFactor", token, this, user).ConfigureAwait(false);
        if (!result)
        {
            Logger.LogDebug(LoggerEventIds.VerifyTwoFactorTokenFailed, $"{nameof(VerifyTwoFactorTokenAsync)}() failed for user.");
        }
        return result;
    }
 
    /// <summary>
    /// Gets a two factor authentication token for the specified <paramref name="user"/>.
    /// </summary>
    /// <param name="user">The user the token is for.</param>
    /// <param name="tokenProvider">The provider which will generate the token.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents result of the asynchronous operation, a two factor authentication token
    /// for the user.
    /// </returns>
    public virtual Task<string> GenerateTwoFactorTokenAsync(TUser user, string tokenProvider)
    {
        ThrowIfDisposed();
        ArgumentNullThrowHelper.ThrowIfNull(user);
        if (!_tokenProviders.TryGetValue(tokenProvider, out var provider))
        {
            throw new NotSupportedException(Resources.FormatNoTokenProvider(nameof(TUser), tokenProvider));
        }
 
        return provider.GenerateAsync("TwoFactor", this, user);
    }
 
    /// <summary>
    /// Returns a flag indicating whether the specified <paramref name="user"/> has two factor authentication enabled or not,
    /// as an asynchronous operation.
    /// </summary>
    /// <param name="user">The user whose two factor authentication enabled status should be retrieved.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, true if the specified <paramref name="user "/>
    /// has two factor authentication enabled, otherwise false.
    /// </returns>
    public virtual async Task<bool> GetTwoFactorEnabledAsync(TUser user)
    {
        ThrowIfDisposed();
        var store = GetUserTwoFactorStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
        return await store.GetTwoFactorEnabledAsync(user, CancellationToken).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Sets a flag indicating whether the specified <paramref name="user"/> has two factor authentication enabled or not,
    /// as an asynchronous operation.
    /// </summary>
    /// <param name="user">The user whose two factor authentication enabled status should be set.</param>
    /// <param name="enabled">A flag indicating whether the specified <paramref name="user"/> has two factor authentication enabled.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, the <see cref="IdentityResult"/> of the operation
    /// </returns>
    public virtual async Task<IdentityResult> SetTwoFactorEnabledAsync(TUser user, bool enabled)
    {
        ThrowIfDisposed();
        var store = GetUserTwoFactorStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
 
        await store.SetTwoFactorEnabledAsync(user, enabled, CancellationToken).ConfigureAwait(false);
        await UpdateSecurityStampInternal(user).ConfigureAwait(false);
        return await UpdateUserAsync(user).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Returns a flag indicating whether the specified <paramref name="user"/> is locked out,
    /// as an asynchronous operation.
    /// </summary>
    /// <param name="user">The user whose locked out status should be retrieved.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, true if the specified <paramref name="user "/>
    /// is locked out, otherwise false.
    /// </returns>
    public virtual async Task<bool> IsLockedOutAsync(TUser user)
    {
        ThrowIfDisposed();
        var store = GetUserLockoutStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
        if (!await store.GetLockoutEnabledAsync(user, CancellationToken).ConfigureAwait(false))
        {
            return false;
        }
        var lockoutTime = await store.GetLockoutEndDateAsync(user, CancellationToken).ConfigureAwait(false);
        return lockoutTime >= DateTimeOffset.UtcNow;
    }
 
    /// <summary>
    /// Sets a flag indicating whether the specified <paramref name="user"/> can be locked out,
    /// as an asynchronous operation.
    /// </summary>
    /// <param name="user">The user whose locked out status should be set.</param>
    /// <param name="enabled">Flag indicating whether the user can be locked out or not.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, the <see cref="IdentityResult"/> of the operation
    /// </returns>
    public virtual async Task<IdentityResult> SetLockoutEnabledAsync(TUser user, bool enabled)
    {
        ThrowIfDisposed();
        var store = GetUserLockoutStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
 
        await store.SetLockoutEnabledAsync(user, enabled, CancellationToken).ConfigureAwait(false);
        return await UpdateUserAsync(user).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Retrieves a flag indicating whether user lockout can be enabled for the specified user.
    /// </summary>
    /// <param name="user">The user whose ability to be locked out should be returned.</param>
    /// <returns>
    /// The <see cref="Task"/> that represents the asynchronous operation, true if a user can be locked out, otherwise false.
    /// </returns>
    public virtual async Task<bool> GetLockoutEnabledAsync(TUser user)
    {
        ThrowIfDisposed();
        var store = GetUserLockoutStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
        return await store.GetLockoutEnabledAsync(user, CancellationToken).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Gets the last <see cref="DateTimeOffset"/> a user's last lockout expired, if any.
    /// A time value in the past indicates a user is not currently locked out.
    /// </summary>
    /// <param name="user">The user whose lockout date should be retrieved.</param>
    /// <returns>
    /// A <see cref="Task{TResult}"/> that represents the lookup, a <see cref="DateTimeOffset"/> containing the last time a user's lockout expired, if any.
    /// </returns>
    public virtual async Task<DateTimeOffset?> GetLockoutEndDateAsync(TUser user)
    {
        ThrowIfDisposed();
        var store = GetUserLockoutStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
        return await store.GetLockoutEndDateAsync(user, CancellationToken).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Locks out a user until the specified end date has passed. Setting a end date in the past immediately unlocks a user.
    /// </summary>
    /// <param name="user">The user whose lockout date should be set.</param>
    /// <param name="lockoutEnd">The <see cref="DateTimeOffset"/> after which the <paramref name="user"/>'s lockout should end.</param>
    /// <returns>The <see cref="Task"/> that represents the asynchronous operation, containing the <see cref="IdentityResult"/> of the operation.</returns>
    public virtual async Task<IdentityResult> SetLockoutEndDateAsync(TUser user, DateTimeOffset? lockoutEnd)
    {
        ThrowIfDisposed();
        var store = GetUserLockoutStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
 
        if (!await store.GetLockoutEnabledAsync(user, CancellationToken).ConfigureAwait(false))
        {
            Logger.LogDebug(LoggerEventIds.LockoutFailed, "Lockout for user failed because lockout is not enabled for this user.");
            return IdentityResult.Failed(ErrorDescriber.UserLockoutNotEnabled());
        }
        await store.SetLockoutEndDateAsync(user, lockoutEnd, CancellationToken).ConfigureAwait(false);
        return await UpdateUserAsync(user).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Increments the access failed count for the user as an asynchronous operation.
    /// If the failed access account is greater than or equal to the configured maximum number of attempts,
    /// the user will be locked out for the configured lockout time span.
    /// </summary>
    /// <param name="user">The user whose failed access count to increment.</param>
    /// <returns>The <see cref="Task"/> that represents the asynchronous operation, containing the <see cref="IdentityResult"/> of the operation.</returns>
    public virtual async Task<IdentityResult> AccessFailedAsync(TUser user)
    {
        ThrowIfDisposed();
        var store = GetUserLockoutStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
 
        // If this puts the user over the threshold for lockout, lock them out and reset the access failed count
        var count = await store.IncrementAccessFailedCountAsync(user, CancellationToken).ConfigureAwait(false);
        if (count < Options.Lockout.MaxFailedAccessAttempts)
        {
            return await UpdateUserAsync(user).ConfigureAwait(false);
        }
        Logger.LogDebug(LoggerEventIds.UserLockedOut, "User is locked out.");
        await store.SetLockoutEndDateAsync(user, DateTimeOffset.UtcNow.Add(Options.Lockout.DefaultLockoutTimeSpan),
            CancellationToken).ConfigureAwait(false);
        await store.ResetAccessFailedCountAsync(user, CancellationToken).ConfigureAwait(false);
        return await UpdateUserAsync(user).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Resets the access failed count for the specified <paramref name="user"/>.
    /// </summary>
    /// <param name="user">The user whose failed access count should be reset.</param>
    /// <returns>The <see cref="Task"/> that represents the asynchronous operation, containing the <see cref="IdentityResult"/> of the operation.</returns>
    public virtual async Task<IdentityResult> ResetAccessFailedCountAsync(TUser user)
    {
        ThrowIfDisposed();
        var store = GetUserLockoutStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
 
        if (await GetAccessFailedCountAsync(user).ConfigureAwait(false) == 0)
        {
            return IdentityResult.Success;
        }
        await store.ResetAccessFailedCountAsync(user, CancellationToken).ConfigureAwait(false);
        return await UpdateUserAsync(user).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Retrieves the current number of failed accesses for the given <paramref name="user"/>.
    /// </summary>
    /// <param name="user">The user whose access failed count should be retrieved for.</param>
    /// <returns>The <see cref="Task"/> that contains the result the asynchronous operation, the current failed access count
    /// for the user.</returns>
    public virtual async Task<int> GetAccessFailedCountAsync(TUser user)
    {
        ThrowIfDisposed();
        var store = GetUserLockoutStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
        return await store.GetAccessFailedCountAsync(user, CancellationToken).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Returns a list of users from the user store who have the specified <paramref name="claim"/>.
    /// </summary>
    /// <param name="claim">The claim to look for.</param>
    /// <returns>
    /// A <see cref="Task{TResult}"/> that represents the result of the asynchronous query, a list of <typeparamref name="TUser"/>s who
    /// have the specified claim.
    /// </returns>
    public virtual Task<IList<TUser>> GetUsersForClaimAsync(Claim claim)
    {
        ThrowIfDisposed();
        var store = GetClaimStore();
        ArgumentNullThrowHelper.ThrowIfNull(claim);
        return store.GetUsersForClaimAsync(claim, CancellationToken);
    }
 
    /// <summary>
    /// Returns a list of users from the user store who are members of the specified <paramref name="roleName"/>.
    /// </summary>
    /// <param name="roleName">The name of the role whose users should be returned.</param>
    /// <returns>
    /// A <see cref="Task{TResult}"/> that represents the result of the asynchronous query, a list of <typeparamref name="TUser"/>s who
    /// are members of the specified role.
    /// </returns>
    public virtual Task<IList<TUser>> GetUsersInRoleAsync(string roleName)
    {
        ThrowIfDisposed();
        var store = GetUserRoleStore();
        ArgumentNullThrowHelper.ThrowIfNull(roleName);
 
        return store.GetUsersInRoleAsync(NormalizeName(roleName), CancellationToken);
    }
 
    /// <summary>
    /// Returns an authentication token for a user.
    /// </summary>
    /// <param name="user"></param>
    /// <param name="loginProvider">The authentication scheme for the provider the token is associated with.</param>
    /// <param name="tokenName">The name of the token.</param>
    /// <returns>The authentication token for a user</returns>
    public virtual Task<string?> GetAuthenticationTokenAsync(TUser user, string loginProvider, string tokenName)
    {
        ThrowIfDisposed();
        var store = GetAuthenticationTokenStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
        ArgumentNullThrowHelper.ThrowIfNull(loginProvider);
        ArgumentNullThrowHelper.ThrowIfNull(tokenName);
 
        return store.GetTokenAsync(user, loginProvider, tokenName, CancellationToken);
    }
 
    /// <summary>
    /// Sets an authentication token for a user.
    /// </summary>
    /// <param name="user"></param>
    /// <param name="loginProvider">The authentication scheme for the provider the token is associated with.</param>
    /// <param name="tokenName">The name of the token.</param>
    /// <param name="tokenValue">The value of the token.</param>
    /// <returns>Whether the user was successfully updated.</returns>
    public virtual async Task<IdentityResult> SetAuthenticationTokenAsync(TUser user, string loginProvider, string tokenName, string? tokenValue)
    {
        ThrowIfDisposed();
        var store = GetAuthenticationTokenStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
        ArgumentNullThrowHelper.ThrowIfNull(loginProvider);
        ArgumentNullThrowHelper.ThrowIfNull(tokenName);
 
        // REVIEW: should updating any tokens affect the security stamp?
        await store.SetTokenAsync(user, loginProvider, tokenName, tokenValue, CancellationToken).ConfigureAwait(false);
        return await UpdateUserAsync(user).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Remove an authentication token for a user.
    /// </summary>
    /// <param name="user"></param>
    /// <param name="loginProvider">The authentication scheme for the provider the token is associated with.</param>
    /// <param name="tokenName">The name of the token.</param>
    /// <returns>Whether a token was removed.</returns>
    public virtual async Task<IdentityResult> RemoveAuthenticationTokenAsync(TUser user, string loginProvider, string tokenName)
    {
        ThrowIfDisposed();
        var store = GetAuthenticationTokenStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
        ArgumentNullThrowHelper.ThrowIfNull(loginProvider);
        ArgumentNullThrowHelper.ThrowIfNull(tokenName);
 
        await store.RemoveTokenAsync(user, loginProvider, tokenName, CancellationToken).ConfigureAwait(false);
        return await UpdateUserAsync(user).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Returns the authenticator key for the user.
    /// </summary>
    /// <param name="user">The user.</param>
    /// <returns>The authenticator key</returns>
    public virtual Task<string?> GetAuthenticatorKeyAsync(TUser user)
    {
        ThrowIfDisposed();
        var store = GetAuthenticatorKeyStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
        return store.GetAuthenticatorKeyAsync(user, CancellationToken);
    }
 
    /// <summary>
    /// Resets the authenticator key for the user.
    /// </summary>
    /// <param name="user">The user.</param>
    /// <returns>Whether the user was successfully updated.</returns>
    public virtual async Task<IdentityResult> ResetAuthenticatorKeyAsync(TUser user)
    {
        ThrowIfDisposed();
        var store = GetAuthenticatorKeyStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
        await store.SetAuthenticatorKeyAsync(user, GenerateNewAuthenticatorKey(), CancellationToken).ConfigureAwait(false);
        await UpdateSecurityStampInternal(user).ConfigureAwait(false);
        return await UpdateAsync(user).ConfigureAwait(false);
    }
 
    /// <summary>
    /// Generates a new base32 encoded 160-bit security secret (size of SHA1 hash).
    /// </summary>
    /// <returns>The new security secret.</returns>
    public virtual string GenerateNewAuthenticatorKey()
        => NewSecurityStamp();
 
    /// <summary>
    /// Generates recovery codes for the user, this invalidates any previous recovery codes for the user.
    /// </summary>
    /// <param name="user">The user to generate recovery codes for.</param>
    /// <param name="number">The number of codes to generate.</param>
    /// <returns>The new recovery codes for the user.  Note: there may be less than number returned, as duplicates will be removed.</returns>
    public virtual async Task<IEnumerable<string>?> GenerateNewTwoFactorRecoveryCodesAsync(TUser user, int number)
    {
        ThrowIfDisposed();
        var store = GetRecoveryCodeStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
 
        var newCodes = new List<string>(number);
        for (var i = 0; i < number; i++)
        {
            newCodes.Add(CreateTwoFactorRecoveryCode());
        }
 
        await store.ReplaceCodesAsync(user, newCodes.Distinct(), CancellationToken).ConfigureAwait(false);
        var update = await UpdateAsync(user).ConfigureAwait(false);
        if (update.Succeeded)
        {
            return newCodes;
        }
        return null;
    }
 
    /// <summary>
    /// Generate a new recovery code.
    /// </summary>
    /// <returns></returns>
    protected virtual string CreateTwoFactorRecoveryCode()
    {
#if NET6_0_OR_GREATER
        return string.Create(11, 0, static (buffer, _) =>
        {
            buffer[10] = GetRandomRecoveryCodeChar();
            buffer[9] = GetRandomRecoveryCodeChar();
            buffer[8] = GetRandomRecoveryCodeChar();
            buffer[7] = GetRandomRecoveryCodeChar();
            buffer[6] = GetRandomRecoveryCodeChar();
            buffer[5] = '-';
            buffer[4] = GetRandomRecoveryCodeChar();
            buffer[3] = GetRandomRecoveryCodeChar();
            buffer[2] = GetRandomRecoveryCodeChar();
            buffer[1] = GetRandomRecoveryCodeChar();
            buffer[0] = GetRandomRecoveryCodeChar();
        });
#else
        var recoveryCode = new StringBuilder(11);
        recoveryCode.Append(GetRandomRecoveryCodeChar());
        recoveryCode.Append(GetRandomRecoveryCodeChar());
        recoveryCode.Append(GetRandomRecoveryCodeChar());
        recoveryCode.Append(GetRandomRecoveryCodeChar());
        recoveryCode.Append(GetRandomRecoveryCodeChar());
        recoveryCode.Append('-');
        recoveryCode.Append(GetRandomRecoveryCodeChar());
        recoveryCode.Append(GetRandomRecoveryCodeChar());
        recoveryCode.Append(GetRandomRecoveryCodeChar());
        recoveryCode.Append(GetRandomRecoveryCodeChar());
        recoveryCode.Append(GetRandomRecoveryCodeChar());
        return recoveryCode.ToString();
#endif
    }
 
    // We don't want to use any confusing characters like 0/O 1/I/L/l
    // Taken from windows valid product key source
    private static readonly char[] AllowedChars = "23456789BCDFGHJKMNPQRTVWXY".ToCharArray();
    private static char GetRandomRecoveryCodeChar()
    {
        // Based on RandomNumberGenerator implementation of GetInt32
        uint range = (uint)AllowedChars.Length - 1;
 
        // Create a mask for the bits that we care about for the range. The other bits will be
        // masked away.
        uint mask = range;
        mask |= mask >> 1;
        mask |= mask >> 2;
        mask |= mask >> 4;
        mask |= mask >> 8;
        mask |= mask >> 16;
 
#if NETCOREAPP
        Span<uint> resultBuffer = stackalloc uint[1];
#else
        var resultBuffer = new byte[1];
#endif
        uint result;
 
        do
        {
#if NETCOREAPP
            RandomNumberGenerator.Fill(MemoryMarshal.AsBytes(resultBuffer));
#else
            _rng.GetBytes(resultBuffer);
#endif
            result = mask & resultBuffer[0];
        }
        while (result > range);
 
        return AllowedChars[(int)result];
    }
 
    /// <summary>
    /// Returns whether a recovery code is valid for a user. Note: recovery codes are only valid
    /// once, and will be invalid after use.
    /// </summary>
    /// <param name="user">The user who owns the recovery code.</param>
    /// <param name="code">The recovery code to use.</param>
    /// <returns>True if the recovery code was found for the user.</returns>
    public virtual async Task<IdentityResult> RedeemTwoFactorRecoveryCodeAsync(TUser user, string code)
    {
        ThrowIfDisposed();
        var store = GetRecoveryCodeStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
 
        var success = await store.RedeemCodeAsync(user, code, CancellationToken).ConfigureAwait(false);
        if (success)
        {
            return await UpdateAsync(user).ConfigureAwait(false);
        }
        return IdentityResult.Failed(ErrorDescriber.RecoveryCodeRedemptionFailed());
    }
 
    /// <summary>
    /// Returns how many recovery code are still valid for a user.
    /// </summary>
    /// <param name="user">The user.</param>
    /// <returns>How many recovery code are still valid for a user.</returns>
    public virtual Task<int> CountRecoveryCodesAsync(TUser user)
    {
        ThrowIfDisposed();
        var store = GetRecoveryCodeStore();
        ArgumentNullThrowHelper.ThrowIfNull(user);
 
        return store.CountCodesAsync(user, CancellationToken);
    }
 
    /// <summary>
    /// Releases the unmanaged resources used by the role manager and optionally releases the managed resources.
    /// </summary>
    /// <param name="disposing">true to release both managed and unmanaged resources; false to release only unmanaged resources.</param>
    protected virtual void Dispose(bool disposing)
    {
        if (disposing && !_disposed)
        {
            Store.Dispose();
            _disposed = true;
        }
    }
 
    private IUserTwoFactorStore<TUser> GetUserTwoFactorStore()
    {
        var cast = Store as IUserTwoFactorStore<TUser>;
        if (cast == null)
        {
            throw new NotSupportedException(Resources.StoreNotIUserTwoFactorStore);
        }
        return cast;
    }
 
    private IUserLockoutStore<TUser> GetUserLockoutStore()
    {
        var cast = Store as IUserLockoutStore<TUser>;
        if (cast == null)
        {
            throw new NotSupportedException(Resources.StoreNotIUserLockoutStore);
        }
        return cast;
    }
 
    private IUserEmailStore<TUser> GetEmailStore()
    {
        if (Store is not IUserEmailStore<TUser> emailStore)
        {
            throw new NotSupportedException(Resources.StoreNotIUserEmailStore);
        }
        return emailStore;
    }
 
    private IUserEmailStore<TUser>? GetOptionalEmailStore()
    {
        return Store as IUserEmailStore<TUser>;
    }
 
    private IUserPhoneNumberStore<TUser> GetPhoneNumberStore()
    {
        var cast = Store as IUserPhoneNumberStore<TUser>;
        if (cast == null)
        {
            throw new NotSupportedException(Resources.StoreNotIUserPhoneNumberStore);
        }
        return cast;
    }
 
    /// <summary>
    /// Creates bytes to use as a security token from the user's security stamp.
    /// </summary>
    /// <param name="user">The user.</param>
    /// <returns>The security token bytes.</returns>
    public virtual async Task<byte[]> CreateSecurityTokenAsync(TUser user)
    {
        return Encoding.Unicode.GetBytes(await GetSecurityStampAsync(user).ConfigureAwait(false));
    }
 
    // Update the security stamp if the store supports it
    private async Task UpdateSecurityStampInternal(TUser user)
    {
        if (SupportsUserSecurityStamp)
        {
            await GetSecurityStore().SetSecurityStampAsync(user, NewSecurityStamp(), CancellationToken).ConfigureAwait(false);
        }
    }
 
    /// <summary>
    /// Updates a user's password hash.
    /// </summary>
    /// <param name="user">The user.</param>
    /// <param name="newPassword">The new password.</param>
    /// <param name="validatePassword">Whether to validate the password.</param>
    /// <returns>Whether the password has was successfully updated.</returns>
    protected virtual Task<IdentityResult> UpdatePasswordHash(TUser user, string newPassword, bool validatePassword)
        => UpdatePasswordHash(GetPasswordStore(), user, newPassword, validatePassword);
 
    private async Task<IdentityResult> UpdatePasswordHash(IUserPasswordStore<TUser> passwordStore,
        TUser user, string? newPassword, bool validatePassword = true)
    {
        if (validatePassword)
        {
            var validate = await ValidatePasswordAsync(user, newPassword).ConfigureAwait(false);
            if (!validate.Succeeded)
            {
                return validate;
            }
        }
        var hash = newPassword != null ? PasswordHasher.HashPassword(user, newPassword) : null;
        await passwordStore.SetPasswordHashAsync(user, hash, CancellationToken).ConfigureAwait(false);
        await UpdateSecurityStampInternal(user).ConfigureAwait(false);
        return IdentityResult.Success;
    }
 
    private IUserRoleStore<TUser> GetUserRoleStore()
    {
        var cast = Store as IUserRoleStore<TUser>;
        if (cast == null)
        {
            throw new NotSupportedException(Resources.StoreNotIUserRoleStore);
        }
        return cast;
    }
 
    private static string NewSecurityStamp()
    {
#if NETSTANDARD2_0 || NETFRAMEWORK
        byte[] bytes = new byte[20];
        _rng.GetBytes(bytes);
        return Base32.ToBase32(bytes);
#else
        return Base32.GenerateBase32();
#endif
    }
 
    // IUserLoginStore methods
    private IUserLoginStore<TUser> GetLoginStore()
    {
        var cast = Store as IUserLoginStore<TUser>;
        if (cast == null)
        {
            throw new NotSupportedException(Resources.StoreNotIUserLoginStore);
        }
        return cast;
    }
 
    private IUserSecurityStampStore<TUser> GetSecurityStore()
    {
        var cast = Store as IUserSecurityStampStore<TUser>;
        if (cast == null)
        {
            throw new NotSupportedException(Resources.StoreNotIUserSecurityStampStore);
        }
        return cast;
    }
 
    private IUserClaimStore<TUser> GetClaimStore()
    {
        var cast = Store as IUserClaimStore<TUser>;
        if (cast == null)
        {
            throw new NotSupportedException(Resources.StoreNotIUserClaimStore);
        }
        return cast;
    }
 
    /// <summary>
    /// Generates the token purpose used to change email.
    /// </summary>
    /// <param name="newEmail">The new email address.</param>
    /// <returns>The token purpose.</returns>
    public static string GetChangeEmailTokenPurpose(string newEmail) => "ChangeEmail:" + newEmail;
 
    /// <summary>
    /// Should return <see cref="IdentityResult.Success"/> if validation is successful. This is
    /// called before saving the user via Create or Update.
    /// </summary>
    /// <param name="user">The user</param>
    /// <returns>A <see cref="IdentityResult"/> representing whether validation was successful.</returns>
    protected async Task<IdentityResult> ValidateUserAsync(TUser user)
    {
        if (SupportsUserSecurityStamp)
        {
            var stamp = await GetSecurityStampAsync(user).ConfigureAwait(false);
            if (stamp == null)
            {
                throw new InvalidOperationException(Resources.NullSecurityStamp);
            }
        }
        List<IdentityError>? errors = null;
        foreach (var v in UserValidators)
        {
            var result = await v.ValidateAsync(this, user).ConfigureAwait(false);
            if (!result.Succeeded)
            {
                errors ??= new List<IdentityError>();
                errors.AddRange(result.Errors);
            }
        }
        if (errors?.Count > 0)
        {
            if (Logger.IsEnabled(LogLevel.Debug))
            {
                Logger.LogDebug(LoggerEventIds.UserValidationFailed, "User validation failed: {errors}.", string.Join(";", errors.Select(e => e.Code)));
            }
            return IdentityResult.Failed(errors);
        }
        return IdentityResult.Success;
    }
 
    /// <summary>
    /// Should return <see cref="IdentityResult.Success"/> if validation is successful. This is
    /// called before updating the password hash.
    /// </summary>
    /// <param name="user">The user.</param>
    /// <param name="password">The password.</param>
    /// <returns>A <see cref="IdentityResult"/> representing whether validation was successful.</returns>
    protected async Task<IdentityResult> ValidatePasswordAsync(TUser user, string? password)
    {
        List<IdentityError>? errors = null;
        var isValid = true;
        foreach (var v in PasswordValidators)
        {
            var result = await v.ValidateAsync(this, user, password).ConfigureAwait(false);
            if (!result.Succeeded)
            {
                if (result.Errors.Any())
                {
                    errors ??= new List<IdentityError>();
                    errors.AddRange(result.Errors);
                }
 
                isValid = false;
            }
        }
        if (!isValid)
        {
            if (Logger.IsEnabled(LogLevel.Debug))
            {
                Logger.LogDebug(LoggerEventIds.PasswordValidationFailed, "User password validation failed: {errors}.", string.Join(";", errors?.Select(e => e.Code) ?? Array.Empty<string>()));
            }
            return IdentityResult.Failed(errors);
        }
        return IdentityResult.Success;
    }
 
    /// <summary>
    /// Called to update the user after validating and updating the normalized email/user name.
    /// </summary>
    /// <param name="user">The user.</param>
    /// <returns>Whether the operation was successful.</returns>
    protected virtual async Task<IdentityResult> UpdateUserAsync(TUser user)
    {
        var result = await ValidateUserAsync(user).ConfigureAwait(false);
        if (!result.Succeeded)
        {
            return result;
        }
        await UpdateNormalizedUserNameAsync(user).ConfigureAwait(false);
        await UpdateNormalizedEmailAsync(user).ConfigureAwait(false);
        return await Store.UpdateAsync(user, CancellationToken).ConfigureAwait(false);
    }
 
    private IUserAuthenticatorKeyStore<TUser> GetAuthenticatorKeyStore()
    {
        var cast = Store as IUserAuthenticatorKeyStore<TUser>;
        if (cast == null)
        {
            throw new NotSupportedException(Resources.StoreNotIUserAuthenticatorKeyStore);
        }
        return cast;
    }
 
    private IUserTwoFactorRecoveryCodeStore<TUser> GetRecoveryCodeStore()
    {
        var cast = Store as IUserTwoFactorRecoveryCodeStore<TUser>;
        if (cast == null)
        {
            throw new NotSupportedException(Resources.StoreNotIUserTwoFactorRecoveryCodeStore);
        }
        return cast;
    }
 
    private IUserAuthenticationTokenStore<TUser> GetAuthenticationTokenStore()
    {
        var cast = Store as IUserAuthenticationTokenStore<TUser>;
        if (cast == null)
        {
            throw new NotSupportedException(Resources.StoreNotIUserAuthenticationTokenStore);
        }
        return cast;
    }
 
    private IUserPasswordStore<TUser> GetPasswordStore()
    {
        var cast = Store as IUserPasswordStore<TUser>;
        if (cast == null)
        {
            throw new NotSupportedException(Resources.StoreNotIUserPasswordStore);
        }
        return cast;
    }
 
    /// <summary>
    /// Throws if this class has been disposed.
    /// </summary>
    protected void ThrowIfDisposed()
    {
        ObjectDisposedThrowHelper.ThrowIf(_disposed, this);
    }
}