1 year ago
#362062
Bagzli
Forgot password token is not valid after 1 hour
I generate a forgot password token in the following way:
var code = await _userService.GeneratePasswordResetTokenAsync(user);
code = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(code));
var callbackUrl = $"{_websiteUrl}/Account/ResetPassword/?code={WebUtility.UrlEncode(code)}";
I then use it to reset the password in the following way:
var code = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(requestModel.Code));
var result = await _userService.ResetPasswordAsync(user, code, requestModel.Password);
return result.Succeeded;
Now if I run the code above, it works. The password gets reset and all is great. However, if I wait roughly one hour after generating the code and then use the token, I get InvalidToken from the ResetPasswordAsync method.
As I understand it, the default expiration time should be 24 hours. This should not be happening. The other thing is I tried to explicitly set the token to be 48 hours and it still becomes invalid after 1 hour.
In startup I have added this after .AddIdentity:
services.Configure<DataProtectionTokenProviderOptions>(o => o.TokenLifespan = TimeSpan.FromDays(2));
Is there something I am not aware of? I am using C# and .NET 6.0.
c#
identity
.net-6.0
0 Answers