Does anyone have examples of a custom data protector token provider?
It seems to me the way it's done now is overly complex and results in very long URL's.
Typically we have just implemented the "code" flag to be a GUID value, and we would compare that GUID value to the generated time stamp in the database to ensure that A) The GUID is for the user ID in question, and B) that it has not expired
Whats wrong with a GUID and the expiration database check?
It results in much shorter URL's and is way easier to implement. Why all the complexity of RFC6238?