diff --git a/IdentityRole.cs b/IdentityRole.cs
new file mode 100644
index 0000000..fb48863
--- /dev/null
+++ b/IdentityRole.cs
@@ -0,0 +1,49 @@
+using MongoDB.Bson;
+using MongoDB.Bson.Serialization.Attributes;
+
+namespace MongoDB.AspNet.Identity
+{
+    /// <summary>
+    /// Represents a role in the identity system.
+    /// </summary>
+    public class IdentityRole
+    {
+        /// <summary>
+        /// Gets or sets the unique identifier for this role.
+        /// </summary>
+        [BsonId]
+        [BsonRepresentation(BsonType.ObjectId)]
+        public virtual string Id { get; set; } = ObjectId.GenerateNewId().ToString();
+
+        /// <summary>
+        /// Gets or sets the name for this role.
+        /// </summary>
+        public virtual string? Name { get; set; }
+
+        /// <summary>
+        /// Gets or sets the normalized name for this role.
+        /// </summary>
+        public virtual string? NormalizedName { get; set; }
+
+        /// <summary>
+        /// Gets or sets a random value that should change when the role is persisted to the store.
+        /// </summary>
+        public virtual string? ConcurrencyStamp { get; set; } = Guid.NewGuid().ToString();
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="IdentityRole"/> class.
+        /// </summary>
+        public IdentityRole()
+        {
+        }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="IdentityRole"/> class with the specified role name.
+        /// </summary>
+        /// <param name="roleName">The role name.</param>
+        public IdentityRole(string roleName) : this()
+        {
+            Name = roleName;
+        }
+    }
+}
diff --git a/IdentityUser.cs b/IdentityUser.cs
index 01527e6..98a6adc 100644
--- a/IdentityUser.cs
+++ b/IdentityUser.cs
@@ -1,109 +1,124 @@
-using System;
-using System.Collections.Generic;
-using System.Threading.Tasks;
-using Microsoft.AspNet.Identity;
 using MongoDB.Bson;
 using MongoDB.Bson.Serialization.Attributes;
 
-
 namespace MongoDB.AspNet.Identity
 {
     /// <summary>
-    /// Class IdentityUser.
+    /// Represents a user in the identity system.
     /// </summary>
-    public class IdentityUser : IUser<string>
+    public class IdentityUser
     {
         /// <summary>
-        /// Unique key for the user
+        /// Gets or sets the unique identifier for this user.
         /// </summary>
-        /// <value>The identifier.</value>
-        /// <returns>The unique key for the user</returns>
         [BsonId]
         [BsonRepresentation(BsonType.ObjectId)]
-	    public virtual string Id { get; set; }
+        public virtual string Id { get; set; } = null!;
+
         /// <summary>
-        /// Gets or sets the name of the user.
+        /// Gets or sets the user name for this user.
         /// </summary>
-        /// <value>The name of the user.</value>
-		public virtual string UserName { get; set; }
+        public virtual string? UserName { get; set; }
+
         /// <summary>
-        /// Gets or sets the password hash.
+        /// Gets or sets the normalized user name for this user.
         /// </summary>
-        /// <value>The password hash.</value>
-		public virtual string PasswordHash { get; set; }
+        public virtual string? NormalizedUserName { get; set; }
+
         /// <summary>
-        /// Gets or sets the security stamp.
+        /// Gets or sets the email address for this user.
         /// </summary>
-        /// <value>The security stamp.</value>
-		public virtual string SecurityStamp { get; set; }
+        public virtual string? Email { get; set; }
+
         /// <summary>
-        /// Gets the roles.
+        /// Gets or sets the normalized email address for this user.
         /// </summary>
-        /// <value>The roles.</value>
-		public virtual List<string> Roles { get; private set; }
+        public virtual string? NormalizedEmail { get; set; }
+
         /// <summary>
-        /// Gets the claims.
+        /// Gets or sets a flag indicating if the email address has been confirmed.
         /// </summary>
-        /// <value>The claims.</value>
-		public virtual List<IdentityUserClaim> Claims { get; private set; }
+        public virtual bool EmailConfirmed { get; set; }
+
         /// <summary>
-        /// Gets the logins.
+        /// Gets or sets the password hash for this user.
         /// </summary>
-        /// <value>The logins.</value>
-		public virtual List<UserLoginInfo> Logins { get; private set; }
+        public virtual string? PasswordHash { get; set; }
 
         /// <summary>
-        /// Gets the phone number
+        /// Gets or sets a random value that should change when a user's credentials change.
         /// </summary>
-        public virtual string PhoneNumber { get; set; }
+        public virtual string? SecurityStamp { get; set; }
 
         /// <summary>
-        /// Gets Email address
+        /// Gets or sets a random value that should change when a user is persisted to the store.
         /// </summary>
-        public virtual string Email { get; set; }
+        public virtual string? ConcurrencyStamp { get; set; } = Guid.NewGuid().ToString();
 
         /// <summary>
-        /// 
+        /// Gets or sets the phone number for this user.
         /// </summary>
-        public virtual bool EmailConfirmed { get; set; }
+        public virtual string? PhoneNumber { get; set; }
+
+        /// <summary>
+        /// Gets or sets a flag indicating if the phone number has been confirmed.
+        /// </summary>
+        public virtual bool PhoneNumberConfirmed { get; set; }
 
         /// <summary>
-        /// 
+        /// Gets or sets a flag indicating if two factor authentication is enabled for this user.
         /// </summary>
-        public DateTime? LockoutEndDateUtc { get; set; } = DateTime.Now.ToUniversalTime();
+        public virtual bool TwoFactorEnabled { get; set; }
 
         /// <summary>
-        /// 
+        /// Gets or sets the date and time when any user lockout ends.
         /// </summary>
-        public int AccessFailedCount { get; set; }
+        public virtual DateTimeOffset? LockoutEnd { get; set; }
 
         /// <summary>
-        /// 
+        /// Gets or sets a flag indicating if lockout is enabled for this user.
         /// </summary>
-        public bool LockoutEnabled { get; set; }
+        public virtual bool LockoutEnabled { get; set; }
 
         /// <summary>
-        /// 
+        /// Gets or sets the number of failed login attempts for this user.
         /// </summary>
-        public bool TwoFactorEnabled { get; set; }
+        public virtual int AccessFailedCount { get; set; }
+
+        /// <summary>
+        /// Gets the roles for this user.
+        /// </summary>
+        public virtual List<string> Roles { get; private set; } = new List<string>();
+
+        /// <summary>
+        /// Gets the claims for this user.
+        /// </summary>
+        public virtual List<IdentityUserClaim> Claims { get; private set; } = new List<IdentityUserClaim>();
+
+        /// <summary>
+        /// Gets the logins for this user.
+        /// </summary>
+        public virtual List<IdentityUserLogin> Logins { get; private set; } = new List<IdentityUserLogin>();
+
+        /// <summary>
+        /// Gets the authentication tokens for this user.
+        /// </summary>
+        public virtual List<IdentityUserToken> Tokens { get; private set; } = new List<IdentityUserToken>();
 
         /// <summary>
         /// Initializes a new instance of the <see cref="IdentityUser"/> class.
         /// </summary>
         public IdentityUser()
-		{
-			this.Claims = new List<IdentityUserClaim>();
-			this.Roles = new List<string>();
-			this.Logins = new List<UserLoginInfo>();
-		}
+        {
+        }
 
         /// <summary>
-        /// Initializes a new instance of the <see cref="IdentityUser"/> class.
+        /// Initializes a new instance of the <see cref="IdentityUser"/> class with the specified user name.
         /// </summary>
-        /// <param name="userName">Name of the user.</param>
-		public IdentityUser(string userName) : this()
-		{
-			this.UserName = userName;
-		}
-	}
+        /// <param name="userName">The user name.</param>
+        public IdentityUser(string userName) : this()
+        {
+            UserName = userName;
+        }
+    }
 }
diff --git a/IdentityUserClaim.cs b/IdentityUserClaim.cs
index 2482390..7b01788 100644
--- a/IdentityUserClaim.cs
+++ b/IdentityUserClaim.cs
@@ -1,35 +1,39 @@
-using MongoDB.Bson;
-using MongoDB.Bson.Serialization.Attributes;
+using System.Security.Claims;
 
 namespace MongoDB.AspNet.Identity
 {
     /// <summary>
-    /// Class IdentityUserClaim.
+    /// Represents a claim that a user possesses.
     /// </summary>
     public class IdentityUserClaim
     {
         /// <summary>
-        /// Gets or sets the identifier.
+        /// Gets or sets the claim type for this claim.
         /// </summary>
-        /// <value>The identifier.</value>
-        [BsonId]
-        [BsonRepresentation(BsonType.ObjectId)]
-        public virtual string Id { get; set; }
+        public virtual string ClaimType { get; set; } = null!;
+
         /// <summary>
-        /// Gets or sets the user identifier.
+        /// Gets or sets the claim value for this claim.
         /// </summary>
-        /// <value>The user identifier.</value>
-        public virtual string UserId { get; set; }
+        public virtual string? ClaimValue { get; set; }
+
         /// <summary>
-        /// Gets or sets the type of the claim.
+        /// Converts the entity into a Claim instance.
         /// </summary>
-        /// <value>The type of the claim.</value>
-        public virtual string ClaimType { get; set; }
+        /// <returns>A <see cref="Claim"/> representing the claim.</returns>
+        public virtual Claim ToClaim()
+        {
+            return new Claim(ClaimType, ClaimValue ?? string.Empty);
+        }
+
         /// <summary>
-        /// Gets or sets the claim value.
+        /// Initializes this instance from the specified claim.
         /// </summary>
-        /// <value>The claim value.</value>
-        public virtual string ClaimValue { get; set; }
-        
+        /// <param name="claim">The claim to initialize from.</param>
+        public virtual void InitializeFromClaim(Claim claim)
+        {
+            ClaimType = claim.Type;
+            ClaimValue = claim.Value;
+        }
     }
-}
\ No newline at end of file
+}
diff --git a/IdentityUserLogin.cs b/IdentityUserLogin.cs
new file mode 100644
index 0000000..074935c
--- /dev/null
+++ b/IdentityUserLogin.cs
@@ -0,0 +1,23 @@
+namespace MongoDB.AspNet.Identity
+{
+    /// <summary>
+    /// Represents a login and its associated provider for a user.
+    /// </summary>
+    public class IdentityUserLogin
+    {
+        /// <summary>
+        /// Gets or sets the login provider (e.g., google, facebook, twitter).
+        /// </summary>
+        public virtual string LoginProvider { get; set; } = null!;
+
+        /// <summary>
+        /// Gets or sets the unique identifier for this login provided by the login provider.
+        /// </summary>
+        public virtual string ProviderKey { get; set; } = null!;
+
+        /// <summary>
+        /// Gets or sets the friendly name used in a UI for this login.
+        /// </summary>
+        public virtual string? ProviderDisplayName { get; set; }
+    }
+}
diff --git a/IdentityUserToken.cs b/IdentityUserToken.cs
new file mode 100644
index 0000000..7622d54
--- /dev/null
+++ b/IdentityUserToken.cs
@@ -0,0 +1,23 @@
+namespace MongoDB.AspNet.Identity
+{
+    /// <summary>
+    /// Represents an authentication token for a user.
+    /// </summary>
+    public class IdentityUserToken
+    {
+        /// <summary>
+        /// Gets or sets the login provider this token is from.
+        /// </summary>
+        public virtual string LoginProvider { get; set; } = null!;
+
+        /// <summary>
+        /// Gets or sets the name of the token.
+        /// </summary>
+        public virtual string Name { get; set; } = null!;
+
+        /// <summary>
+        /// Gets or sets the value of the token.
+        /// </summary>
+        public virtual string? Value { get; set; }
+    }
+}
diff --git a/MigrationHelper.cs b/MigrationHelper.cs
new file mode 100644
index 0000000..efd8674
--- /dev/null
+++ b/MigrationHelper.cs
@@ -0,0 +1,383 @@
+using MongoDB.Bson;
+using MongoDB.Driver;
+
+namespace MongoDB.AspNet.Identity
+{
+    /// <summary>
+    /// Handles automatic migration of legacy ASP.NET Identity documents to ASP.NET Core Identity format
+    /// and ensures proper indexes exist.
+    /// </summary>
+    public static class MigrationHelper
+    {
+        private const string MigrationCollectionName = "_IdentityMigrations";
+        private const string UsersMigrationKey = "AspNetUsers_v2";
+        private const string RolesMigrationKey = "AspNetRoles_v2";
+
+        /// <summary>
+        /// Ensures the users collection is migrated and indexed.
+        /// This method is idempotent and safe to call multiple times.
+        /// </summary>
+        /// <typeparam name="TUser">The user type.</typeparam>
+        /// <param name="database">The MongoDB database.</param>
+        /// <param name="collectionName">The users collection name.</param>
+        /// <param name="cancellationToken">Cancellation token.</param>
+        public static async Task EnsureUsersMigratedAsync<TUser>(
+            IMongoDatabase database,
+            string collectionName = "AspNetUsers",
+            CancellationToken cancellationToken = default)
+            where TUser : IdentityUser
+        {
+            if (await IsMigrationCompletedAsync(database, UsersMigrationKey, cancellationToken))
+            {
+                return;
+            }
+
+            var collection = database.GetCollection<BsonDocument>(collectionName);
+
+            // Migrate documents that don't have NormalizedUserName
+            await MigrateUsersAsync(collection, cancellationToken);
+
+            // Create indexes
+            await CreateUserIndexesAsync(collection, cancellationToken);
+
+            // Mark migration as complete
+            await MarkMigrationCompletedAsync(database, UsersMigrationKey, cancellationToken);
+        }
+
+        /// <summary>
+        /// Ensures the roles collection is migrated and indexed.
+        /// This method is idempotent and safe to call multiple times.
+        /// </summary>
+        /// <param name="database">The MongoDB database.</param>
+        /// <param name="collectionName">The roles collection name.</param>
+        /// <param name="cancellationToken">Cancellation token.</param>
+        public static async Task EnsureRolesMigratedAsync(
+            IMongoDatabase database,
+            string collectionName = "AspNetRoles",
+            CancellationToken cancellationToken = default)
+        {
+            if (await IsMigrationCompletedAsync(database, RolesMigrationKey, cancellationToken))
+            {
+                return;
+            }
+
+            var collection = database.GetCollection<BsonDocument>(collectionName);
+
+            // Migrate documents that don't have NormalizedName
+            await MigrateRolesAsync(collection, cancellationToken);
+
+            // Create indexes
+            await CreateRoleIndexesAsync(collection, cancellationToken);
+
+            // Mark migration as complete
+            await MarkMigrationCompletedAsync(database, RolesMigrationKey, cancellationToken);
+        }
+
+        private static async Task<bool> IsMigrationCompletedAsync(
+            IMongoDatabase database,
+            string migrationKey,
+            CancellationToken cancellationToken)
+        {
+            var migrationCollection = database.GetCollection<BsonDocument>(MigrationCollectionName);
+            var filter = Builders<BsonDocument>.Filter.Eq("_id", migrationKey);
+            var doc = await migrationCollection.Find(filter).FirstOrDefaultAsync(cancellationToken);
+            return doc != null;
+        }
+
+        private static async Task MarkMigrationCompletedAsync(
+            IMongoDatabase database,
+            string migrationKey,
+            CancellationToken cancellationToken)
+        {
+            var migrationCollection = database.GetCollection<BsonDocument>(MigrationCollectionName);
+            var doc = new BsonDocument
+            {
+                { "_id", migrationKey },
+                { "completedAt", DateTime.UtcNow },
+                { "version", "2.0.0" }
+            };
+
+            await migrationCollection.ReplaceOneAsync(
+                Builders<BsonDocument>.Filter.Eq("_id", migrationKey),
+                doc,
+                new ReplaceOptions { IsUpsert = true },
+                cancellationToken);
+        }
+
+        private static async Task MigrateUsersAsync(
+            IMongoCollection<BsonDocument> collection,
+            CancellationToken cancellationToken)
+        {
+            // Find all documents that need migration (NormalizedUserName doesn't exist or is null)
+            var filter = Builders<BsonDocument>.Filter.Or(
+                Builders<BsonDocument>.Filter.Exists("NormalizedUserName", false),
+                Builders<BsonDocument>.Filter.Eq("NormalizedUserName", BsonNull.Value)
+            );
+
+            var cursor = await collection.FindAsync(filter, cancellationToken: cancellationToken);
+            var batch = new List<WriteModel<BsonDocument>>();
+
+            await cursor.ForEachAsync(doc =>
+            {
+                var updates = new List<UpdateDefinition<BsonDocument>>();
+
+                // Normalize UserName
+                if (doc.Contains("UserName") && doc["UserName"] != BsonNull.Value)
+                {
+                    var userName = doc["UserName"].AsString;
+                    updates.Add(Builders<BsonDocument>.Update.Set("NormalizedUserName", userName.ToUpperInvariant()));
+                }
+
+                // Normalize Email
+                if (doc.Contains("Email") && doc["Email"] != BsonNull.Value)
+                {
+                    var email = doc["Email"].AsString;
+                    updates.Add(Builders<BsonDocument>.Update.Set("NormalizedEmail", email.ToUpperInvariant()));
+                }
+
+                // Convert LockoutEndDateUtc to LockoutEnd if it exists
+                if (doc.Contains("LockoutEndDateUtc") && doc["LockoutEndDateUtc"] != BsonNull.Value)
+                {
+                    var lockoutEndUtc = doc["LockoutEndDateUtc"].ToUniversalTime();
+                    updates.Add(Builders<BsonDocument>.Update.Set("LockoutEnd", lockoutEndUtc));
+                    updates.Add(Builders<BsonDocument>.Update.Unset("LockoutEndDateUtc"));
+                }
+
+                // Add ConcurrencyStamp if missing
+                if (!doc.Contains("ConcurrencyStamp") || doc["ConcurrencyStamp"] == BsonNull.Value)
+                {
+                    updates.Add(Builders<BsonDocument>.Update.Set("ConcurrencyStamp", Guid.NewGuid().ToString()));
+                }
+
+                // Add PhoneNumberConfirmed if missing
+                if (!doc.Contains("PhoneNumberConfirmed"))
+                {
+                    updates.Add(Builders<BsonDocument>.Update.Set("PhoneNumberConfirmed", false));
+                }
+
+                // Initialize Tokens array if missing
+                if (!doc.Contains("Tokens"))
+                {
+                    updates.Add(Builders<BsonDocument>.Update.Set("Tokens", new BsonArray()));
+                }
+
+                // Migrate Logins from UserLoginInfo format to IdentityUserLogin format
+                if (doc.Contains("Logins") && doc["Logins"].IsBsonArray)
+                {
+                    var logins = doc["Logins"].AsBsonArray;
+                    var migratedLogins = new BsonArray();
+                    var needsLoginMigration = false;
+
+                    foreach (var login in logins)
+                    {
+                        if (login.IsBsonDocument)
+                        {
+                            var loginDoc = login.AsBsonDocument;
+                            // Check if it's old format (has ProviderKey but no ProviderDisplayName might be missing)
+                            if (!loginDoc.Contains("ProviderDisplayName"))
+                            {
+                                needsLoginMigration = true;
+                                loginDoc["ProviderDisplayName"] = loginDoc.Contains("LoginProvider")
+                                    ? loginDoc["LoginProvider"]
+                                    : BsonNull.Value;
+                            }
+                            migratedLogins.Add(loginDoc);
+                        }
+                    }
+
+                    if (needsLoginMigration)
+                    {
+                        updates.Add(Builders<BsonDocument>.Update.Set("Logins", migratedLogins));
+                    }
+                }
+
+                if (updates.Count > 0)
+                {
+                    var combinedUpdate = Builders<BsonDocument>.Update.Combine(updates);
+                    batch.Add(new UpdateOneModel<BsonDocument>(
+                        Builders<BsonDocument>.Filter.Eq("_id", doc["_id"]),
+                        combinedUpdate));
+                }
+            }, cancellationToken);
+
+            if (batch.Count > 0)
+            {
+                await collection.BulkWriteAsync(batch, cancellationToken: cancellationToken);
+            }
+        }
+
+        private static async Task MigrateRolesAsync(
+            IMongoCollection<BsonDocument> collection,
+            CancellationToken cancellationToken)
+        {
+            // Find all documents that need migration
+            var filter = Builders<BsonDocument>.Filter.Or(
+                Builders<BsonDocument>.Filter.Exists("NormalizedName", false),
+                Builders<BsonDocument>.Filter.Eq("NormalizedName", BsonNull.Value)
+            );
+
+            var cursor = await collection.FindAsync(filter, cancellationToken: cancellationToken);
+            var batch = new List<WriteModel<BsonDocument>>();
+
+            await cursor.ForEachAsync(doc =>
+            {
+                var updates = new List<UpdateDefinition<BsonDocument>>();
+
+                // Normalize Name
+                if (doc.Contains("Name") && doc["Name"] != BsonNull.Value)
+                {
+                    var name = doc["Name"].AsString;
+                    updates.Add(Builders<BsonDocument>.Update.Set("NormalizedName", name.ToUpperInvariant()));
+                }
+
+                // Add ConcurrencyStamp if missing
+                if (!doc.Contains("ConcurrencyStamp") || doc["ConcurrencyStamp"] == BsonNull.Value)
+                {
+                    updates.Add(Builders<BsonDocument>.Update.Set("ConcurrencyStamp", Guid.NewGuid().ToString()));
+                }
+
+                if (updates.Count > 0)
+                {
+                    var combinedUpdate = Builders<BsonDocument>.Update.Combine(updates);
+                    batch.Add(new UpdateOneModel<BsonDocument>(
+                        Builders<BsonDocument>.Filter.Eq("_id", doc["_id"]),
+                        combinedUpdate));
+                }
+            }, cancellationToken);
+
+            if (batch.Count > 0)
+            {
+                await collection.BulkWriteAsync(batch, cancellationToken: cancellationToken);
+            }
+        }
+
+        private static async Task CreateUserIndexesAsync(
+            IMongoCollection<BsonDocument> collection,
+            CancellationToken cancellationToken)
+        {
+            var indexes = new List<CreateIndexModel<BsonDocument>>
+            {
+                // Unique index on NormalizedUserName for fast username lookups
+                // Using partial filter to only index non-null values (allows multiple users without NormalizedUserName during migration)
+                new CreateIndexModel<BsonDocument>(
+                    Builders<BsonDocument>.IndexKeys.Ascending("NormalizedUserName"),
+                    new CreateIndexOptions<BsonDocument>
+                    {
+                        Unique = true,
+                        Name = "IX_NormalizedUserName",
+                        PartialFilterExpression = Builders<BsonDocument>.Filter.And(
+                            Builders<BsonDocument>.Filter.Exists("NormalizedUserName"),
+                            Builders<BsonDocument>.Filter.Type("NormalizedUserName", BsonType.String))
+                    }),
+
+                // Unique index on NormalizedEmail for email lookups
+                new CreateIndexModel<BsonDocument>(
+                    Builders<BsonDocument>.IndexKeys.Ascending("NormalizedEmail"),
+                    new CreateIndexOptions<BsonDocument>
+                    {
+                        Unique = true,
+                        Name = "IX_NormalizedEmail",
+                        PartialFilterExpression = Builders<BsonDocument>.Filter.And(
+                            Builders<BsonDocument>.Filter.Exists("NormalizedEmail"),
+                            Builders<BsonDocument>.Filter.Type("NormalizedEmail", BsonType.String))
+                    }),
+
+                // Compound index on Logins for external login lookups
+                new CreateIndexModel<BsonDocument>(
+                    Builders<BsonDocument>.IndexKeys
+                        .Ascending("Logins.LoginProvider")
+                        .Ascending("Logins.ProviderKey"),
+                    new CreateIndexOptions { Sparse = true, Name = "IX_Logins" }),
+
+                // Index on Roles for GetUsersInRole queries
+                new CreateIndexModel<BsonDocument>(
+                    Builders<BsonDocument>.IndexKeys.Ascending("Roles"),
+                    new CreateIndexOptions { Sparse = true, Name = "IX_Roles" }),
+
+                // Index on Claims for GetUsersForClaim queries
+                new CreateIndexModel<BsonDocument>(
+                    Builders<BsonDocument>.IndexKeys
+                        .Ascending("Claims.ClaimType")
+                        .Ascending("Claims.ClaimValue"),
+                    new CreateIndexOptions { Sparse = true, Name = "IX_Claims" })
+            };
+
+            try
+            {
+                await collection.Indexes.CreateManyAsync(indexes, cancellationToken);
+            }
+            catch (MongoCommandException ex) when (ex.Code == 85 || ex.Code == 86)
+            {
+                // Index already exists with different options - try to create individually
+                foreach (var index in indexes)
+                {
+                    try
+                    {
+                        await collection.Indexes.CreateOneAsync(index, cancellationToken: cancellationToken);
+                    }
+                    catch (MongoCommandException)
+                    {
+                        // Index exists, skip
+                    }
+                }
+            }
+        }
+
+        private static async Task CreateRoleIndexesAsync(
+            IMongoCollection<BsonDocument> collection,
+            CancellationToken cancellationToken)
+        {
+            var indexes = new List<CreateIndexModel<BsonDocument>>
+            {
+                // Unique index on NormalizedName for fast role lookups
+                // Using partial filter to only index non-null values
+                new CreateIndexModel<BsonDocument>(
+                    Builders<BsonDocument>.IndexKeys.Ascending("NormalizedName"),
+                    new CreateIndexOptions<BsonDocument>
+                    {
+                        Unique = true,
+                        Name = "IX_NormalizedName",
+                        PartialFilterExpression = Builders<BsonDocument>.Filter.And(
+                            Builders<BsonDocument>.Filter.Exists("NormalizedName"),
+                            Builders<BsonDocument>.Filter.Type("NormalizedName", BsonType.String))
+                    })
+            };
+
+            try
+            {
+                await collection.Indexes.CreateManyAsync(indexes, cancellationToken);
+            }
+            catch (MongoCommandException ex) when (ex.Code == 85 || ex.Code == 86)
+            {
+                // Index already exists with different options
+                foreach (var index in indexes)
+                {
+                    try
+                    {
+                        await collection.Indexes.CreateOneAsync(index, cancellationToken: cancellationToken);
+                    }
+                    catch (MongoCommandException)
+                    {
+                        // Index exists, skip
+                    }
+                }
+            }
+        }
+
+        /// <summary>
+        /// Forces re-running the migration by clearing the migration markers.
+        /// Use this if you need to re-migrate after schema changes.
+        /// </summary>
+        /// <param name="database">The MongoDB database.</param>
+        /// <param name="cancellationToken">Cancellation token.</param>
+        public static async Task ResetMigrationAsync(
+            IMongoDatabase database,
+            CancellationToken cancellationToken = default)
+        {
+            var migrationCollection = database.GetCollection<BsonDocument>(MigrationCollectionName);
+            await migrationCollection.DeleteManyAsync(
+                Builders<BsonDocument>.Filter.Empty,
+                cancellationToken);
+        }
+    }
+}
diff --git a/MongoDB.AspNet.Identity.csproj b/MongoDB.AspNet.Identity.csproj
index 38b1801..9c9dc81 100644
--- a/MongoDB.AspNet.Identity.csproj
+++ b/MongoDB.AspNet.Identity.csproj
@@ -1,127 +1,51 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="12.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+<Project Sdk="Microsoft.NET.Sdk">
+
   <PropertyGroup>
-    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
-    <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
-    <ProductVersion>
-    </ProductVersion>
-    <SchemaVersion>2.0</SchemaVersion>
-    <ProjectGuid>{0FF87680-235F-4231-8302-9BF6FCAC7476}</ProjectGuid>
-    <ProjectTypeGuids>{349c5851-65df-11da-9384-00065b846f21};{fae04ec0-301f-11d3-bf4b-00c04f79efbc}</ProjectTypeGuids>
-    <OutputType>Library</OutputType>
-    <AppDesignerFolder>Properties</AppDesignerFolder>
-    <RootNamespace>MongoDB.AspNet.Identity</RootNamespace>
-    <AssemblyName>MongoDB.AspNet.Identity</AssemblyName>
-    <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
-    <UseIISExpress>true</UseIISExpress>
-    <IISExpressSSLPort />
-    <IISExpressAnonymousAuthentication />
-    <IISExpressWindowsAuthentication />
-    <IISExpressUseClassicPipelineMode />
-    <TargetFrameworkProfile />
-    <UseGlobalApplicationHostFile />
+    <TargetFramework>net8.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <GenerateDocumentationFile>true</GenerateDocumentationFile>
+
+    <!-- Package Information -->
+    <PackageId>Rammi.MongoDb.AspNet.Identity</PackageId>
+    <Version>2.0.0</Version>
+    <Authors>Jonathan Sheely, Rammi</Authors>
+    <Company>InspectorIT</Company>
+    <Description>ASP.NET Core Identity provider for MongoDB. Allows you to use MongoDB as the storage for ASP.NET Core Identity.</Description>
+    <PackageTags>aspnet;identity;mongodb;aspnetcore</PackageTags>
+    <PackageLicenseExpression>MIT</PackageLicenseExpression>
+    <RepositoryUrl>https://github.com/rammicz/MongoDB.AspNet.Identity</RepositoryUrl>
+    <RepositoryType>git</RepositoryType>
+
+    <!-- Assembly Information -->
+    <AssemblyTitle>MongoDB.AspNet.Identity</AssemblyTitle>
+    <AssemblyVersion>2.0.0.0</AssemblyVersion>
+    <FileVersion>2.0.0.0</FileVersion>
   </PropertyGroup>
-  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
-    <DebugSymbols>true</DebugSymbols>
-    <DebugType>full</DebugType>
-    <Optimize>false</Optimize>
-    <OutputPath>bin\</OutputPath>
-    <DefineConstants>DEBUG;TRACE</DefineConstants>
-    <ErrorReport>prompt</ErrorReport>
-    <WarningLevel>4</WarningLevel>
-    <DocumentationFile>bin\MongoDB.AspNet.Identity.XML</DocumentationFile>
-  </PropertyGroup>
-  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
-    <DebugType>pdbonly</DebugType>
-    <Optimize>true</Optimize>
-    <OutputPath>bin\</OutputPath>
-    <DefineConstants>TRACE</DefineConstants>
-    <ErrorReport>prompt</ErrorReport>
-    <WarningLevel>4</WarningLevel>
-    <DocumentationFile>bin\MongoDB.AspNet.Identity.XML</DocumentationFile>
-  </PropertyGroup>
-  <ItemGroup>
-    <Reference Include="Microsoft.AspNet.Identity.Core, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
-      <HintPath>packages\Microsoft.AspNet.Identity.Core.2.2.1\lib\net45\Microsoft.AspNet.Identity.Core.dll</HintPath>
-      <Private>True</Private>
-    </Reference>
-    <Reference Include="MongoDB.Bson, Version=2.4.3.23, Culture=neutral, processorArchitecture=MSIL">
-      <HintPath>packages\MongoDB.Bson.2.4.3\lib\net45\MongoDB.Bson.dll</HintPath>
-      <Private>True</Private>
-    </Reference>
-    <Reference Include="MongoDB.Driver, Version=2.4.3.23, Culture=neutral, processorArchitecture=MSIL">
-      <HintPath>packages\MongoDB.Driver.2.4.3\lib\net45\MongoDB.Driver.dll</HintPath>
-      <Private>True</Private>
-    </Reference>
-    <Reference Include="MongoDB.Driver.Core, Version=2.4.3.23, Culture=neutral, processorArchitecture=MSIL">
-      <HintPath>packages\MongoDB.Driver.Core.2.4.3\lib\net45\MongoDB.Driver.Core.dll</HintPath>
-      <Private>True</Private>
-    </Reference>
-    <Reference Include="MongoDB.Driver.Legacy, Version=2.4.3.23, Culture=neutral, processorArchitecture=MSIL">
-      <HintPath>packages\mongocsharpdriver.2.4.3\lib\net45\MongoDB.Driver.Legacy.dll</HintPath>
-      <Private>True</Private>
-    </Reference>
-    <Reference Include="System.ComponentModel.DataAnnotations" />
-    <Reference Include="System" />
-    <Reference Include="System.Data" />
-    <Reference Include="System.Data.DataSetExtensions" />
-    <Reference Include="System.Runtime.InteropServices.RuntimeInformation, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
-      <HintPath>packages\System.Runtime.InteropServices.RuntimeInformation.4.0.0\lib\net45\System.Runtime.InteropServices.RuntimeInformation.dll</HintPath>
-      <Private>True</Private>
-    </Reference>
-    <Reference Include="System.Web.ApplicationServices" />
-    <Reference Include="System.Web.DynamicData" />
-    <Reference Include="System.Web.Entity" />
-    <Reference Include="System.Web.Extensions" />
-    <Reference Include="System.Configuration" />
-    <Reference Include="System.Xml.Linq" />
-  </ItemGroup>
+
   <ItemGroup>
-    <Compile Include="IdentityUser.cs" />
-    <Compile Include="IdentityUserClaim.cs" />
-    <Compile Include="Properties\AssemblyInfo.cs" />
-    <Compile Include="UserStore.cs" />
-    <Compile Include="Utils.cs" />
+    <PackageReference Include="Microsoft.Extensions.Identity.Core" Version="8.0.0" />
+    <PackageReference Include="MongoDB.Driver" Version="2.28.0" />
   </ItemGroup>
+
+  <!-- Exclude TestApplication, nuget, tests, and samples folders from compilation -->
   <ItemGroup>
-    <Content Include="packages.config">
-      <SubType>Designer</SubType>
-    </Content>
+    <Compile Remove="TestApplication\**" />
+    <Content Remove="TestApplication\**" />
+    <EmbeddedResource Remove="TestApplication\**" />
+    <None Remove="TestApplication\**" />
+    <Compile Remove="nuget\**" />
+    <Content Remove="nuget\**" />
+    <EmbeddedResource Remove="nuget\**" />
+    <None Remove="nuget\**" />
+    <Compile Remove="tests\**" />
+    <Content Remove="tests\**" />
+    <EmbeddedResource Remove="tests\**" />
+    <None Remove="tests\**" />
+    <Compile Remove="samples\**" />
+    <Content Remove="samples\**" />
+    <EmbeddedResource Remove="samples\**" />
+    <None Remove="samples\**" />
   </ItemGroup>
-  <ItemGroup>
-    <None Include="Properties\PublishProfiles\MongoDbAspNetIdentity.pubxml" />
-  </ItemGroup>
-  <PropertyGroup>
-    <VisualStudioVersion Condition="'$(VisualStudioVersion)' == ''">10.0</VisualStudioVersion>
-    <VSToolsPath Condition="'$(VSToolsPath)' == ''">$(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion)</VSToolsPath>
-  </PropertyGroup>
-  <Import Project="$(MSBuildBinPath)\Microsoft.CSharp.targets" />
-  <Import Project="$(VSToolsPath)\WebApplications\Microsoft.WebApplication.targets" Condition="'$(VSToolsPath)' != ''" />
-  <Import Project="$(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v10.0\WebApplications\Microsoft.WebApplication.targets" Condition="false" />
-  <ProjectExtensions>
-    <VisualStudio>
-      <FlavorProperties GUID="{349c5851-65df-11da-9384-00065b846f21}">
-        <WebProjectProperties>
-          <UseIIS>True</UseIIS>
-          <AutoAssignPort>True</AutoAssignPort>
-          <DevelopmentServerPort>50949</DevelopmentServerPort>
-          <DevelopmentServerVPath>/</DevelopmentServerVPath>
-          <IISUrl>http://localhost:50890/</IISUrl>
-          <NTLMAuthentication>False</NTLMAuthentication>
-          <UseCustomServer>False</UseCustomServer>
-          <CustomServerUrl>
-          </CustomServerUrl>
-          <SaveServerSettingsInUserFile>False</SaveServerSettingsInUserFile>
-        </WebProjectProperties>
-      </FlavorProperties>
-    </VisualStudio>
-  </ProjectExtensions>
-  <!-- To modify your build process, add your task inside one of the targets below and uncomment it. 
-       Other similar extension points exist, see Microsoft.Common.targets.
-  <Target Name="BeforeBuild">
-  </Target>
-  <Target Name="AfterBuild">
-  </Target>
-  -->
-</Project>
\ No newline at end of file
+
+</Project>
diff --git a/MongoDB.AspNet.Identity.nuspec b/MongoDB.AspNet.Identity.nuspec
deleted file mode 100644
index c2e3d05..0000000
--- a/MongoDB.AspNet.Identity.nuspec
+++ /dev/null
@@ -1,27 +0,0 @@
-<?xml version="1.0"?>
-<package >
-  <metadata>
-    <id>MongoDB.AspNet.Identity</id>
-    <version>1.0.7</version>
-    <authors>jsheely, sitebro</authors>
-    <owners>Jonathan Sheely</owners>
-    <licenseUrl>https://raw.githubusercontent.com/InspectorIT/MongoDB.AspNet.Identity/master/LICENSE</licenseUrl>
-    <projectUrl>https://github.com/InspectorIT/MongoDB.AspNet.Identity</projectUrl>
-    <iconUrl>https://www.nuget.org/Content/Images/packageDefaultIcon-50x50.png</iconUrl>
-    <requireLicenseAcceptance>true</requireLicenseAcceptance>
-    <description>ASP.NET MVC 5 shipped with a new Identity system (in the Microsoft.AspNet.Identity.Core package) in order to support both local login and remote logins via OpenID/OAuth, but only ships with an Entity Framework provider (Microsoft.AspNet.Identity.EntityFramework).
-MongoDB.AspNet.Identity is a MongoDB backend provider that is a nearly in place replacement for the EF version. This library has been built to work with the mongocsharpdriver compatibility .NET driver provided by the MongoDB team.</description>
-    <releaseNotes>
-     Version 1.0.7
--	Added properties to IdentityUser required by the default UserManager bundled with the default ASP.NET MVC5 template
--	Implemented IUserStore, IUserEmailStore, IUserLockoutStore
-</releaseNotes>
-    <copyright>Copyright 2017</copyright>
-    <tags>mongodb mongocsharpdriver identity mvc5</tags>
-    <dependencies>
-      <dependency id="Microsoft.AspNet.Identity.Core" version="2.2.1" />
-      <dependency id="mongocsharpdriver" version="2.4.3" />
-      <dependency id="System.Runtime.InteropServices.RuntimeInformation" version="4.3.0" />
-    </dependencies>
-  </metadata>
-</package>
\ No newline at end of file
diff --git a/MongoDB.AspNet.Identity.sln b/MongoDB.AspNet.Identity.sln
index 6d66dd8..f33498e 100644
--- a/MongoDB.AspNet.Identity.sln
+++ b/MongoDB.AspNet.Identity.sln
@@ -1,28 +1,42 @@
 
 Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio 14
-VisualStudioVersion = 14.0.25420.1
+# Visual Studio Version 17
+VisualStudioVersion = 17.0.31903.59
 MinimumVisualStudioVersion = 10.0.40219.1
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "MongoDB.AspNet.Identity", "MongoDB.AspNet.Identity.csproj", "{0FF87680-235F-4231-8302-9BF6FCAC7476}"
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "MongoDB.AspNet.Identity", "MongoDB.AspNet.Identity.csproj", "{3E953EAB-8C00-43EE-9C0F-1605EA1BC65F}"
 EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "TestApplication", "TestApplication\TestApplication.csproj", "{4EF07067-48A5-4303-849A-9D800F482E31}"
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "tests", "tests", "{64A9AD03-6DE1-4DA5-A3F4-F802A2B80BAB}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "MongoDB.AspNet.Identity.Tests", "tests\MongoDB.AspNet.Identity.Tests\MongoDB.AspNet.Identity.Tests.csproj", "{001FC7E2-ADE3-4E11-90B0-81BACE08D399}"
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "samples", "samples", "{704F9CA5-3EC4-437A-8092-23BCC4C7D08E}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SampleWebApp", "samples\SampleWebApp\SampleWebApp.csproj", "{F0CCA591-D4FF-441E-8D35-8E399F7FFEC6}"
 EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
 		Release|Any CPU = Release|Any CPU
 	EndGlobalSection
-	GlobalSection(ProjectConfigurationPlatforms) = postSolution
-		{0FF87680-235F-4231-8302-9BF6FCAC7476}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{0FF87680-235F-4231-8302-9BF6FCAC7476}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{0FF87680-235F-4231-8302-9BF6FCAC7476}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{0FF87680-235F-4231-8302-9BF6FCAC7476}.Release|Any CPU.Build.0 = Release|Any CPU
-		{4EF07067-48A5-4303-849A-9D800F482E31}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{4EF07067-48A5-4303-849A-9D800F482E31}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{4EF07067-48A5-4303-849A-9D800F482E31}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{4EF07067-48A5-4303-849A-9D800F482E31}.Release|Any CPU.Build.0 = Release|Any CPU
-	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
 	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{3E953EAB-8C00-43EE-9C0F-1605EA1BC65F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{3E953EAB-8C00-43EE-9C0F-1605EA1BC65F}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{3E953EAB-8C00-43EE-9C0F-1605EA1BC65F}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{3E953EAB-8C00-43EE-9C0F-1605EA1BC65F}.Release|Any CPU.Build.0 = Release|Any CPU
+		{001FC7E2-ADE3-4E11-90B0-81BACE08D399}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{001FC7E2-ADE3-4E11-90B0-81BACE08D399}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{001FC7E2-ADE3-4E11-90B0-81BACE08D399}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{001FC7E2-ADE3-4E11-90B0-81BACE08D399}.Release|Any CPU.Build.0 = Release|Any CPU
+		{F0CCA591-D4FF-441E-8D35-8E399F7FFEC6}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{F0CCA591-D4FF-441E-8D35-8E399F7FFEC6}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{F0CCA591-D4FF-441E-8D35-8E399F7FFEC6}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{F0CCA591-D4FF-441E-8D35-8E399F7FFEC6}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(NestedProjects) = preSolution
+		{001FC7E2-ADE3-4E11-90B0-81BACE08D399} = {64A9AD03-6DE1-4DA5-A3F4-F802A2B80BAB}
+		{F0CCA591-D4FF-441E-8D35-8E399F7FFEC6} = {704F9CA5-3EC4-437A-8092-23BCC4C7D08E}
+	EndGlobalSection
 EndGlobal
diff --git a/Properties/AssemblyInfo.cs b/Properties/AssemblyInfo.cs
deleted file mode 100644
index a1608b7..0000000
--- a/Properties/AssemblyInfo.cs
+++ /dev/null
@@ -1,35 +0,0 @@
-using System.Reflection;
-using System.Runtime.CompilerServices;
-using System.Runtime.InteropServices;
-
-// General Information about an assembly is controlled through the following 
-// set of attributes. Change these attribute values to modify the information
-// associated with an assembly.
-[assembly: AssemblyTitle("MongoDB.AspNet.Identity")]
-[assembly: AssemblyDescription("")]
-[assembly: AssemblyConfiguration("")]
-[assembly: AssemblyCompany("InspectorIT by Jonathan Sheely")]
-[assembly: AssemblyProduct("MongoDB.AspNet.Identity")]
-[assembly: AssemblyCopyright("Copyright ©  2017")]
-[assembly: AssemblyTrademark("")]
-[assembly: AssemblyCulture("")]
-
-// Setting ComVisible to false makes the types in this assembly not visible 
-// to COM components.  If you need to access a type in this assembly from 
-// COM, set the ComVisible attribute to true on that type.
-[assembly: ComVisible(false)]
-
-// The following GUID is for the ID of the typelib if this project is exposed to COM
-[assembly: Guid("9e1632ab-d097-465f-a9a6-9285d24d008a")]
-
-// Version information for an assembly consists of the following four values:
-//
-//      Major Version
-//      Minor Version 
-//      Build Number
-//      Revision
-//
-// You can specify all the values or you can default the Revision and Build Numbers 
-// by using the '*' as shown below:
-[assembly: AssemblyVersion("1.0.7.0")]
-[assembly: AssemblyFileVersion("1.0.7.0")]
diff --git a/RoleStore.cs b/RoleStore.cs
new file mode 100644
index 0000000..9be3d6c
--- /dev/null
+++ b/RoleStore.cs
@@ -0,0 +1,186 @@
+using Microsoft.AspNetCore.Identity;
+using MongoDB.Bson;
+using MongoDB.Driver;
+
+namespace MongoDB.AspNet.Identity
+{
+    /// <summary>
+    /// Represents a new instance of a persistence store for roles, using MongoDB.
+    /// </summary>
+    public class RoleStore : IRoleStore<IdentityRole>, IQueryableRoleStore<IdentityRole>
+    {
+        private readonly IMongoDatabase _database;
+        private bool _disposed;
+        private bool _migrationEnsured;
+        private readonly SemaphoreSlim _migrationLock = new(1, 1);
+
+        private const string CollectionName = "AspNetRoles";
+
+        private IMongoCollection<IdentityRole> RolesCollection => _database.GetCollection<IdentityRole>(CollectionName);
+
+        /// <summary>
+        /// Gets an <see cref="IQueryable{IdentityRole}"/> of roles.
+        /// </summary>
+        public IQueryable<IdentityRole> Roles => RolesCollection.AsQueryable();
+
+        /// <summary>
+        /// Initializes a new instance of <see cref="RoleStore"/> using the specified MongoDB database.
+        /// </summary>
+        /// <param name="database">The MongoDB database to use.</param>
+        public RoleStore(IMongoDatabase database)
+        {
+            _database = database ?? throw new ArgumentNullException(nameof(database));
+        }
+
+        #region Migration
+
+        private async Task EnsureMigrationAsync(CancellationToken cancellationToken)
+        {
+            if (_migrationEnsured) return;
+
+            await _migrationLock.WaitAsync(cancellationToken);
+            try
+            {
+                if (_migrationEnsured) return;
+
+                await MigrationHelper.EnsureRolesMigratedAsync(_database, CollectionName, cancellationToken);
+                _migrationEnsured = true;
+            }
+            finally
+            {
+                _migrationLock.Release();
+            }
+        }
+
+        #endregion
+
+        /// <inheritdoc/>
+        public async Task<IdentityResult> CreateAsync(IdentityRole role, CancellationToken cancellationToken = default)
+        {
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(role);
+
+            await EnsureMigrationAsync(cancellationToken);
+            await RolesCollection.InsertOneAsync(role, cancellationToken: cancellationToken);
+            return IdentityResult.Success;
+        }
+
+        /// <inheritdoc/>
+        public async Task<IdentityResult> DeleteAsync(IdentityRole role, CancellationToken cancellationToken = default)
+        {
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(role);
+
+            await RolesCollection.DeleteOneAsync(
+                Builders<IdentityRole>.Filter.Eq(r => r.Id, role.Id),
+                cancellationToken);
+            return IdentityResult.Success;
+        }
+
+        /// <inheritdoc/>
+        public async Task<IdentityRole?> FindByIdAsync(string roleId, CancellationToken cancellationToken = default)
+        {
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+
+            await EnsureMigrationAsync(cancellationToken);
+            return await RolesCollection
+                .Find(Builders<IdentityRole>.Filter.Eq(r => r.Id, roleId))
+                .FirstOrDefaultAsync(cancellationToken);
+        }
+
+        /// <inheritdoc/>
+        public async Task<IdentityRole?> FindByNameAsync(string normalizedRoleName, CancellationToken cancellationToken = default)
+        {
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+
+            await EnsureMigrationAsync(cancellationToken);
+            return await RolesCollection
+                .Find(Builders<IdentityRole>.Filter.Eq(r => r.NormalizedName, normalizedRoleName))
+                .FirstOrDefaultAsync(cancellationToken);
+        }
+
+        /// <inheritdoc/>
+        public Task<string?> GetNormalizedRoleNameAsync(IdentityRole role, CancellationToken cancellationToken = default)
+        {
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(role);
+
+            return Task.FromResult(role.NormalizedName);
+        }
+
+        /// <inheritdoc/>
+        public Task<string> GetRoleIdAsync(IdentityRole role, CancellationToken cancellationToken = default)
+        {
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(role);
+
+            return Task.FromResult(role.Id);
+        }
+
+        /// <inheritdoc/>
+        public Task<string?> GetRoleNameAsync(IdentityRole role, CancellationToken cancellationToken = default)
+        {
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(role);
+
+            return Task.FromResult(role.Name);
+        }
+
+        /// <inheritdoc/>
+        public Task SetNormalizedRoleNameAsync(IdentityRole role, string? normalizedName, CancellationToken cancellationToken = default)
+        {
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(role);
+
+            role.NormalizedName = normalizedName;
+            return Task.CompletedTask;
+        }
+
+        /// <inheritdoc/>
+        public Task SetRoleNameAsync(IdentityRole role, string? roleName, CancellationToken cancellationToken = default)
+        {
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(role);
+
+            role.Name = roleName;
+            return Task.CompletedTask;
+        }
+
+        /// <inheritdoc/>
+        public async Task<IdentityResult> UpdateAsync(IdentityRole role, CancellationToken cancellationToken = default)
+        {
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(role);
+
+            await RolesCollection.ReplaceOneAsync(
+                Builders<IdentityRole>.Filter.Eq(r => r.Id, role.Id),
+                role,
+                new ReplaceOptions { IsUpsert = false },
+                cancellationToken);
+
+            return IdentityResult.Success;
+        }
+
+        /// <inheritdoc/>
+        public void Dispose()
+        {
+            _disposed = true;
+            GC.SuppressFinalize(this);
+        }
+
+        protected void ThrowIfDisposed()
+        {
+            ObjectDisposedException.ThrowIf(_disposed, this);
+        }
+    }
+}
diff --git a/UserStore.cs b/UserStore.cs
index 94fee2d..f07ca96 100644
--- a/UserStore.cs
+++ b/UserStore.cs
@@ -1,719 +1,808 @@
-using System;
-using System.Collections.Generic;
-using System.Configuration;
-using System.Linq;
 using System.Security.Claims;
-using System.Threading.Tasks;
-using Microsoft.AspNet.Identity;
+using Microsoft.AspNetCore.Identity;
 using MongoDB.Bson;
 using MongoDB.Driver;
 
 namespace MongoDB.AspNet.Identity
 {
     /// <summary>
-    ///     Class UserStore.
+    /// Represents a new instance of a persistence store for users, using MongoDB.
     /// </summary>
-    /// <typeparam name="TUser">The type of the t user.</typeparam>
+    /// <typeparam name="TUser">The type representing a user.</typeparam>
     public class UserStore<TUser> :
         IUserStore<TUser>,
-        IUserLoginStore<TUser>, 
-        IUserClaimStore<TUser>, 
+        IUserLoginStore<TUser>,
+        IUserClaimStore<TUser>,
         IUserRoleStore<TUser>,
-        IUserPasswordStore<TUser>, 
+        IUserPasswordStore<TUser>,
         IUserSecurityStampStore<TUser>,
         IUserEmailStore<TUser>,
-        IUserLockoutStore<TUser, string>,
-        IUserTwoFactorStore<TUser, string>
+        IUserLockoutStore<TUser>,
+        IUserTwoFactorStore<TUser>,
+        IUserPhoneNumberStore<TUser>,
+        IUserAuthenticationTokenStore<TUser>,
+        IQueryableUserStore<TUser>
         where TUser : IdentityUser
     {
-        #region Private Methods & Variables
+        private readonly IMongoDatabase _database;
+        private bool _disposed;
+        private bool _migrationEnsured;
+        private readonly SemaphoreSlim _migrationLock = new(1, 1);
 
         /// <summary>
-        ///     The database
+        /// The default collection name for users.
         /// </summary>
-        private readonly IMongoDatabase db;
+        private const string CollectionName = "AspNetUsers";
 
         /// <summary>
-        ///     The _disposed
+        /// Gets the users collection.
         /// </summary>
-        private bool _disposed;
+        private IMongoCollection<TUser> UsersCollection => _database.GetCollection<TUser>(CollectionName);
 
         /// <summary>
-        /// The AspNetUsers collection name
+        /// Gets an <see cref="IQueryable{TUser}"/> of users.
         /// </summary>
-        private const string collectionName = "AspNetUsers";
+        public IQueryable<TUser> Users => UsersCollection.AsQueryable();
 
         /// <summary>
-        ///     Gets the database from connection string.
+        /// Initializes a new instance of <see cref="UserStore{TUser}"/> using the specified MongoDB connection string.
         /// </summary>
-        /// <param name="connectionString">The connection string.</param>
-        /// <returns>MongoDatabase.</returns>
-        /// <exception cref="System.Exception">No database name specified in connection string</exception>
-        private IMongoDatabase GetDatabaseFromSqlStyle(string connectionString)
+        /// <param name="connectionString">The MongoDB connection string (must include database name).</param>
+        public UserStore(string connectionString)
         {
             var mongoUrl = new MongoUrl(connectionString);
-            MongoClientSettings settings = MongoClientSettings.FromUrl(mongoUrl);
-            IMongoClient client = new MongoClient(settings);
-            if (mongoUrl.DatabaseName == null)
+            if (string.IsNullOrEmpty(mongoUrl.DatabaseName))
             {
-                throw new Exception("No database name specified in connection string");
+                throw new ArgumentException("The connection string must include a database name.", nameof(connectionString));
             }
-            return client.GetDatabase(mongoUrl.DatabaseName);
-        }
 
-        /// <summary>
-        ///     Gets the database from URL.
-        /// </summary>
-        /// <param name="url">The URL.</param>
-        /// <returns>MongoDatabase.</returns>
-        private IMongoDatabase GetDatabaseFromUrl(MongoUrl url)
-        {
-            IMongoClient client = new MongoClient(url);
-            if (url.DatabaseName == null)
-            {
-                throw new Exception("No database name specified in connection string");
-            }
-            return client.GetDatabase(url.DatabaseName); // WriteConcern defaulted to Acknowledged
+            var client = new MongoClient(mongoUrl);
+            _database = client.GetDatabase(mongoUrl.DatabaseName);
         }
 
         /// <summary>
-        ///     Uses connectionString to connect to server and then uses databae name specified.
+        /// Initializes a new instance of <see cref="UserStore{TUser}"/> using the specified MongoDB connection string and database name.
         /// </summary>
-        /// <param name="connectionString">The connection string.</param>
-        /// <param name="dbName">Name of the database.</param>
-        /// <returns>MongoDatabase.</returns>
-        private IMongoDatabase GetDatabase(string connectionString, string dbName)
+        /// <param name="connectionString">The MongoDB connection string.</param>
+        /// <param name="databaseName">The name of the database.</param>
+        public UserStore(string connectionString, string databaseName)
         {
             var client = new MongoClient(connectionString);
-            return client.GetDatabase(dbName);
+            _database = client.GetDatabase(databaseName);
         }
 
-        #endregion
-
-        #region Constructors
-        
         /// <summary>
-        ///     Initializes a new instance of the <see cref="UserStore{TUser}" /> class. Uses DefaultConnection name if none was
-        ///     specified.
+        /// Initializes a new instance of <see cref="UserStore{TUser}"/> using an existing MongoDB database.
         /// </summary>
-        public UserStore() 
-            : this("DefaultConnection")
+        /// <param name="database">The MongoDB database to use.</param>
+        public UserStore(IMongoDatabase database)
         {
+            _database = database ?? throw new ArgumentNullException(nameof(database));
         }
 
+        #region Migration
+
         /// <summary>
-        ///     Initializes a new instance of the <see cref="UserStore{TUser}" /> class. Uses name from ConfigurationManager or a
-        ///     mongodb:// Url.
+        /// Ensures migration has been run. This is called automatically on first database access.
         /// </summary>
-        /// <param name="connectionNameOrUrl">The connection name or URL.</param>
-        public UserStore(string connectionNameOrUrl)
+        private async Task EnsureMigrationAsync(CancellationToken cancellationToken)
         {
-            if (connectionNameOrUrl.ToLower().StartsWith("mongodb://"))
+            if (_migrationEnsured) return;
+
+            await _migrationLock.WaitAsync(cancellationToken);
+            try
             {
-                db = GetDatabaseFromUrl(new MongoUrl(connectionNameOrUrl));
+                if (_migrationEnsured) return;
+
+                await MigrationHelper.EnsureUsersMigratedAsync<TUser>(_database, CollectionName, cancellationToken);
+                _migrationEnsured = true;
             }
-            else
+            finally
             {
-                string connStringFromManager =
-                    ConfigurationManager.ConnectionStrings[connectionNameOrUrl].ConnectionString;
-                db = connStringFromManager.ToLower().StartsWith("mongodb://") 
-                    ? GetDatabaseFromUrl(new MongoUrl(connStringFromManager)) 
-                    : GetDatabaseFromSqlStyle(connStringFromManager);
+                _migrationLock.Release();
             }
         }
 
-        /// <summary>
-        ///     Initializes a new instance of the <see cref="UserStore{TUser}" /> class. Uses name from ConfigurationManager or a
-        ///     mongodb:// Url.
-        ///     Database can be specified separately from connection server.
-        /// </summary>
-        /// <param name="connectionNameOrUrl">The connection name or URL.</param>
-        /// <param name="dbName">Name of the database.</param>
-        public UserStore(string connectionNameOrUrl, string dbName)
+        #endregion
+
+        #region IUserStore
+
+        /// <inheritdoc/>
+        public async Task<IdentityResult> CreateAsync(TUser user, CancellationToken cancellationToken = default)
         {
-            if (connectionNameOrUrl.ToLower().StartsWith("mongodb://"))
-            {
-                db = GetDatabase(connectionNameOrUrl, dbName);
-            }
-            else
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(user);
+
+            await EnsureMigrationAsync(cancellationToken);
+            await UsersCollection.InsertOneAsync(user, cancellationToken: cancellationToken);
+            return IdentityResult.Success;
+        }
+
+        /// <inheritdoc/>
+        public async Task<IdentityResult> DeleteAsync(TUser user, CancellationToken cancellationToken = default)
+        {
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(user);
+
+            await UsersCollection.DeleteOneAsync(
+                Builders<TUser>.Filter.Eq("_id", ObjectId.Parse(user.Id)),
+                cancellationToken);
+            return IdentityResult.Success;
+        }
+
+        /// <inheritdoc/>
+        public async Task<TUser?> FindByIdAsync(string userId, CancellationToken cancellationToken = default)
+        {
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+
+            if (!ObjectId.TryParse(userId, out var objectId))
             {
-                db = GetDatabase(ConfigurationManager.ConnectionStrings[connectionNameOrUrl].ConnectionString, dbName);
+                return null;
             }
+
+            await EnsureMigrationAsync(cancellationToken);
+            return await UsersCollection
+                .Find(Builders<TUser>.Filter.Eq("_id", objectId))
+                .FirstOrDefaultAsync(cancellationToken);
         }
 
-        /// <summary>
-        /// Initializes a new instance of the <see cref="UserStore{TUser}"/> class using a already initialized Mongo Database.
-        /// </summary>
-        /// <param name="mongoDatabase">The mongo database.</param>
-        public UserStore(IMongoDatabase mongoDatabase)
+        /// <inheritdoc/>
+        public async Task<TUser?> FindByNameAsync(string normalizedUserName, CancellationToken cancellationToken = default)
         {
-            db = mongoDatabase;
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+
+            await EnsureMigrationAsync(cancellationToken);
+            return await UsersCollection
+                .Find(Builders<TUser>.Filter.Eq(u => u.NormalizedUserName, normalizedUserName))
+                .FirstOrDefaultAsync(cancellationToken);
+        }
+
+        /// <inheritdoc/>
+        public Task<string?> GetNormalizedUserNameAsync(TUser user, CancellationToken cancellationToken = default)
+        {
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(user);
+
+            return Task.FromResult(user.NormalizedUserName);
+        }
+
+        /// <inheritdoc/>
+        public Task<string> GetUserIdAsync(TUser user, CancellationToken cancellationToken = default)
+        {
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(user);
+
+            return Task.FromResult(user.Id);
+        }
+
+        /// <inheritdoc/>
+        public Task<string?> GetUserNameAsync(TUser user, CancellationToken cancellationToken = default)
+        {
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(user);
+
+            return Task.FromResult(user.UserName);
+        }
+
+        /// <inheritdoc/>
+        public Task SetNormalizedUserNameAsync(TUser user, string? normalizedName, CancellationToken cancellationToken = default)
+        {
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(user);
+
+            user.NormalizedUserName = normalizedName;
+            return Task.CompletedTask;
+        }
+
+        /// <inheritdoc/>
+        public Task SetUserNameAsync(TUser user, string? userName, CancellationToken cancellationToken = default)
+        {
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(user);
+
+            user.UserName = userName;
+            return Task.CompletedTask;
+        }
+
+        /// <inheritdoc/>
+        public async Task<IdentityResult> UpdateAsync(TUser user, CancellationToken cancellationToken = default)
+        {
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(user);
+
+            user.ConcurrencyStamp = Guid.NewGuid().ToString();
+
+            await UsersCollection.ReplaceOneAsync(
+                Builders<TUser>.Filter.Eq("_id", ObjectId.Parse(user.Id)),
+                user,
+                new ReplaceOptions { IsUpsert = false },
+                cancellationToken);
+
+            return IdentityResult.Success;
         }
 
         #endregion
 
-        #region Methods
+        #region IUserLoginStore
 
-        /// <summary>
-        ///     Adds the claim asynchronous.
-        /// </summary>
-        /// <param name="user">The user.</param>
-        /// <param name="claim">The claim.</param>
-        /// <returns>Task.</returns>
-        /// <exception cref="System.ArgumentNullException">user</exception>
-        public Task AddClaimAsync(TUser user, Claim claim)
+        /// <inheritdoc/>
+        public Task AddLoginAsync(TUser user, UserLoginInfo login, CancellationToken cancellationToken = default)
         {
+            cancellationToken.ThrowIfCancellationRequested();
             ThrowIfDisposed();
-            if (user == null)
-                throw new ArgumentNullException("user");
+            ArgumentNullException.ThrowIfNull(user);
+            ArgumentNullException.ThrowIfNull(login);
 
-            if (!user.Claims.Any(x => x.ClaimType == claim.Type && x.ClaimValue == claim.Value))
+            if (!user.Logins.Any(x => x.LoginProvider == login.LoginProvider && x.ProviderKey == login.ProviderKey))
             {
-                user.Claims.Add(new IdentityUserClaim
+                user.Logins.Add(new IdentityUserLogin
                 {
-                    ClaimType = claim.Type,
-                    ClaimValue = claim.Value
+                    LoginProvider = login.LoginProvider,
+                    ProviderKey = login.ProviderKey,
+                    ProviderDisplayName = login.ProviderDisplayName
                 });
             }
-            return Task.FromResult(0);
+
+            return Task.CompletedTask;
         }
 
-        /// <summary>
-        ///     Gets the claims asynchronous.
-        /// </summary>
-        /// <param name="user">The user.</param>
-        /// <returns>Task{IList{Claim}}.</returns>
-        /// <exception cref="System.ArgumentNullException">user</exception>
-        public Task<IList<Claim>> GetClaimsAsync(TUser user)
+        /// <inheritdoc/>
+        public async Task<TUser?> FindByLoginAsync(string loginProvider, string providerKey, CancellationToken cancellationToken = default)
         {
+            cancellationToken.ThrowIfCancellationRequested();
             ThrowIfDisposed();
-            if (user == null)
-                throw new ArgumentNullException("user");
 
-            IList<Claim> result = user.Claims.Select(c => new Claim(c.ClaimType, c.ClaimValue)).ToList();
-            return Task.FromResult(result);
+            await EnsureMigrationAsync(cancellationToken);
+            var filter = Builders<TUser>.Filter.And(
+                Builders<TUser>.Filter.Eq("Logins.LoginProvider", loginProvider),
+                Builders<TUser>.Filter.Eq("Logins.ProviderKey", providerKey));
+
+            return await UsersCollection.Find(filter).FirstOrDefaultAsync(cancellationToken);
         }
 
-        /// <summary>
-        ///     Removes the claim asynchronous.
-        /// </summary>
-        /// <param name="user">The user.</param>
-        /// <param name="claim">The claim.</param>
-        /// <returns>Task.</returns>
-        /// <exception cref="System.ArgumentNullException">user</exception>
-        public Task RemoveClaimAsync(TUser user, Claim claim)
+        /// <inheritdoc/>
+        public Task<IList<UserLoginInfo>> GetLoginsAsync(TUser user, CancellationToken cancellationToken = default)
         {
+            cancellationToken.ThrowIfCancellationRequested();
             ThrowIfDisposed();
-            if (user == null)
-                throw new ArgumentNullException("user");
+            ArgumentNullException.ThrowIfNull(user);
 
-            user.Claims.RemoveAll(x => x.ClaimType == claim.Type && x.ClaimValue == claim.Value);
-            return Task.FromResult(0);
-        }
+            IList<UserLoginInfo> logins = user.Logins
+                .Select(l => new UserLoginInfo(l.LoginProvider, l.ProviderKey, l.ProviderDisplayName))
+                .ToList();
 
+            return Task.FromResult(logins);
+        }
 
-        /// <summary>
-        ///     Creates the user asynchronous.
-        /// </summary>
-        /// <param name="user">The user.</param>
-        /// <returns>Task.</returns>
-        /// <exception cref="System.ArgumentNullException">user</exception>
-        public Task CreateAsync(TUser user)
+        /// <inheritdoc/>
+        public Task RemoveLoginAsync(TUser user, string loginProvider, string providerKey, CancellationToken cancellationToken = default)
         {
+            cancellationToken.ThrowIfCancellationRequested();
             ThrowIfDisposed();
-            if (user == null)
-                throw new ArgumentNullException("user");
+            ArgumentNullException.ThrowIfNull(user);
 
-            db.GetCollection<TUser>(collectionName).InsertOneAsync(user);
-            return Task.FromResult(user);
+            user.Logins.RemoveAll(x => x.LoginProvider == loginProvider && x.ProviderKey == providerKey);
+            return Task.CompletedTask;
         }
 
-        /// <summary>
-        ///     Deletes the user asynchronous.
-        /// </summary>
-        /// <param name="user">The user.</param>
-        /// <returns>Task.</returns>
-        /// <exception cref="System.ArgumentNullException">user</exception>
-        public Task DeleteAsync(TUser user)
+        #endregion
+
+        #region IUserClaimStore
+
+        /// <inheritdoc/>
+        public Task AddClaimsAsync(TUser user, IEnumerable<Claim> claims, CancellationToken cancellationToken = default)
         {
+            cancellationToken.ThrowIfCancellationRequested();
             ThrowIfDisposed();
-            if (user == null)
-                throw new ArgumentNullException("user");
+            ArgumentNullException.ThrowIfNull(user);
+            ArgumentNullException.ThrowIfNull(claims);
+
+            foreach (var claim in claims)
+            {
+                if (!user.Claims.Any(x => x.ClaimType == claim.Type && x.ClaimValue == claim.Value))
+                {
+                    var identityClaim = new IdentityUserClaim();
+                    identityClaim.InitializeFromClaim(claim);
+                    user.Claims.Add(identityClaim);
+                }
+            }
 
-            db.GetCollection<TUser>(collectionName)
-                .DeleteOneAsync(Builders<TUser>.Filter.Eq("_id", ObjectId.Parse(user.Id)));
-            return Task.FromResult(true);
+            return Task.CompletedTask;
         }
 
-        /// <summary>
-        ///     Finds the by identifier asynchronous.
-        /// </summary>
-        /// <param name="userId">The user identifier.</param>
-        /// <returns>Task{`0}.</returns>
-        public Task<TUser> FindByIdAsync(string userId)
+        /// <inheritdoc/>
+        public Task<IList<Claim>> GetClaimsAsync(TUser user, CancellationToken cancellationToken = default)
         {
+            cancellationToken.ThrowIfCancellationRequested();
             ThrowIfDisposed();
-            var user = db.GetCollection<TUser>(collectionName)
-                .Find(Builders<TUser>.Filter.Eq("_id", ObjectId.Parse(userId)))
-                .FirstOrDefaultAsync();
-            return user;
+            ArgumentNullException.ThrowIfNull(user);
+
+            IList<Claim> claims = user.Claims.Select(c => c.ToClaim()).ToList();
+            return Task.FromResult(claims);
         }
 
-        /// <summary>
-        ///     Finds the by name asynchronous.
-        /// </summary>
-        /// <param name="userName">Name of the user.</param>
-        /// <returns>Task{`0}.</returns>
-        public Task<TUser> FindByNameAsync(string userName)
+        /// <inheritdoc/>
+        public async Task<IList<TUser>> GetUsersForClaimAsync(Claim claim, CancellationToken cancellationToken = default)
         {
+            cancellationToken.ThrowIfCancellationRequested();
             ThrowIfDisposed();
-            var user = db.GetCollection<TUser>(collectionName)
-                .Find(Builders<TUser>.Filter.Eq("UserName", userName))
-                .FirstOrDefaultAsync();
-            return user;
+            ArgumentNullException.ThrowIfNull(claim);
+
+            await EnsureMigrationAsync(cancellationToken);
+            var filter = Builders<TUser>.Filter.And(
+                Builders<TUser>.Filter.Eq("Claims.ClaimType", claim.Type),
+                Builders<TUser>.Filter.Eq("Claims.ClaimValue", claim.Value));
+
+            return await UsersCollection.Find(filter).ToListAsync(cancellationToken);
         }
 
-        /// <summary>
-        ///     Updates the user asynchronous.
-        /// </summary>
-        /// <param name="user">The user.</param>
-        /// <returns>Task.</returns>
-        /// <exception cref="System.ArgumentNullException">user</exception>
-        public Task UpdateAsync(TUser user)
+        /// <inheritdoc/>
+        public Task RemoveClaimsAsync(TUser user, IEnumerable<Claim> claims, CancellationToken cancellationToken = default)
         {
+            cancellationToken.ThrowIfCancellationRequested();
             ThrowIfDisposed();
-            if (user == null)
-                throw new ArgumentNullException("user");
+            ArgumentNullException.ThrowIfNull(user);
+            ArgumentNullException.ThrowIfNull(claims);
 
-            db.GetCollection<TUser>(collectionName)
-                .FindOneAndReplaceAsync(
-                Builders<TUser>.Filter.Eq("_id", ObjectId.Parse(user.Id)), 
-                user, 
-                new FindOneAndReplaceOptions<TUser> {IsUpsert = true});
+            foreach (var claim in claims)
+            {
+                user.Claims.RemoveAll(x => x.ClaimType == claim.Type && x.ClaimValue == claim.Value);
+            }
 
-            return Task.FromResult(user);
+            return Task.CompletedTask;
         }
 
-        /// <summary>
-        ///     Performs application-defined tasks associated with freeing, releasing, or resetting unmanaged resources.
-        /// </summary>
-        public void Dispose()
+        /// <inheritdoc/>
+        public Task ReplaceClaimAsync(TUser user, Claim claim, Claim newClaim, CancellationToken cancellationToken = default)
         {
-            _disposed = true;
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(user);
+            ArgumentNullException.ThrowIfNull(claim);
+            ArgumentNullException.ThrowIfNull(newClaim);
+
+            var existingClaim = user.Claims.FirstOrDefault(x => x.ClaimType == claim.Type && x.ClaimValue == claim.Value);
+            if (existingClaim != null)
+            {
+                existingClaim.InitializeFromClaim(newClaim);
+            }
+
+            return Task.CompletedTask;
         }
 
-        /// <summary>
-        ///     Adds the login asynchronous.
-        /// </summary>
-        /// <param name="user">The user.</param>
-        /// <param name="login">The login.</param>
-        /// <returns>Task.</returns>
-        /// <exception cref="System.ArgumentNullException">user</exception>
-        public Task AddLoginAsync(TUser user, UserLoginInfo login)
+        #endregion
+
+        #region IUserRoleStore
+
+        /// <inheritdoc/>
+        public Task AddToRoleAsync(TUser user, string roleName, CancellationToken cancellationToken = default)
         {
+            cancellationToken.ThrowIfCancellationRequested();
             ThrowIfDisposed();
-            if (user == null)
-                throw new ArgumentNullException("user");
+            ArgumentNullException.ThrowIfNull(user);
+            ArgumentException.ThrowIfNullOrWhiteSpace(roleName);
 
-            if (!user.Logins.Any(x => x.LoginProvider == login.LoginProvider && x.ProviderKey == login.ProviderKey))
+            if (!user.Roles.Contains(roleName, StringComparer.OrdinalIgnoreCase))
             {
-                user.Logins.Add(login);
+                user.Roles.Add(roleName);
             }
-            return Task.FromResult(true);
+
+            return Task.CompletedTask;
         }
 
-        /// <summary>
-        ///     Finds the user asynchronous.
-        /// </summary>
-        /// <param name="login">The login.</param>
-        /// <returns>Task{`0}.</returns>
-        public Task<TUser> FindAsync(UserLoginInfo login)
+        /// <inheritdoc/>
+        public Task<IList<string>> GetRolesAsync(TUser user, CancellationToken cancellationToken = default)
         {
-            var filter = Builders<TUser>.Filter;
-            var user = db.GetCollection<TUser>(collectionName)
-                .Find(filter.And(filter.Eq("Logins.LoginProvider", login.LoginProvider),
-                    filter.Eq("Logins.ProviderKey", login.ProviderKey))).FirstOrDefaultAsync();
-            return user;
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(user);
+
+            return Task.FromResult<IList<string>>(user.Roles.ToList());
         }
 
-        /// <summary>
-        ///     Gets the logins asynchronous.
-        /// </summary>
-        /// <param name="user">The user.</param>
-        /// <returns>Task{IList{UserLoginInfo}}.</returns>
-        /// <exception cref="System.ArgumentNullException">user</exception>
-        public Task<IList<UserLoginInfo>> GetLoginsAsync(TUser user)
+        /// <inheritdoc/>
+        public async Task<IList<TUser>> GetUsersInRoleAsync(string roleName, CancellationToken cancellationToken = default)
         {
+            cancellationToken.ThrowIfCancellationRequested();
             ThrowIfDisposed();
-            if (user == null)
-                throw new ArgumentNullException("user");
-            return Task.FromResult(user.Logins.ToIList());
+            ArgumentException.ThrowIfNullOrWhiteSpace(roleName);
+
+            await EnsureMigrationAsync(cancellationToken);
+            var filter = Builders<TUser>.Filter.AnyEq(u => u.Roles, roleName);
+            return await UsersCollection.Find(filter).ToListAsync(cancellationToken);
         }
 
-        /// <summary>
-        ///     Removes the login asynchronous.
-        /// </summary>
-        /// <param name="user">The user.</param>
-        /// <param name="login">The login.</param>
-        /// <returns>Task.</returns>
-        /// <exception cref="System.ArgumentNullException">user</exception>
-        public Task RemoveLoginAsync(TUser user, UserLoginInfo login)
+        /// <inheritdoc/>
+        public Task<bool> IsInRoleAsync(TUser user, string roleName, CancellationToken cancellationToken = default)
         {
+            cancellationToken.ThrowIfCancellationRequested();
             ThrowIfDisposed();
-            if (user == null)
-                throw new ArgumentNullException("user");
-            user.Logins.RemoveAll(x => x.LoginProvider == login.LoginProvider && x.ProviderKey == login.ProviderKey);
-            return Task.FromResult(0);
+            ArgumentNullException.ThrowIfNull(user);
+            ArgumentException.ThrowIfNullOrWhiteSpace(roleName);
+
+            return Task.FromResult(user.Roles.Contains(roleName, StringComparer.OrdinalIgnoreCase));
         }
 
-        /// <summary>
-        ///     Gets the password hash asynchronous.
-        /// </summary>
-        /// <param name="user">The user.</param>
-        /// <returns>Task{System.String}.</returns>
-        /// <exception cref="System.ArgumentNullException">user</exception>
-        public Task<string> GetPasswordHashAsync(TUser user)
+        /// <inheritdoc/>
+        public Task RemoveFromRoleAsync(TUser user, string roleName, CancellationToken cancellationToken = default)
+        {
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(user);
+            ArgumentException.ThrowIfNullOrWhiteSpace(roleName);
+
+            user.Roles.RemoveAll(r => string.Equals(r, roleName, StringComparison.OrdinalIgnoreCase));
+            return Task.CompletedTask;
+        }
+
+        #endregion
+
+        #region IUserPasswordStore
+
+        /// <inheritdoc/>
+        public Task<string?> GetPasswordHashAsync(TUser user, CancellationToken cancellationToken = default)
         {
+            cancellationToken.ThrowIfCancellationRequested();
             ThrowIfDisposed();
-            if (user == null)
-                throw new ArgumentNullException("user");
+            ArgumentNullException.ThrowIfNull(user);
+
             return Task.FromResult(user.PasswordHash);
         }
 
-        /// <summary>
-        ///     Determines whether [has password asynchronous] [the specified user].
-        /// </summary>
-        /// <param name="user">The user.</param>
-        /// <exception cref="System.ArgumentNullException">user</exception>
-        public Task<bool> HasPasswordAsync(TUser user)
+        /// <inheritdoc/>
+        public Task<bool> HasPasswordAsync(TUser user, CancellationToken cancellationToken = default)
         {
+            cancellationToken.ThrowIfCancellationRequested();
             ThrowIfDisposed();
-            if (user == null)
-                throw new ArgumentNullException("user");
-            return Task.FromResult(user.PasswordHash != null);
+            ArgumentNullException.ThrowIfNull(user);
+
+            return Task.FromResult(!string.IsNullOrEmpty(user.PasswordHash));
         }
 
-        /// <summary>
-        ///     Sets the password hash asynchronous.
-        /// </summary>
-        /// <param name="user">The user.</param>
-        /// <param name="passwordHash">The password hash.</param>
-        /// <returns>Task.</returns>
-        /// <exception cref="System.ArgumentNullException">user</exception>
-        public Task SetPasswordHashAsync(TUser user, string passwordHash)
+        /// <inheritdoc/>
+        public Task SetPasswordHashAsync(TUser user, string? passwordHash, CancellationToken cancellationToken = default)
         {
+            cancellationToken.ThrowIfCancellationRequested();
             ThrowIfDisposed();
-            if (user == null)
-                throw new ArgumentNullException("user");
+            ArgumentNullException.ThrowIfNull(user);
+
             user.PasswordHash = passwordHash;
-            return Task.FromResult(0);
+            return Task.CompletedTask;
         }
 
-        /// <summary>
-        ///     Adds to role asynchronous.
-        /// </summary>
-        /// <param name="user">The user.</param>
-        /// <param name="role">The role.</param>
-        /// <returns>Task.</returns>
-        /// <exception cref="System.ArgumentNullException">user</exception>
-        public Task AddToRoleAsync(TUser user, string role)
+        #endregion
+
+        #region IUserSecurityStampStore
+
+        /// <inheritdoc/>
+        public Task<string?> GetSecurityStampAsync(TUser user, CancellationToken cancellationToken = default)
         {
+            cancellationToken.ThrowIfCancellationRequested();
             ThrowIfDisposed();
-            if (user == null)
-                throw new ArgumentNullException("user");
+            ArgumentNullException.ThrowIfNull(user);
 
-            if (!user.Roles.Contains(role, StringComparer.InvariantCultureIgnoreCase))
-                user.Roles.Add(role);
+            return Task.FromResult(user.SecurityStamp);
+        }
+
+        /// <inheritdoc/>
+        public Task SetSecurityStampAsync(TUser user, string stamp, CancellationToken cancellationToken = default)
+        {
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(user);
 
-            return Task.FromResult(true);
+            user.SecurityStamp = stamp;
+            return Task.CompletedTask;
         }
 
-        /// <summary>
-        ///     Gets the roles asynchronous.
-        /// </summary>
-        /// <param name="user">The user.</param>
-        /// <returns>Task{IList{System.String}}.</returns>
-        /// <exception cref="System.ArgumentNullException">user</exception>
-        public Task<IList<string>> GetRolesAsync(TUser user)
+        #endregion
+
+        #region IUserEmailStore
+
+        /// <inheritdoc/>
+        public async Task<TUser?> FindByEmailAsync(string normalizedEmail, CancellationToken cancellationToken = default)
         {
+            cancellationToken.ThrowIfCancellationRequested();
             ThrowIfDisposed();
-            if (user == null)
-                throw new ArgumentNullException("user");
-            return Task.FromResult<IList<string>>(user.Roles);
+
+            await EnsureMigrationAsync(cancellationToken);
+            return await UsersCollection
+                .Find(Builders<TUser>.Filter.Eq(u => u.NormalizedEmail, normalizedEmail))
+                .FirstOrDefaultAsync(cancellationToken);
         }
 
-        /// <summary>
-        ///     Determines whether [is in role asynchronous] [the specified user].
-        /// </summary>
-        /// <param name="user">The user.</param>
-        /// <param name="role">The role.</param>
-        /// <exception cref="System.ArgumentNullException">user</exception>
-        public Task<bool> IsInRoleAsync(TUser user, string role)
+        /// <inheritdoc/>
+        public Task<string?> GetEmailAsync(TUser user, CancellationToken cancellationToken = default)
         {
+            cancellationToken.ThrowIfCancellationRequested();
             ThrowIfDisposed();
-            if (user == null)
-                throw new ArgumentNullException("user");
+            ArgumentNullException.ThrowIfNull(user);
 
-            return Task.FromResult(user.Roles.Contains(role, StringComparer.InvariantCultureIgnoreCase));
+            return Task.FromResult(user.Email);
         }
 
-        /// <summary>
-        ///     Removes from role asynchronous.
-        /// </summary>
-        /// <param name="user">The user.</param>
-        /// <param name="role">The role.</param>
-        /// <returns>Task.</returns>
-        /// <exception cref="System.ArgumentNullException">user</exception>
-        public Task RemoveFromRoleAsync(TUser user, string role)
+        /// <inheritdoc/>
+        public Task<bool> GetEmailConfirmedAsync(TUser user, CancellationToken cancellationToken = default)
         {
+            cancellationToken.ThrowIfCancellationRequested();
             ThrowIfDisposed();
-            if (user == null)
-                throw new ArgumentNullException("user");
+            ArgumentNullException.ThrowIfNull(user);
 
-            user.Roles.RemoveAll(r => String.Equals(r, role, StringComparison.InvariantCultureIgnoreCase));
+            return Task.FromResult(user.EmailConfirmed);
+        }
 
-            return Task.FromResult(0);
+        /// <inheritdoc/>
+        public Task<string?> GetNormalizedEmailAsync(TUser user, CancellationToken cancellationToken = default)
+        {
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(user);
+
+            return Task.FromResult(user.NormalizedEmail);
         }
 
-        /// <summary>
-        ///     Gets the security stamp asynchronous.
-        /// </summary>
-        /// <param name="user">The user.</param>
-        /// <returns>Task{System.String}.</returns>
-        /// <exception cref="System.ArgumentNullException">user</exception>
-        public Task<string> GetSecurityStampAsync(TUser user)
+        /// <inheritdoc/>
+        public Task SetEmailAsync(TUser user, string? email, CancellationToken cancellationToken = default)
         {
+            cancellationToken.ThrowIfCancellationRequested();
             ThrowIfDisposed();
-            if (user == null)
-                throw new ArgumentNullException("user");
+            ArgumentNullException.ThrowIfNull(user);
 
-            return Task.FromResult(user.SecurityStamp);
+            user.Email = email;
+            return Task.CompletedTask;
         }
 
-        /// <summary>
-        ///     Sets the security stamp asynchronous.
-        /// </summary>
-        /// <param name="user">The user.</param>
-        /// <param name="stamp">The stamp.</param>
-        /// <returns>Task.</returns>
-        /// <exception cref="System.ArgumentNullException">user</exception>
-        public Task SetSecurityStampAsync(TUser user, string stamp)
+        /// <inheritdoc/>
+        public Task SetEmailConfirmedAsync(TUser user, bool confirmed, CancellationToken cancellationToken = default)
         {
+            cancellationToken.ThrowIfCancellationRequested();
             ThrowIfDisposed();
-            if (user == null)
-                throw new ArgumentNullException("user");
+            ArgumentNullException.ThrowIfNull(user);
 
-            user.SecurityStamp = stamp;
-            return Task.FromResult(0);
+            user.EmailConfirmed = confirmed;
+            return Task.CompletedTask;
         }
 
-        /// <summary>
-        ///     Throws if disposed.
-        /// </summary>
-        /// <exception cref="System.ObjectDisposedException"></exception>
-        private void ThrowIfDisposed()
+        /// <inheritdoc/>
+        public Task SetNormalizedEmailAsync(TUser user, string? normalizedEmail, CancellationToken cancellationToken = default)
         {
-            if (_disposed)
-                throw new ObjectDisposedException(GetType().Name);
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(user);
+
+            user.NormalizedEmail = normalizedEmail;
+            return Task.CompletedTask;
         }
 
         #endregion
 
-        /// <summary>Set the user email</summary>
-        /// <param name="user"></param>
-        /// <param name="email"></param>
-        /// <returns></returns>
-        public Task SetEmailAsync(TUser user, string email)
+        #region IUserLockoutStore
+
+        /// <inheritdoc/>
+        public Task<int> GetAccessFailedCountAsync(TUser user, CancellationToken cancellationToken = default)
         {
+            cancellationToken.ThrowIfCancellationRequested();
             ThrowIfDisposed();
-            if (user == null)
-                throw new ArgumentNullException("user");
+            ArgumentNullException.ThrowIfNull(user);
 
-            user.Email = email;
-            return Task.FromResult(0);
+            return Task.FromResult(user.AccessFailedCount);
         }
 
-        /// <summary>Get the user email</summary>
-        /// <param name="user"></param>
-        /// <returns></returns>
-        public Task<string> GetEmailAsync(TUser user)
+        /// <inheritdoc/>
+        public Task<bool> GetLockoutEnabledAsync(TUser user, CancellationToken cancellationToken = default)
         {
+            cancellationToken.ThrowIfCancellationRequested();
             ThrowIfDisposed();
-            if (user == null)
-                throw new ArgumentNullException("user");
+            ArgumentNullException.ThrowIfNull(user);
 
-            return Task.FromResult(user.Email);
+            return Task.FromResult(user.LockoutEnabled);
         }
 
-        /// <summary>Returns true if the user email is confirmed</summary>
-        /// <param name="user"></param>
-        /// <returns></returns>
-        public Task<bool> GetEmailConfirmedAsync(TUser user)
+        /// <inheritdoc/>
+        public Task<DateTimeOffset?> GetLockoutEndDateAsync(TUser user, CancellationToken cancellationToken = default)
         {
+            cancellationToken.ThrowIfCancellationRequested();
             ThrowIfDisposed();
-            if (user == null)
-                throw new ArgumentNullException("user");
-            return Task.FromResult(user.EmailConfirmed);
+            ArgumentNullException.ThrowIfNull(user);
+
+            return Task.FromResult(user.LockoutEnd);
         }
 
-        /// <summary>Sets whether the user email is confirmed</summary>
-        /// <param name="user"></param>
-        /// <param name="confirmed"></param>
-        /// <returns></returns>
-        public Task SetEmailConfirmedAsync(TUser user, bool confirmed)
+        /// <inheritdoc/>
+        public Task<int> IncrementAccessFailedCountAsync(TUser user, CancellationToken cancellationToken = default)
         {
+            cancellationToken.ThrowIfCancellationRequested();
             ThrowIfDisposed();
-            if (user == null)
-                throw new ArgumentNullException("user");
+            ArgumentNullException.ThrowIfNull(user);
 
-            user.EmailConfirmed = confirmed;
-            return Task.FromResult(0);
+            user.AccessFailedCount++;
+            return Task.FromResult(user.AccessFailedCount);
         }
 
-        /// <summary>Returns the user associated with this email</summary>
-        /// <param name="email"></param>
-        /// <returns></returns>
-        public Task<TUser> FindByEmailAsync(string email)
+        /// <inheritdoc/>
+        public Task ResetAccessFailedCountAsync(TUser user, CancellationToken cancellationToken = default)
         {
+            cancellationToken.ThrowIfCancellationRequested();
             ThrowIfDisposed();
-            var user = db.GetCollection<TUser>(collectionName)
-                .Find(Builders<TUser>.Filter.Eq("Email", email))
-                .FirstOrDefaultAsync();
-            return user;
+            ArgumentNullException.ThrowIfNull(user);
+
+            user.AccessFailedCount = 0;
+            return Task.CompletedTask;
         }
 
-        /// <summary>
-        ///     Returns the DateTimeOffset that represents the end of a user's lockout, any time in the past should be considered
-        ///     not locked out.
-        /// </summary>
-        /// <param name="user"></param>
-        /// <returns></returns>
-        public async Task<DateTimeOffset> GetLockoutEndDateAsync(TUser user)
+        /// <inheritdoc/>
+        public Task SetLockoutEnabledAsync(TUser user, bool enabled, CancellationToken cancellationToken = default)
         {
-            if (user == null)
-            {
-                throw new ArgumentNullException(nameof(user));
-            }
-            return await Task.FromResult(user.LockoutEndDateUtc.HasValue
-                    ? new DateTimeOffset(DateTime.SpecifyKind(user.LockoutEndDateUtc.Value, DateTimeKind.Utc))
-                    : new DateTimeOffset());
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(user);
+
+            user.LockoutEnabled = enabled;
+            return Task.CompletedTask;
         }
 
-        /// <summary>
-        ///     Locks a user out until the specified end date (set to a past date, to unlock a user)
-        /// </summary>
-        /// <param name="user"></param>
-        /// <param name="lockoutEnd"></param>
-        /// <returns></returns>
-        public Task SetLockoutEndDateAsync(TUser user, DateTimeOffset lockoutEnd)
+        /// <inheritdoc/>
+        public Task SetLockoutEndDateAsync(TUser user, DateTimeOffset? lockoutEnd, CancellationToken cancellationToken = default)
         {
-            if (user == null)
-            {
-                throw new ArgumentNullException(nameof(user));
-            }
-            user.LockoutEndDateUtc = lockoutEnd.UtcDateTime;
-            return Task.FromResult(0);
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(user);
+
+            user.LockoutEnd = lockoutEnd;
+            return Task.CompletedTask;
         }
 
-        /// <summary>
-        ///     Used to record when an attempt to access the user has failed
-        /// </summary>
-        /// <param name="user"></param>
-        /// <returns></returns>
-        public Task<int> IncrementAccessFailedCountAsync(TUser user)
+        #endregion
+
+        #region IUserTwoFactorStore
+
+        /// <inheritdoc/>
+        public Task<bool> GetTwoFactorEnabledAsync(TUser user, CancellationToken cancellationToken = default)
         {
-            if (user == null)
-            {
-                throw new ArgumentNullException(nameof(user));
-            }
-            user.AccessFailedCount++;
-            return Task.FromResult(user.AccessFailedCount);
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(user);
+
+            return Task.FromResult(user.TwoFactorEnabled);
         }
 
-        /// <summary>
-        ///     Used to reset the access failed count, typically after the account is successfully accessed
-        /// </summary>
-        /// <param name="user"></param>
-        /// <returns></returns>
-        public Task ResetAccessFailedCountAsync(TUser user)
+        /// <inheritdoc/>
+        public Task SetTwoFactorEnabledAsync(TUser user, bool enabled, CancellationToken cancellationToken = default)
         {
-            if (user == null)
-            {
-                throw new ArgumentNullException(nameof(user));
-            }
-            user.AccessFailedCount = 0;
-            return Task.FromResult(0);
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(user);
+
+            user.TwoFactorEnabled = enabled;
+            return Task.CompletedTask;
         }
 
-        /// <summary>
-        ///     Returns the current number of failed access attempts.  This number usually will be reset whenever the password is
-        ///     verified or the account is locked out.
-        /// </summary>
-        /// <param name="user"></param>
-        /// <returns></returns>
-        public Task<int> GetAccessFailedCountAsync(TUser user)
+        #endregion
+
+        #region IUserPhoneNumberStore
+
+        /// <inheritdoc/>
+        public Task<string?> GetPhoneNumberAsync(TUser user, CancellationToken cancellationToken = default)
         {
-            if (user == null)
-            {
-                throw new ArgumentNullException(nameof(user));
-            }
-            return Task.FromResult(user.AccessFailedCount);
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(user);
+
+            return Task.FromResult(user.PhoneNumber);
         }
 
-        /// <summary>Returns whether the user can be locked out.</summary>
-        /// <param name="user"></param>
-        /// <returns></returns>
-        public Task<bool> GetLockoutEnabledAsync(TUser user)
+        /// <inheritdoc/>
+        public Task<bool> GetPhoneNumberConfirmedAsync(TUser user, CancellationToken cancellationToken = default)
         {
-            if (user == null)
-            {
-                throw new ArgumentNullException(nameof(user));
-            }
-            return Task.FromResult(user.LockoutEnabled);
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(user);
+
+            return Task.FromResult(user.PhoneNumberConfirmed);
         }
 
-        /// <summary>Sets whether the user can be locked out.</summary>
-        /// <param name="user"></param>
-        /// <param name="enabled"></param>
-        /// <returns></returns>
-        public Task SetLockoutEnabledAsync(TUser user, bool enabled)
+        /// <inheritdoc/>
+        public Task SetPhoneNumberAsync(TUser user, string? phoneNumber, CancellationToken cancellationToken = default)
         {
-            if (user == null)
-            {
-                throw new ArgumentNullException(nameof(user));
-            }
-            user.LockoutEnabled = enabled;
-            return Task.FromResult(0);
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(user);
+
+            user.PhoneNumber = phoneNumber;
+            return Task.CompletedTask;
         }
 
-        /// <summary>
-        ///     Sets whether two factor authentication is enabled for the user
-        /// </summary>
-        /// <param name="user"></param>
-        /// <param name="enabled"></param>
-        /// <returns></returns>
-        public Task SetTwoFactorEnabledAsync(TUser user, bool enabled)
+        /// <inheritdoc/>
+        public Task SetPhoneNumberConfirmedAsync(TUser user, bool confirmed, CancellationToken cancellationToken = default)
         {
-            if (user == null)
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(user);
+
+            user.PhoneNumberConfirmed = confirmed;
+            return Task.CompletedTask;
+        }
+
+        #endregion
+
+        #region IUserAuthenticationTokenStore
+
+        /// <inheritdoc/>
+        public Task<string?> GetTokenAsync(TUser user, string loginProvider, string name, CancellationToken cancellationToken = default)
+        {
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(user);
+
+            var token = user.Tokens.FirstOrDefault(t => t.LoginProvider == loginProvider && t.Name == name);
+            return Task.FromResult(token?.Value);
+        }
+
+        /// <inheritdoc/>
+        public Task RemoveTokenAsync(TUser user, string loginProvider, string name, CancellationToken cancellationToken = default)
+        {
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(user);
+
+            user.Tokens.RemoveAll(t => t.LoginProvider == loginProvider && t.Name == name);
+            return Task.CompletedTask;
+        }
+
+        /// <inheritdoc/>
+        public Task SetTokenAsync(TUser user, string loginProvider, string name, string? value, CancellationToken cancellationToken = default)
+        {
+            cancellationToken.ThrowIfCancellationRequested();
+            ThrowIfDisposed();
+            ArgumentNullException.ThrowIfNull(user);
+
+            var existingToken = user.Tokens.FirstOrDefault(t => t.LoginProvider == loginProvider && t.Name == name);
+            if (existingToken != null)
             {
-                throw new ArgumentNullException(nameof(user));
+                existingToken.Value = value;
             }
-            user.TwoFactorEnabled = enabled;
-            return Task.FromResult(0);
+            else
+            {
+                user.Tokens.Add(new IdentityUserToken
+                {
+                    LoginProvider = loginProvider,
+                    Name = name,
+                    Value = value
+                });
+            }
+
+            return Task.CompletedTask;
+        }
+
+        #endregion
+
+        #region IDisposable
+
+        /// <inheritdoc/>
+        public void Dispose()
+        {
+            _disposed = true;
+            GC.SuppressFinalize(this);
         }
 
         /// <summary>
-        ///     Returns whether two factor authentication is enabled for the user
+        /// Throws if this class has been disposed.
         /// </summary>
-        /// <param name="user"></param>
-        /// <returns></returns>
-        public Task<bool> GetTwoFactorEnabledAsync(TUser user)
+        protected void ThrowIfDisposed()
         {
-            if (user == null)
-            {
-                throw new ArgumentNullException(nameof(user));
-            }
-            return Task.FromResult(user.TwoFactorEnabled);
+            ObjectDisposedException.ThrowIf(_disposed, this);
         }
+
+        #endregion
     }
-}
\ No newline at end of file
+}
diff --git a/Utils.cs b/Utils.cs
deleted file mode 100644
index addfa5a..0000000
--- a/Utils.cs
+++ /dev/null
@@ -1,19 +0,0 @@
-using System.Collections.Generic;
-using System.Linq;
-
-namespace MongoDB.AspNet.Identity
-{
-    internal static class Utils
-    {
-        /// <summary>
-        /// Converts an IEnumberable of T to a IList of T
-        /// </summary>
-        /// <typeparam name="T"></typeparam>
-        /// <param name="enumerable">The enumerable.</param>
-        /// <returns>IList{``0}.</returns>
-        internal static IList<T> ToIList<T>(this IEnumerable<T> enumerable)
-        {
-            return enumerable.ToList();
-        }
-    }
-}
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..a06d4f3
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,33 @@
+services:
+  mongodb:
+    image: mongo:7.0
+    container_name: mongodb-identity
+    ports:
+      - "27017:27017"
+    volumes:
+      - mongodb_data:/data/db
+    environment:
+      - MONGO_INITDB_DATABASE=SampleIdentityDb
+    healthcheck:
+      test: ["CMD", "mongosh", "--eval", "db.adminCommand('ping')"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 10s
+
+  sample-app:
+    build:
+      context: .
+      dockerfile: samples/SampleWebApp/Dockerfile
+    container_name: sample-identity-app
+    ports:
+      - "5000:8080"
+    environment:
+      - ASPNETCORE_ENVIRONMENT=Development
+      - ConnectionStrings__MongoDB=mongodb://mongodb:27017/SampleIdentityDb
+    depends_on:
+      mongodb:
+        condition: service_healthy
+
+volumes:
+  mongodb_data:
diff --git a/packages.config b/packages.config
deleted file mode 100644
index 7daf4f0..0000000
--- a/packages.config
+++ /dev/null
@@ -1,9 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<packages>
-  <package id="Microsoft.AspNet.Identity.Core" version="2.2.1" targetFramework="net45" />
-  <package id="mongocsharpdriver" version="2.4.3" targetFramework="net45" />
-  <package id="MongoDB.Bson" version="2.4.3" targetFramework="net45" />
-  <package id="MongoDB.Driver" version="2.4.3" targetFramework="net45" />
-  <package id="MongoDB.Driver.Core" version="2.4.3" targetFramework="net45" />
-  <package id="System.Runtime.InteropServices.RuntimeInformation" version="4.0.0" targetFramework="net45" />
-</packages>
\ No newline at end of file
diff --git a/samples/SampleWebApp/Controllers/AuthController.cs b/samples/SampleWebApp/Controllers/AuthController.cs
new file mode 100644
index 0000000..c5d9fdc
--- /dev/null
+++ b/samples/SampleWebApp/Controllers/AuthController.cs
@@ -0,0 +1,216 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.AspNetCore.Mvc;
+using MongoIdentityUser = MongoDB.AspNet.Identity.IdentityUser;
+using MongoIdentityRole = MongoDB.AspNet.Identity.IdentityRole;
+
+namespace SampleWebApp.Controllers;
+
+[ApiController]
+[Route("api/[controller]")]
+public class AuthController : ControllerBase
+{
+    private readonly UserManager<MongoIdentityUser> _userManager;
+    private readonly SignInManager<MongoIdentityUser> _signInManager;
+    private readonly RoleManager<MongoIdentityRole> _roleManager;
+
+    public AuthController(
+        UserManager<MongoIdentityUser> userManager,
+        SignInManager<MongoIdentityUser> signInManager,
+        RoleManager<MongoIdentityRole> roleManager)
+    {
+        _userManager = userManager;
+        _signInManager = signInManager;
+        _roleManager = roleManager;
+    }
+
+    /// <summary>
+    /// Register a new user.
+    /// </summary>
+    [HttpPost("register")]
+    public async Task<IActionResult> Register([FromBody] RegisterRequest request)
+    {
+        if (!ModelState.IsValid)
+            return BadRequest(ModelState);
+
+        var user = new MongoIdentityUser(request.UserName)
+        {
+            Email = request.Email
+        };
+
+        var result = await _userManager.CreateAsync(user, request.Password);
+
+        if (!result.Succeeded)
+        {
+            return BadRequest(new { Errors = result.Errors.Select(e => e.Description) });
+        }
+
+        return Ok(new { Message = "User registered successfully", UserId = user.Id });
+    }
+
+    /// <summary>
+    /// Login with username and password.
+    /// </summary>
+    [HttpPost("login")]
+    public async Task<IActionResult> Login([FromBody] LoginRequest request)
+    {
+        if (!ModelState.IsValid)
+            return BadRequest(ModelState);
+
+        var user = await _userManager.FindByNameAsync(request.UserName);
+        if (user == null)
+        {
+            return Unauthorized(new { Message = "Invalid username or password" });
+        }
+
+        var result = await _signInManager.CheckPasswordSignInAsync(user, request.Password, lockoutOnFailure: true);
+
+        if (!result.Succeeded)
+        {
+            if (result.IsLockedOut)
+                return Unauthorized(new { Message = "Account is locked out" });
+
+            return Unauthorized(new { Message = "Invalid username or password" });
+        }
+
+        return Ok(new { Message = "Login successful", UserId = user.Id, UserName = user.UserName });
+    }
+
+    /// <summary>
+    /// Get current user info.
+    /// </summary>
+    [HttpGet("me")]
+    [Authorize]
+    public async Task<IActionResult> GetCurrentUser()
+    {
+        var user = await _userManager.GetUserAsync(User);
+        if (user == null)
+            return NotFound();
+
+        var roles = await _userManager.GetRolesAsync(user);
+        var claims = await _userManager.GetClaimsAsync(user);
+
+        return Ok(new
+        {
+            user.Id,
+            user.UserName,
+            user.Email,
+            user.EmailConfirmed,
+            user.PhoneNumber,
+            user.PhoneNumberConfirmed,
+            user.TwoFactorEnabled,
+            Roles = roles,
+            Claims = claims.Select(c => new { c.Type, c.Value })
+        });
+    }
+
+    /// <summary>
+    /// Add a role to a user.
+    /// </summary>
+    [HttpPost("users/{userId}/roles")]
+    public async Task<IActionResult> AddToRole(string userId, [FromBody] RoleRequest request)
+    {
+        var user = await _userManager.FindByIdAsync(userId);
+        if (user == null)
+            return NotFound(new { Message = "User not found" });
+
+        // Validate that the role exists
+        var roleExists = await _roleManager.RoleExistsAsync(request.RoleName);
+        if (!roleExists)
+            return BadRequest(new { Message = $"Role '{request.RoleName}' does not exist. Create it first." });
+
+        var result = await _userManager.AddToRoleAsync(user, request.RoleName);
+        if (!result.Succeeded)
+        {
+            return BadRequest(new { Errors = result.Errors.Select(e => e.Description) });
+        }
+
+        return Ok(new { Message = $"User added to role '{request.RoleName}'" });
+    }
+
+    /// <summary>
+    /// Get all users.
+    /// </summary>
+    [HttpGet("users")]
+    public IActionResult GetAllUsers()
+    {
+        var users = _userManager.Users.ToList();
+        return Ok(users.Select(u => new
+        {
+            u.Id,
+            u.UserName,
+            u.Email,
+            u.EmailConfirmed,
+            u.Roles
+        }));
+    }
+
+    /// <summary>
+    /// Delete a user.
+    /// </summary>
+    [HttpDelete("users/{userId}")]
+    public async Task<IActionResult> DeleteUser(string userId)
+    {
+        var user = await _userManager.FindByIdAsync(userId);
+        if (user == null)
+            return NotFound(new { Message = "User not found" });
+
+        var result = await _userManager.DeleteAsync(user);
+        if (!result.Succeeded)
+        {
+            return BadRequest(new { Errors = result.Errors.Select(e => e.Description) });
+        }
+
+        return Ok(new { Message = "User deleted successfully" });
+    }
+
+    /// <summary>
+    /// Request a password reset token.
+    /// </summary>
+    [HttpPost("forgot-password")]
+    public async Task<IActionResult> ForgotPassword([FromBody] ForgotPasswordRequest request)
+    {
+        var user = await _userManager.FindByEmailAsync(request.Email);
+        if (user == null)
+        {
+            // Don't reveal that user doesn't exist
+            return Ok(new { Message = "If the email exists, a reset token has been generated." });
+        }
+
+        var token = await _userManager.GeneratePasswordResetTokenAsync(user);
+
+        // In production, you'd send this via email. For demo, we return it.
+        return Ok(new {
+            Message = "Password reset token generated",
+            Token = token,
+            UserId = user.Id,
+            Note = "In production, this token would be sent via email"
+        });
+    }
+
+    /// <summary>
+    /// Reset password using token.
+    /// </summary>
+    [HttpPost("reset-password")]
+    public async Task<IActionResult> ResetPassword([FromBody] ResetPasswordRequest request)
+    {
+        var user = await _userManager.FindByIdAsync(request.UserId);
+        if (user == null)
+            return BadRequest(new { Message = "Invalid request" });
+
+        var result = await _userManager.ResetPasswordAsync(user, request.Token, request.NewPassword);
+
+        if (!result.Succeeded)
+        {
+            return BadRequest(new { Errors = result.Errors.Select(e => e.Description) });
+        }
+
+        return Ok(new { Message = "Password has been reset successfully" });
+    }
+}
+
+public record RegisterRequest(string UserName, string Email, string Password);
+public record LoginRequest(string UserName, string Password);
+public record RoleRequest(string RoleName);
+public record ForgotPasswordRequest(string Email);
+public record ResetPasswordRequest(string UserId, string Token, string NewPassword);
diff --git a/samples/SampleWebApp/Controllers/ClaimsController.cs b/samples/SampleWebApp/Controllers/ClaimsController.cs
new file mode 100644
index 0000000..52cfded
--- /dev/null
+++ b/samples/SampleWebApp/Controllers/ClaimsController.cs
@@ -0,0 +1,76 @@
+using System.Security.Claims;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.AspNetCore.Mvc;
+using MongoIdentityUser = MongoDB.AspNet.Identity.IdentityUser;
+
+namespace SampleWebApp.Controllers;
+
+[ApiController]
+[Route("api/users/{userId}/[controller]")]
+public class ClaimsController : ControllerBase
+{
+    private readonly UserManager<MongoIdentityUser> _userManager;
+
+    public ClaimsController(UserManager<MongoIdentityUser> userManager)
+    {
+        _userManager = userManager;
+    }
+
+    /// <summary>
+    /// Get all claims for a user.
+    /// </summary>
+    [HttpGet]
+    public async Task<IActionResult> GetClaims(string userId)
+    {
+        var user = await _userManager.FindByIdAsync(userId);
+        if (user == null)
+            return NotFound(new { Message = "User not found" });
+
+        var claims = await _userManager.GetClaimsAsync(user);
+        return Ok(claims.Select(c => new { c.Type, c.Value }));
+    }
+
+    /// <summary>
+    /// Add a claim to a user.
+    /// </summary>
+    [HttpPost]
+    public async Task<IActionResult> AddClaim(string userId, [FromBody] ClaimRequest request)
+    {
+        var user = await _userManager.FindByIdAsync(userId);
+        if (user == null)
+            return NotFound(new { Message = "User not found" });
+
+        var claim = new Claim(request.Type, request.Value);
+        var result = await _userManager.AddClaimAsync(user, claim);
+
+        if (!result.Succeeded)
+        {
+            return BadRequest(new { Errors = result.Errors.Select(e => e.Description) });
+        }
+
+        return Ok(new { Message = $"Claim '{request.Type}' added successfully" });
+    }
+
+    /// <summary>
+    /// Remove a claim from a user.
+    /// </summary>
+    [HttpDelete]
+    public async Task<IActionResult> RemoveClaim(string userId, [FromQuery] string type, [FromQuery] string value)
+    {
+        var user = await _userManager.FindByIdAsync(userId);
+        if (user == null)
+            return NotFound(new { Message = "User not found" });
+
+        var claim = new Claim(type, value);
+        var result = await _userManager.RemoveClaimAsync(user, claim);
+
+        if (!result.Succeeded)
+        {
+            return BadRequest(new { Errors = result.Errors.Select(e => e.Description) });
+        }
+
+        return Ok(new { Message = "Claim removed successfully" });
+    }
+}
+
+public record ClaimRequest(string Type, string Value);
diff --git a/samples/SampleWebApp/Controllers/RolesController.cs b/samples/SampleWebApp/Controllers/RolesController.cs
new file mode 100644
index 0000000..9476f89
--- /dev/null
+++ b/samples/SampleWebApp/Controllers/RolesController.cs
@@ -0,0 +1,68 @@
+using Microsoft.AspNetCore.Identity;
+using Microsoft.AspNetCore.Mvc;
+using MongoIdentityRole = MongoDB.AspNet.Identity.IdentityRole;
+
+namespace SampleWebApp.Controllers;
+
+[ApiController]
+[Route("api/[controller]")]
+public class RolesController : ControllerBase
+{
+    private readonly RoleManager<MongoIdentityRole> _roleManager;
+
+    public RolesController(RoleManager<MongoIdentityRole> roleManager)
+    {
+        _roleManager = roleManager;
+    }
+
+    /// <summary>
+    /// Get all roles.
+    /// </summary>
+    [HttpGet]
+    public IActionResult GetAllRoles()
+    {
+        var roles = _roleManager.Roles.ToList();
+        return Ok(roles.Select(r => new { r.Id, r.Name }));
+    }
+
+    /// <summary>
+    /// Create a new role.
+    /// </summary>
+    [HttpPost]
+    public async Task<IActionResult> CreateRole([FromBody] CreateRoleRequest request)
+    {
+        if (string.IsNullOrWhiteSpace(request.Name))
+            return BadRequest(new { Message = "Role name is required" });
+
+        var role = new MongoIdentityRole(request.Name);
+        var result = await _roleManager.CreateAsync(role);
+
+        if (!result.Succeeded)
+        {
+            return BadRequest(new { Errors = result.Errors.Select(e => e.Description) });
+        }
+
+        return Ok(new { Message = "Role created successfully", RoleId = role.Id, RoleName = role.Name });
+    }
+
+    /// <summary>
+    /// Delete a role.
+    /// </summary>
+    [HttpDelete("{roleId}")]
+    public async Task<IActionResult> DeleteRole(string roleId)
+    {
+        var role = await _roleManager.FindByIdAsync(roleId);
+        if (role == null)
+            return NotFound(new { Message = "Role not found" });
+
+        var result = await _roleManager.DeleteAsync(role);
+        if (!result.Succeeded)
+        {
+            return BadRequest(new { Errors = result.Errors.Select(e => e.Description) });
+        }
+
+        return Ok(new { Message = "Role deleted successfully" });
+    }
+}
+
+public record CreateRoleRequest(string Name);
diff --git a/samples/SampleWebApp/Dockerfile b/samples/SampleWebApp/Dockerfile
new file mode 100644
index 0000000..8622883
--- /dev/null
+++ b/samples/SampleWebApp/Dockerfile
@@ -0,0 +1,28 @@
+FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
+WORKDIR /src
+
+# Copy solution and project files
+COPY ["MongoDB.AspNet.Identity.sln", "."]
+COPY ["MongoDB.AspNet.Identity.csproj", "."]
+COPY ["samples/SampleWebApp/SampleWebApp.csproj", "samples/SampleWebApp/"]
+
+# Restore dependencies
+RUN dotnet restore "samples/SampleWebApp/SampleWebApp.csproj"
+
+# Copy source files
+COPY . .
+
+# Build the application
+WORKDIR "/src/samples/SampleWebApp"
+RUN dotnet build "SampleWebApp.csproj" -c Release -o /app/build
+
+# Publish the application
+FROM build AS publish
+RUN dotnet publish "SampleWebApp.csproj" -c Release -o /app/publish /p:UseAppHost=false
+
+# Final image
+FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS final
+WORKDIR /app
+EXPOSE 8080
+COPY --from=publish /app/publish .
+ENTRYPOINT ["dotnet", "SampleWebApp.dll"]
diff --git a/samples/SampleWebApp/Program.cs b/samples/SampleWebApp/Program.cs
new file mode 100644
index 0000000..a852d7a
--- /dev/null
+++ b/samples/SampleWebApp/Program.cs
@@ -0,0 +1,66 @@
+using Microsoft.AspNetCore.Identity;
+using MongoDB.AspNet.Identity;
+using MongoDB.Driver;
+using MongoIdentityUser = MongoDB.AspNet.Identity.IdentityUser;
+using MongoIdentityRole = MongoDB.AspNet.Identity.IdentityRole;
+
+var builder = WebApplication.CreateBuilder(args);
+
+// Configure MongoDB
+var connectionString = builder.Configuration.GetConnectionString("MongoDB")
+    ?? "mongodb://localhost:27017/SampleIdentityDb";
+var mongoUrl = new MongoUrl(connectionString);
+var mongoClient = new MongoClient(mongoUrl);
+var mongoDatabase = mongoClient.GetDatabase(mongoUrl.DatabaseName);
+
+// Register MongoDB database as a service
+builder.Services.AddSingleton(mongoDatabase);
+
+// Configure ASP.NET Core Identity with MongoDB
+builder.Services.AddIdentity<MongoIdentityUser, MongoIdentityRole>(options =>
+{
+    // Password settings (relaxed for demo purposes)
+    options.Password.RequireDigit = false;
+    options.Password.RequireLowercase = false;
+    options.Password.RequireUppercase = false;
+    options.Password.RequireNonAlphanumeric = false;
+    options.Password.RequiredLength = 6;
+
+    // User settings
+    options.User.RequireUniqueEmail = true;
+})
+.AddUserStore<UserStore<MongoIdentityUser>>()
+.AddRoleStore<RoleStore>()
+.AddRoleManager<RoleManager<MongoIdentityRole>>()
+.AddSignInManager()
+.AddDefaultTokenProviders();
+
+// Add authorization
+builder.Services.AddAuthorization();
+
+// Add controllers
+builder.Services.AddControllers();
+
+// Add Swagger for API documentation
+builder.Services.AddEndpointsApiExplorer();
+builder.Services.AddSwaggerGen();
+
+var app = builder.Build();
+
+// Configure the HTTP request pipeline
+if (app.Environment.IsDevelopment())
+{
+    app.UseSwagger();
+    app.UseSwaggerUI();
+}
+
+// Serve static files (wwwroot)
+app.UseDefaultFiles();
+app.UseStaticFiles();
+
+app.UseAuthentication();
+app.UseAuthorization();
+
+app.MapControllers();
+
+app.Run();
diff --git a/samples/SampleWebApp/SampleWebApp.csproj b/samples/SampleWebApp/SampleWebApp.csproj
new file mode 100644
index 0000000..f40a4d3
--- /dev/null
+++ b/samples/SampleWebApp/SampleWebApp.csproj
@@ -0,0 +1,17 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+  <PropertyGroup>
+    <TargetFramework>net8.0</TargetFramework>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Swashbuckle.AspNetCore" Version="6.5.0" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\..\MongoDB.AspNet.Identity.csproj" />
+  </ItemGroup>
+
+</Project>
diff --git a/samples/SampleWebApp/appsettings.Development.json b/samples/SampleWebApp/appsettings.Development.json
new file mode 100644
index 0000000..0c208ae
--- /dev/null
+++ b/samples/SampleWebApp/appsettings.Development.json
@@ -0,0 +1,8 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  }
+}
diff --git a/samples/SampleWebApp/appsettings.json b/samples/SampleWebApp/appsettings.json
new file mode 100644
index 0000000..cfb1fcd
--- /dev/null
+++ b/samples/SampleWebApp/appsettings.json
@@ -0,0 +1,12 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  },
+  "AllowedHosts": "*",
+  "ConnectionStrings": {
+    "MongoDB": "mongodb://localhost:27017/SampleIdentityDb"
+  }
+}
diff --git a/samples/SampleWebApp/wwwroot/index.html b/samples/SampleWebApp/wwwroot/index.html
new file mode 100644
index 0000000..c5d8597
--- /dev/null
+++ b/samples/SampleWebApp/wwwroot/index.html
@@ -0,0 +1,662 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>MongoDB Identity Demo</title>
+    <style>
+        :root {
+            --primary: #10b981;
+            --primary-dark: #059669;
+            --danger: #ef4444;
+            --warning: #f59e0b;
+            --gray-50: #f9fafb;
+            --gray-100: #f3f4f6;
+            --gray-200: #e5e7eb;
+            --gray-300: #d1d5db;
+            --gray-500: #6b7280;
+            --gray-700: #374151;
+            --gray-900: #111827;
+        }
+        * { box-sizing: border-box; margin: 0; padding: 0; }
+        body { font-family: system-ui, -apple-system, sans-serif; background: var(--gray-100); min-height: 100vh; }
+
+        /* Layout */
+        .app { display: flex; min-height: 100vh; }
+        .sidebar { width: 280px; background: var(--gray-900); color: white; padding: 20px; flex-shrink: 0; }
+        .main { flex: 1; padding: 30px; overflow-y: auto; }
+
+        /* Sidebar */
+        .logo { font-size: 20px; font-weight: 700; margin-bottom: 8px; color: var(--primary); }
+        .logo-sub { font-size: 12px; color: var(--gray-500); margin-bottom: 30px; }
+        .nav-section { margin-bottom: 25px; }
+        .nav-title { font-size: 11px; text-transform: uppercase; color: var(--gray-500); margin-bottom: 10px; letter-spacing: 0.5px; }
+        .nav-item { display: block; padding: 10px 12px; border-radius: 6px; color: var(--gray-300); text-decoration: none; cursor: pointer; margin-bottom: 4px; transition: all 0.15s; }
+        .nav-item:hover { background: rgba(255,255,255,0.1); color: white; }
+        .nav-item.active { background: var(--primary); color: white; }
+
+        /* Cards */
+        .card { background: white; border-radius: 12px; box-shadow: 0 1px 3px rgba(0,0,0,0.1); margin-bottom: 20px; }
+        .card-header { padding: 16px 20px; border-bottom: 1px solid var(--gray-200); }
+        .card-title { font-size: 16px; font-weight: 600; color: var(--gray-900); }
+        .card-body { padding: 20px; }
+
+        /* Forms */
+        .form-row { margin-bottom: 16px; }
+        .form-label { display: block; font-size: 13px; font-weight: 500; color: var(--gray-700); margin-bottom: 6px; }
+        .form-input { width: 100%; padding: 10px 12px; border: 1px solid var(--gray-300); border-radius: 6px; font-size: 14px; transition: border-color 0.15s, box-shadow 0.15s; }
+        .form-input:focus { outline: none; border-color: var(--primary); box-shadow: 0 0 0 3px rgba(16,185,129,0.1); }
+        .form-hint { font-size: 12px; color: var(--gray-500); margin-top: 4px; }
+
+        /* Buttons */
+        .btn { display: inline-flex; align-items: center; justify-content: center; padding: 10px 16px; border: none; border-radius: 6px; font-size: 14px; font-weight: 500; cursor: pointer; transition: all 0.15s; }
+        .btn-primary { background: var(--primary); color: white; }
+        .btn-primary:hover { background: var(--primary-dark); }
+        .btn-danger { background: var(--danger); color: white; }
+        .btn-danger:hover { background: #dc2626; }
+        .btn-ghost { background: transparent; color: var(--gray-700); }
+        .btn-ghost:hover { background: var(--gray-100); }
+        .btn-sm { padding: 6px 10px; font-size: 12px; }
+        .btn-block { width: 100%; }
+
+        /* Alerts */
+        .alert { padding: 12px 16px; border-radius: 6px; font-size: 13px; margin-bottom: 16px; display: none; }
+        .alert.show { display: block; }
+        .alert-success { background: #d1fae5; color: #065f46; }
+        .alert-error { background: #fee2e2; color: #991b1b; }
+        .alert-info { background: #fef3c7; color: #92400e; }
+
+        /* Tables */
+        .table { width: 100%; border-collapse: collapse; }
+        .table th { text-align: left; padding: 12px 16px; font-size: 12px; font-weight: 500; color: var(--gray-500); text-transform: uppercase; background: var(--gray-50); border-bottom: 1px solid var(--gray-200); }
+        .table td { padding: 12px 16px; border-bottom: 1px solid var(--gray-200); font-size: 14px; color: var(--gray-700); }
+        .table tr:hover td { background: var(--gray-50); }
+        .table tr:last-child td { border-bottom: none; }
+
+        /* Tags */
+        .tag { display: inline-block; padding: 2px 8px; background: var(--gray-100); color: var(--gray-700); border-radius: 4px; font-size: 12px; margin-right: 4px; }
+        .tag-primary { background: #d1fae5; color: #065f46; }
+
+        /* Empty state */
+        .empty { text-align: center; padding: 40px; color: var(--gray-500); }
+        .empty-icon { font-size: 48px; margin-bottom: 16px; opacity: 0.5; }
+
+        /* Views */
+        .view { display: none; }
+        .view.active { display: block; }
+
+        /* Two columns */
+        .cols { display: grid; grid-template-columns: 1fr 1fr; gap: 20px; }
+        @media (max-width: 900px) { .cols { grid-template-columns: 1fr; } }
+
+        /* User panel */
+        .user-panel { background: rgba(255,255,255,0.05); border-radius: 8px; padding: 12px; margin-top: auto; }
+        .user-panel-name { font-weight: 500; font-size: 14px; }
+        .user-panel-email { font-size: 12px; color: var(--gray-500); }
+
+        /* Inline form */
+        .inline-form { display: flex; gap: 10px; }
+        .inline-form .form-input { flex: 1; }
+
+        /* Selected row */
+        .table tr.selected td { background: #ecfdf5; }
+
+        /* Click hint */
+        .click-hint { font-size: 12px; color: var(--gray-500); margin-bottom: 12px; }
+    </style>
+</head>
+<body>
+    <div class="app">
+        <!-- Sidebar -->
+        <aside class="sidebar">
+            <div class="logo">MongoDB Identity</div>
+            <div class="logo-sub">ASP.NET Core Demo</div>
+
+            <nav class="nav-section">
+                <div class="nav-title">Authentication</div>
+                <a class="nav-item active" onclick="showView('auth')">Sign In / Register</a>
+                <a class="nav-item" onclick="showView('reset')">Reset Password</a>
+            </nav>
+
+            <nav class="nav-section">
+                <div class="nav-title">Management</div>
+                <a class="nav-item" onclick="showView('users')">Users</a>
+                <a class="nav-item" onclick="showView('roles')">Roles</a>
+            </nav>
+
+            <nav class="nav-section">
+                <div class="nav-title">User Details</div>
+                <a class="nav-item" onclick="showView('userRoles')" id="navUserRoles" style="display:none">Manage Roles</a>
+                <a class="nav-item" onclick="showView('userClaims')" id="navUserClaims" style="display:none">Manage Claims</a>
+            </nav>
+
+            <div style="flex:1"></div>
+
+            <div class="user-panel" id="loggedInUser" style="display:none">
+                <div class="user-panel-name" id="loggedInName"></div>
+                <div class="user-panel-email" id="loggedInEmail"></div>
+                <button class="btn btn-ghost btn-sm" style="margin-top:8px;width:100%" onclick="logout()">Sign Out</button>
+            </div>
+        </aside>
+
+        <!-- Main Content -->
+        <main class="main">
+            <!-- Auth View -->
+            <div id="view-auth" class="view active">
+                <div class="cols">
+                    <div class="card">
+                        <div class="card-header"><div class="card-title">Sign In</div></div>
+                        <div class="card-body">
+                            <div id="loginAlert" class="alert"></div>
+                            <form id="loginForm">
+                                <div class="form-row">
+                                    <label class="form-label">Username</label>
+                                    <input type="text" class="form-input" id="loginUsername" required>
+                                </div>
+                                <div class="form-row">
+                                    <label class="form-label">Password</label>
+                                    <input type="password" class="form-input" id="loginPassword" required>
+                                </div>
+                                <button type="submit" class="btn btn-primary btn-block">Sign In</button>
+                            </form>
+                        </div>
+                    </div>
+
+                    <div class="card">
+                        <div class="card-header"><div class="card-title">Create Account</div></div>
+                        <div class="card-body">
+                            <div id="registerAlert" class="alert"></div>
+                            <form id="registerForm">
+                                <div class="form-row">
+                                    <label class="form-label">Username</label>
+                                    <input type="text" class="form-input" id="regUsername" required>
+                                </div>
+                                <div class="form-row">
+                                    <label class="form-label">Email</label>
+                                    <input type="email" class="form-input" id="regEmail" required>
+                                </div>
+                                <div class="form-row">
+                                    <label class="form-label">Password</label>
+                                    <input type="password" class="form-input" id="regPassword" required minlength="6">
+                                    <div class="form-hint">Minimum 6 characters</div>
+                                </div>
+                                <button type="submit" class="btn btn-primary btn-block">Create Account</button>
+                            </form>
+                        </div>
+                    </div>
+                </div>
+            </div>
+
+            <!-- Reset Password View -->
+            <div id="view-reset" class="view">
+                <div class="cols">
+                    <div class="card">
+                        <div class="card-header"><div class="card-title">Step 1: Request Reset Token</div></div>
+                        <div class="card-body">
+                            <div id="forgotAlert" class="alert"></div>
+                            <form id="forgotForm">
+                                <div class="form-row">
+                                    <label class="form-label">Email Address</label>
+                                    <input type="email" class="form-input" id="forgotEmail" required placeholder="Enter your account email">
+                                </div>
+                                <button type="submit" class="btn btn-primary btn-block">Request Token</button>
+                            </form>
+                            <div id="tokenDisplay" class="alert alert-info" style="margin-top:16px">
+                                <strong>Demo Mode:</strong> Token will appear here instead of being emailed.
+                            </div>
+                        </div>
+                    </div>
+
+                    <div class="card">
+                        <div class="card-header"><div class="card-title">Step 2: Set New Password</div></div>
+                        <div class="card-body">
+                            <div id="resetAlert" class="alert"></div>
+                            <form id="resetForm">
+                                <div class="form-row">
+                                    <label class="form-label">User ID</label>
+                                    <input type="text" class="form-input" id="resetUserId" required>
+                                </div>
+                                <div class="form-row">
+                                    <label class="form-label">Reset Token</label>
+                                    <input type="text" class="form-input" id="resetToken" required>
+                                </div>
+                                <div class="form-row">
+                                    <label class="form-label">New Password</label>
+                                    <input type="password" class="form-input" id="resetPassword" required minlength="6">
+                                </div>
+                                <button type="submit" class="btn btn-primary btn-block">Reset Password</button>
+                            </form>
+                        </div>
+                    </div>
+                </div>
+            </div>
+
+            <!-- Users View -->
+            <div id="view-users" class="view">
+                <div class="card">
+                    <div class="card-header" style="display:flex;justify-content:space-between;align-items:center">
+                        <div class="card-title">All Users</div>
+                        <button class="btn btn-ghost btn-sm" onclick="loadUsers()">Refresh</button>
+                    </div>
+                    <div class="card-body" style="padding:0">
+                        <p class="click-hint" style="padding:16px 16px 0">Click a user row to manage their roles and claims</p>
+                        <table class="table">
+                            <thead>
+                                <tr>
+                                    <th>Username</th>
+                                    <th>Email</th>
+                                    <th>Roles</th>
+                                    <th style="width:100px">Actions</th>
+                                </tr>
+                            </thead>
+                            <tbody id="usersTable"></tbody>
+                        </table>
+                    </div>
+                </div>
+            </div>
+
+            <!-- Roles View -->
+            <div id="view-roles" class="view">
+                <div class="card">
+                    <div class="card-header"><div class="card-title">Manage Roles</div></div>
+                    <div class="card-body">
+                        <div id="roleAlert" class="alert"></div>
+                        <form id="roleForm" class="inline-form" style="margin-bottom:20px">
+                            <input type="text" class="form-input" id="newRoleName" required placeholder="Enter role name (e.g. Admin, Editor)">
+                            <button type="submit" class="btn btn-primary">Create Role</button>
+                        </form>
+                        <table class="table">
+                            <thead>
+                                <tr>
+                                    <th>Role Name</th>
+                                    <th style="width:100px">Actions</th>
+                                </tr>
+                            </thead>
+                            <tbody id="rolesTable"></tbody>
+                        </table>
+                    </div>
+                </div>
+            </div>
+
+            <!-- User Roles View -->
+            <div id="view-userRoles" class="view">
+                <div class="card">
+                    <div class="card-header">
+                        <div class="card-title">Manage Roles for <span id="userRolesName" style="color:var(--primary)"></span></div>
+                    </div>
+                    <div class="card-body">
+                        <div id="userRoleAlert" class="alert"></div>
+                        <form id="addRoleForm" class="inline-form" style="margin-bottom:20px">
+                            <select class="form-input" id="roleSelect" required></select>
+                            <button type="submit" class="btn btn-primary">Add Role</button>
+                        </form>
+                        <div class="form-label">Current Roles:</div>
+                        <div id="currentRoles" style="margin-top:8px"></div>
+                    </div>
+                </div>
+            </div>
+
+            <!-- User Claims View -->
+            <div id="view-userClaims" class="view">
+                <div class="card">
+                    <div class="card-header">
+                        <div class="card-title">Manage Claims for <span id="userClaimsName" style="color:var(--primary)"></span></div>
+                    </div>
+                    <div class="card-body">
+                        <div id="claimAlert" class="alert"></div>
+                        <form id="addClaimForm" style="margin-bottom:20px">
+                            <div style="display:grid;grid-template-columns:1fr 1fr auto;gap:10px">
+                                <input type="text" class="form-input" id="claimType" required placeholder="Claim type (e.g. department)">
+                                <input type="text" class="form-input" id="claimValue" required placeholder="Claim value (e.g. engineering)">
+                                <button type="submit" class="btn btn-primary">Add</button>
+                            </div>
+                        </form>
+                        <table class="table">
+                            <thead>
+                                <tr>
+                                    <th>Type</th>
+                                    <th>Value</th>
+                                    <th style="width:100px">Actions</th>
+                                </tr>
+                            </thead>
+                            <tbody id="claimsTable"></tbody>
+                        </table>
+                    </div>
+                </div>
+            </div>
+        </main>
+    </div>
+
+    <script>
+        let selectedUserId = null;
+        let selectedUserName = null;
+
+        // View Management
+        function showView(view) {
+            document.querySelectorAll('.view').forEach(v => v.classList.remove('active'));
+            document.querySelectorAll('.nav-item').forEach(n => n.classList.remove('active'));
+            document.getElementById('view-' + view).classList.add('active');
+            event.target.classList.add('active');
+
+            if (view === 'users') loadUsers();
+            if (view === 'roles') loadRoles();
+            if (view === 'userRoles') loadUserRoles();
+            if (view === 'userClaims') loadUserClaims();
+        }
+
+        // Alert helper
+        function showAlert(id, message, type) {
+            const el = document.getElementById(id);
+            el.textContent = message;
+            el.className = 'alert show alert-' + type;
+            if (type !== 'info') setTimeout(() => el.classList.remove('show'), 4000);
+        }
+
+        // Login
+        document.getElementById('loginForm').addEventListener('submit', async (e) => {
+            e.preventDefault();
+            try {
+                const res = await fetch('/api/auth/login', {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/json' },
+                    body: JSON.stringify({
+                        userName: document.getElementById('loginUsername').value,
+                        password: document.getElementById('loginPassword').value
+                    })
+                });
+                const data = await res.json();
+                if (res.ok) {
+                    showAlert('loginAlert', 'Welcome back, ' + data.userName + '!', 'success');
+                    document.getElementById('loggedInUser').style.display = 'block';
+                    document.getElementById('loggedInName').textContent = data.userName;
+                    e.target.reset();
+                } else {
+                    showAlert('loginAlert', data.message || 'Login failed', 'error');
+                }
+            } catch (err) {
+                showAlert('loginAlert', 'Network error', 'error');
+            }
+        });
+
+        // Register
+        document.getElementById('registerForm').addEventListener('submit', async (e) => {
+            e.preventDefault();
+            try {
+                const res = await fetch('/api/auth/register', {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/json' },
+                    body: JSON.stringify({
+                        userName: document.getElementById('regUsername').value,
+                        email: document.getElementById('regEmail').value,
+                        password: document.getElementById('regPassword').value
+                    })
+                });
+                const data = await res.json();
+                if (res.ok) {
+                    showAlert('registerAlert', 'Account created successfully!', 'success');
+                    e.target.reset();
+                } else {
+                    showAlert('registerAlert', data.errors?.join(', ') || data.message, 'error');
+                }
+            } catch (err) {
+                showAlert('registerAlert', 'Network error', 'error');
+            }
+        });
+
+        // Forgot Password
+        document.getElementById('forgotForm').addEventListener('submit', async (e) => {
+            e.preventDefault();
+            try {
+                const res = await fetch('/api/auth/forgot-password', {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/json' },
+                    body: JSON.stringify({ email: document.getElementById('forgotEmail').value })
+                });
+                const data = await res.json();
+                if (res.ok && data.token) {
+                    showAlert('forgotAlert', 'Token generated!', 'success');
+                    document.getElementById('tokenDisplay').innerHTML =
+                        '<strong>Token:</strong><br><code style="word-break:break-all;font-size:11px">' + data.token + '</code>';
+                    document.getElementById('tokenDisplay').classList.add('show');
+                    document.getElementById('resetUserId').value = data.userId;
+                    document.getElementById('resetToken').value = data.token;
+                } else {
+                    showAlert('forgotAlert', data.message, 'success');
+                }
+            } catch (err) {
+                showAlert('forgotAlert', 'Network error', 'error');
+            }
+        });
+
+        // Reset Password
+        document.getElementById('resetForm').addEventListener('submit', async (e) => {
+            e.preventDefault();
+            try {
+                const res = await fetch('/api/auth/reset-password', {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/json' },
+                    body: JSON.stringify({
+                        userId: document.getElementById('resetUserId').value,
+                        token: document.getElementById('resetToken').value,
+                        newPassword: document.getElementById('resetPassword').value
+                    })
+                });
+                const data = await res.json();
+                if (res.ok) {
+                    showAlert('resetAlert', 'Password reset! You can now sign in.', 'success');
+                    e.target.reset();
+                } else {
+                    showAlert('resetAlert', data.errors?.join(', ') || data.message, 'error');
+                }
+            } catch (err) {
+                showAlert('resetAlert', 'Network error', 'error');
+            }
+        });
+
+        // Load Users
+        async function loadUsers() {
+            try {
+                const res = await fetch('/api/auth/users');
+                const users = await res.json();
+                const tbody = document.getElementById('usersTable');
+
+                if (users.length === 0) {
+                    tbody.innerHTML = '<tr><td colspan="4" class="empty">No users yet. Create one!</td></tr>';
+                    return;
+                }
+
+                tbody.innerHTML = users.map(u => `
+                    <tr class="${u.id === selectedUserId ? 'selected' : ''}" onclick="selectUser('${u.id}', '${u.userName}')" style="cursor:pointer">
+                        <td><strong>${u.userName}</strong></td>
+                        <td>${u.email || '-'}</td>
+                        <td>${u.roles?.length ? u.roles.map(r => '<span class="tag tag-primary">' + r + '</span>').join('') : '<span class="tag">None</span>'}</td>
+                        <td><button class="btn btn-danger btn-sm" onclick="event.stopPropagation();deleteUser('${u.id}')">Delete</button></td>
+                    </tr>
+                `).join('');
+            } catch (err) {
+                document.getElementById('usersTable').innerHTML = '<tr><td colspan="4" class="empty">Failed to load</td></tr>';
+            }
+        }
+
+        // Select User
+        function selectUser(id, name) {
+            selectedUserId = id;
+            selectedUserName = name;
+            document.getElementById('navUserRoles').style.display = 'block';
+            document.getElementById('navUserClaims').style.display = 'block';
+            document.getElementById('userRolesName').textContent = name;
+            document.getElementById('userClaimsName').textContent = name;
+            loadUsers();
+            loadRoles();
+        }
+
+        // Delete User
+        async function deleteUser(id) {
+            if (!confirm('Delete this user?')) return;
+            await fetch('/api/auth/users/' + id, { method: 'DELETE' });
+            if (id === selectedUserId) {
+                selectedUserId = null;
+                document.getElementById('navUserRoles').style.display = 'none';
+                document.getElementById('navUserClaims').style.display = 'none';
+            }
+            loadUsers();
+        }
+
+        // Load Roles
+        async function loadRoles() {
+            try {
+                const res = await fetch('/api/roles');
+                const roles = await res.json();
+                const tbody = document.getElementById('rolesTable');
+                const select = document.getElementById('roleSelect');
+
+                if (roles.length === 0) {
+                    tbody.innerHTML = '<tr><td colspan="2" class="empty">No roles yet. Create one!</td></tr>';
+                    select.innerHTML = '<option value="">-- Create a role first --</option>';
+                    return;
+                }
+
+                tbody.innerHTML = roles.map(r => `
+                    <tr>
+                        <td><strong>${r.name}</strong></td>
+                        <td><button class="btn btn-danger btn-sm" onclick="deleteRole('${r.id}')">Delete</button></td>
+                    </tr>
+                `).join('');
+
+                select.innerHTML = roles.map(r => `<option value="${r.name}">${r.name}</option>`).join('');
+            } catch (err) {
+                document.getElementById('rolesTable').innerHTML = '<tr><td colspan="2" class="empty">Failed to load</td></tr>';
+            }
+        }
+
+        // Create Role
+        document.getElementById('roleForm').addEventListener('submit', async (e) => {
+            e.preventDefault();
+            try {
+                const res = await fetch('/api/roles', {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/json' },
+                    body: JSON.stringify({ name: document.getElementById('newRoleName').value })
+                });
+                const data = await res.json();
+                if (res.ok) {
+                    showAlert('roleAlert', 'Role created!', 'success');
+                    e.target.reset();
+                    loadRoles();
+                } else {
+                    showAlert('roleAlert', data.errors?.join(', ') || data.message, 'error');
+                }
+            } catch (err) {
+                showAlert('roleAlert', 'Network error', 'error');
+            }
+        });
+
+        // Delete Role
+        async function deleteRole(id) {
+            if (!confirm('Delete this role?')) return;
+            await fetch('/api/roles/' + id, { method: 'DELETE' });
+            loadRoles();
+        }
+
+        // Load User Roles
+        async function loadUserRoles() {
+            if (!selectedUserId) return;
+            try {
+                const res = await fetch('/api/auth/users');
+                const users = await res.json();
+                const user = users.find(u => u.id === selectedUserId);
+                if (user) {
+                    document.getElementById('currentRoles').innerHTML = user.roles?.length
+                        ? user.roles.map(r => '<span class="tag tag-primary">' + r + '</span>').join(' ')
+                        : '<span class="tag">No roles assigned</span>';
+                }
+            } catch (err) {}
+        }
+
+        // Add Role to User
+        document.getElementById('addRoleForm').addEventListener('submit', async (e) => {
+            e.preventDefault();
+            if (!selectedUserId) return;
+            try {
+                const res = await fetch('/api/auth/users/' + selectedUserId + '/roles', {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/json' },
+                    body: JSON.stringify({ roleName: document.getElementById('roleSelect').value })
+                });
+                const data = await res.json();
+                if (res.ok) {
+                    showAlert('userRoleAlert', 'Role added!', 'success');
+                    loadUserRoles();
+                } else {
+                    showAlert('userRoleAlert', data.message, 'error');
+                }
+            } catch (err) {
+                showAlert('userRoleAlert', 'Network error', 'error');
+            }
+        });
+
+        // Load User Claims
+        async function loadUserClaims() {
+            if (!selectedUserId) return;
+            try {
+                const res = await fetch('/api/users/' + selectedUserId + '/claims');
+                const claims = await res.json();
+                const tbody = document.getElementById('claimsTable');
+
+                if (claims.length === 0) {
+                    tbody.innerHTML = '<tr><td colspan="3" class="empty">No claims</td></tr>';
+                    return;
+                }
+
+                tbody.innerHTML = claims.map(c => `
+                    <tr>
+                        <td>${c.type}</td>
+                        <td>${c.value}</td>
+                        <td><button class="btn btn-danger btn-sm" onclick="removeClaim('${c.type}','${c.value}')">Remove</button></td>
+                    </tr>
+                `).join('');
+            } catch (err) {
+                document.getElementById('claimsTable').innerHTML = '<tr><td colspan="3" class="empty">Failed to load</td></tr>';
+            }
+        }
+
+        // Add Claim
+        document.getElementById('addClaimForm').addEventListener('submit', async (e) => {
+            e.preventDefault();
+            if (!selectedUserId) return;
+            try {
+                const res = await fetch('/api/users/' + selectedUserId + '/claims', {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/json' },
+                    body: JSON.stringify({
+                        type: document.getElementById('claimType').value,
+                        value: document.getElementById('claimValue').value
+                    })
+                });
+                const data = await res.json();
+                if (res.ok) {
+                    showAlert('claimAlert', 'Claim added!', 'success');
+                    e.target.reset();
+                    loadUserClaims();
+                } else {
+                    showAlert('claimAlert', data.message, 'error');
+                }
+            } catch (err) {
+                showAlert('claimAlert', 'Network error', 'error');
+            }
+        });
+
+        // Remove Claim
+        async function removeClaim(type, value) {
+            await fetch('/api/users/' + selectedUserId + '/claims?type=' + encodeURIComponent(type) + '&value=' + encodeURIComponent(value), { method: 'DELETE' });
+            loadUserClaims();
+        }
+
+        // Logout
+        function logout() {
+            document.getElementById('loggedInUser').style.display = 'none';
+            showView('auth');
+        }
+    </script>
+</body>
+</html>
diff --git a/tests/MongoDB.AspNet.Identity.Tests/MigrationTests.cs b/tests/MongoDB.AspNet.Identity.Tests/MigrationTests.cs
new file mode 100644
index 0000000..1c9c02a
--- /dev/null
+++ b/tests/MongoDB.AspNet.Identity.Tests/MigrationTests.cs
@@ -0,0 +1,215 @@
+using FluentAssertions;
+using MongoDB.Bson;
+using MongoDB.Driver;
+using Xunit;
+
+namespace MongoDB.AspNet.Identity.Tests;
+
+[Collection("MongoDB")]
+public class MigrationTests : IAsyncLifetime
+{
+    private readonly MongoDbFixture _fixture;
+    private readonly IMongoDatabase _database;
+
+    public MigrationTests(MongoDbFixture fixture)
+    {
+        _fixture = fixture;
+        _database = fixture.GetDatabase($"MigrationTestDb_{Guid.NewGuid():N}");
+    }
+
+    public Task InitializeAsync() => Task.CompletedTask;
+
+    public async Task DisposeAsync()
+    {
+        await _database.Client.DropDatabaseAsync(_database.DatabaseNamespace.DatabaseName);
+    }
+
+    [Fact]
+    public async Task Migration_ShouldAddNormalizedUserName_WhenMissing()
+    {
+        // Arrange - Insert a legacy user document without NormalizedUserName
+        var usersCollection = _database.GetCollection<BsonDocument>("AspNetUsers");
+        var legacyUser = new BsonDocument
+        {
+            { "_id", ObjectId.GenerateNewId() },
+            { "UserName", "TestUser" },
+            { "Email", "test@example.com" },
+            { "PasswordHash", "somehash" },
+            { "SecurityStamp", Guid.NewGuid().ToString() },
+            { "Roles", new BsonArray() },
+            { "Claims", new BsonArray() },
+            { "Logins", new BsonArray() }
+        };
+        await usersCollection.InsertOneAsync(legacyUser);
+
+        // Reset migration marker to force re-migration
+        await MigrationHelper.ResetMigrationAsync(_database);
+
+        // Act - Create UserStore which triggers migration
+        using var userStore = new UserStore<IdentityUser>(_database);
+        var foundUser = await userStore.FindByNameAsync("TESTUSER");
+
+        // Assert
+        foundUser.Should().NotBeNull();
+        foundUser!.UserName.Should().Be("TestUser");
+        foundUser.NormalizedUserName.Should().Be("TESTUSER");
+    }
+
+    [Fact]
+    public async Task Migration_ShouldAddNormalizedEmail_WhenMissing()
+    {
+        // Arrange - Insert a legacy user document without NormalizedEmail
+        var usersCollection = _database.GetCollection<BsonDocument>("AspNetUsers");
+        var legacyUser = new BsonDocument
+        {
+            { "_id", ObjectId.GenerateNewId() },
+            { "UserName", "TestUser2" },
+            { "Email", "Test2@Example.com" },
+            { "PasswordHash", "somehash" },
+            { "SecurityStamp", Guid.NewGuid().ToString() },
+            { "Roles", new BsonArray() },
+            { "Claims", new BsonArray() },
+            { "Logins", new BsonArray() }
+        };
+        await usersCollection.InsertOneAsync(legacyUser);
+
+        // Reset migration marker to force re-migration
+        await MigrationHelper.ResetMigrationAsync(_database);
+
+        // Act - Create UserStore which triggers migration
+        using var userStore = new UserStore<IdentityUser>(_database);
+        var foundUser = await userStore.FindByEmailAsync("TEST2@EXAMPLE.COM");
+
+        // Assert
+        foundUser.Should().NotBeNull();
+        foundUser!.Email.Should().Be("Test2@Example.com");
+        foundUser.NormalizedEmail.Should().Be("TEST2@EXAMPLE.COM");
+    }
+
+    [Fact]
+    public async Task Migration_ShouldConvertLockoutEndDateUtc_ToLockoutEnd()
+    {
+        // Arrange - Insert a legacy user document with LockoutEndDateUtc
+        var usersCollection = _database.GetCollection<BsonDocument>("AspNetUsers");
+        var lockoutDate = DateTime.UtcNow.AddHours(1);
+        var legacyUser = new BsonDocument
+        {
+            { "_id", ObjectId.GenerateNewId() },
+            { "UserName", "LockedUser" },
+            { "Email", "locked@example.com" },
+            { "LockoutEndDateUtc", lockoutDate },
+            { "LockoutEnabled", true },
+            { "Roles", new BsonArray() },
+            { "Claims", new BsonArray() },
+            { "Logins", new BsonArray() }
+        };
+        await usersCollection.InsertOneAsync(legacyUser);
+
+        // Reset migration marker to force re-migration
+        await MigrationHelper.ResetMigrationAsync(_database);
+
+        // Act - Create UserStore which triggers migration
+        using var userStore = new UserStore<IdentityUser>(_database);
+        var foundUser = await userStore.FindByNameAsync("LOCKEDUSER");
+
+        // Assert
+        foundUser.Should().NotBeNull();
+        foundUser!.LockoutEnd.Should().NotBeNull();
+        foundUser.LockoutEnd!.Value.UtcDateTime.Should().BeCloseTo(lockoutDate, TimeSpan.FromSeconds(1));
+    }
+
+    [Fact]
+    public async Task Migration_ShouldAddConcurrencyStamp_WhenMissing()
+    {
+        // Arrange - Insert a legacy user document without ConcurrencyStamp
+        var usersCollection = _database.GetCollection<BsonDocument>("AspNetUsers");
+        var legacyUser = new BsonDocument
+        {
+            { "_id", ObjectId.GenerateNewId() },
+            { "UserName", "NoConcurrencyUser" },
+            { "Email", "noconcurrency@example.com" },
+            { "Roles", new BsonArray() },
+            { "Claims", new BsonArray() },
+            { "Logins", new BsonArray() }
+        };
+        await usersCollection.InsertOneAsync(legacyUser);
+
+        // Reset migration marker to force re-migration
+        await MigrationHelper.ResetMigrationAsync(_database);
+
+        // Act - Create UserStore which triggers migration
+        using var userStore = new UserStore<IdentityUser>(_database);
+        var foundUser = await userStore.FindByNameAsync("NOCONCURRENCYUSER");
+
+        // Assert
+        foundUser.Should().NotBeNull();
+        foundUser!.ConcurrencyStamp.Should().NotBeNullOrEmpty();
+    }
+
+    [Fact]
+    public async Task Migration_ShouldCreateIndexes()
+    {
+        // Arrange
+        await MigrationHelper.ResetMigrationAsync(_database);
+
+        // Act - Create UserStore which triggers migration
+        using var userStore = new UserStore<IdentityUser>(_database);
+        // Trigger migration by performing a database operation
+        await userStore.CreateAsync(new IdentityUser("IndexTestUser") { Email = "indextest@example.com" });
+
+        // Assert - Check that indexes were created
+        var usersCollection = _database.GetCollection<BsonDocument>("AspNetUsers");
+        var indexes = await (await usersCollection.Indexes.ListAsync()).ToListAsync();
+
+        var indexNames = indexes.Select(i => i["name"].AsString).ToList();
+        indexNames.Should().Contain("IX_NormalizedUserName");
+        indexNames.Should().Contain("IX_NormalizedEmail");
+        indexNames.Should().Contain("IX_Logins");
+        indexNames.Should().Contain("IX_Roles");
+        indexNames.Should().Contain("IX_Claims");
+    }
+
+    [Fact]
+    public async Task Migration_ShouldOnlyRunOnce()
+    {
+        // Arrange
+        await MigrationHelper.ResetMigrationAsync(_database);
+
+        // Act - Create multiple UserStores
+        using var userStore1 = new UserStore<IdentityUser>(_database);
+        await userStore1.CreateAsync(new IdentityUser("User1") { Email = "user1@example.com" });
+
+        using var userStore2 = new UserStore<IdentityUser>(_database);
+        await userStore2.CreateAsync(new IdentityUser("User2") { Email = "user2@example.com" });
+
+        // Assert - Check migration collection only has one entry
+        var migrationCollection = _database.GetCollection<BsonDocument>("_IdentityMigrations");
+        var migrationCount = await migrationCollection.CountDocumentsAsync(Builders<BsonDocument>.Filter.Empty);
+        migrationCount.Should().Be(1);
+    }
+
+    [Fact]
+    public async Task Migration_ShouldMigrateRoles()
+    {
+        // Arrange - Insert a legacy role document without NormalizedName
+        var rolesCollection = _database.GetCollection<BsonDocument>("AspNetRoles");
+        var legacyRole = new BsonDocument
+        {
+            { "_id", "role1" },
+            { "Name", "Admin" }
+        };
+        await rolesCollection.InsertOneAsync(legacyRole);
+
+        // Reset migration marker to force re-migration
+        await MigrationHelper.ResetMigrationAsync(_database);
+
+        // Act - Create RoleStore which triggers migration
+        using var roleStore = new RoleStore(_database);
+        var foundRole = await roleStore.FindByNameAsync("ADMIN");
+
+        // Assert
+        foundRole.Should().NotBeNull();
+        foundRole!.Name.Should().Be("Admin");
+        foundRole.NormalizedName.Should().Be("ADMIN");
+    }
+}
diff --git a/tests/MongoDB.AspNet.Identity.Tests/MongoDB.AspNet.Identity.Tests.csproj b/tests/MongoDB.AspNet.Identity.Tests/MongoDB.AspNet.Identity.Tests.csproj
new file mode 100644
index 0000000..6146cac
--- /dev/null
+++ b/tests/MongoDB.AspNet.Identity.Tests/MongoDB.AspNet.Identity.Tests.csproj
@@ -0,0 +1,30 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>net8.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <IsPackable>false</IsPackable>
+    <IsTestProject>true</IsTestProject>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="FluentAssertions" Version="6.12.0" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.9.0" />
+    <PackageReference Include="Testcontainers.MongoDb" Version="3.7.0" />
+    <PackageReference Include="xunit" Version="2.7.0" />
+    <PackageReference Include="xunit.runner.visualstudio" Version="2.5.7">
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+      <PrivateAssets>all</PrivateAssets>
+    </PackageReference>
+    <PackageReference Include="coverlet.collector" Version="6.0.1">
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+      <PrivateAssets>all</PrivateAssets>
+    </PackageReference>
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\..\MongoDB.AspNet.Identity.csproj" />
+  </ItemGroup>
+
+</Project>
diff --git a/tests/MongoDB.AspNet.Identity.Tests/MongoDbFixture.cs b/tests/MongoDB.AspNet.Identity.Tests/MongoDbFixture.cs
new file mode 100644
index 0000000..50bad97
--- /dev/null
+++ b/tests/MongoDB.AspNet.Identity.Tests/MongoDbFixture.cs
@@ -0,0 +1,41 @@
+using MongoDB.Driver;
+using Testcontainers.MongoDb;
+using Xunit;
+
+namespace MongoDB.AspNet.Identity.Tests;
+
+/// <summary>
+/// Shared fixture that manages a MongoDB container for all tests.
+/// </summary>
+public class MongoDbFixture : IAsyncLifetime
+{
+    private readonly MongoDbContainer _container = new MongoDbBuilder()
+        .WithImage("mongo:7.0")
+        .Build();
+
+    public string ConnectionString => _container.GetConnectionString();
+
+    public IMongoDatabase GetDatabase(string name = "TestDb")
+    {
+        var client = new MongoClient(ConnectionString);
+        return client.GetDatabase(name);
+    }
+
+    public async Task InitializeAsync()
+    {
+        await _container.StartAsync();
+    }
+
+    public async Task DisposeAsync()
+    {
+        await _container.DisposeAsync();
+    }
+}
+
+/// <summary>
+/// Collection definition for sharing the MongoDB fixture across test classes.
+/// </summary>
+[CollectionDefinition("MongoDB")]
+public class MongoDbCollection : ICollectionFixture<MongoDbFixture>
+{
+}
diff --git a/tests/MongoDB.AspNet.Identity.Tests/UserStoreTests.cs b/tests/MongoDB.AspNet.Identity.Tests/UserStoreTests.cs
new file mode 100644
index 0000000..fe85359
--- /dev/null
+++ b/tests/MongoDB.AspNet.Identity.Tests/UserStoreTests.cs
@@ -0,0 +1,814 @@
+using System.Security.Claims;
+using FluentAssertions;
+using Microsoft.AspNetCore.Identity;
+using MongoDB.Driver;
+using Xunit;
+
+namespace MongoDB.AspNet.Identity.Tests;
+
+[Collection("MongoDB")]
+public class UserStoreTests : IAsyncLifetime
+{
+    private readonly MongoDbFixture _fixture;
+    private readonly IMongoDatabase _database;
+    private UserStore<IdentityUser> _userStore = null!;
+
+    public UserStoreTests(MongoDbFixture fixture)
+    {
+        _fixture = fixture;
+        _database = fixture.GetDatabase($"TestDb_{Guid.NewGuid():N}");
+    }
+
+    public Task InitializeAsync()
+    {
+        _userStore = new UserStore<IdentityUser>(_database);
+        return Task.CompletedTask;
+    }
+
+    public async Task DisposeAsync()
+    {
+        _userStore.Dispose();
+        await _database.Client.DropDatabaseAsync(_database.DatabaseNamespace.DatabaseName);
+    }
+
+    #region IUserStore Tests
+
+    [Fact]
+    public async Task CreateAsync_ShouldCreateUser()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser") { Email = "test@example.com" };
+
+        // Act
+        var result = await _userStore.CreateAsync(user);
+
+        // Assert
+        result.Should().Be(IdentityResult.Success);
+        user.Id.Should().NotBeNullOrEmpty();
+    }
+
+    [Fact]
+    public async Task FindByIdAsync_ShouldReturnUser_WhenUserExists()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser") { Email = "test@example.com" };
+        await _userStore.CreateAsync(user);
+
+        // Act
+        var foundUser = await _userStore.FindByIdAsync(user.Id);
+
+        // Assert
+        foundUser.Should().NotBeNull();
+        foundUser!.UserName.Should().Be("testuser");
+        foundUser.Email.Should().Be("test@example.com");
+    }
+
+    [Fact]
+    public async Task FindByIdAsync_ShouldReturnNull_WhenUserDoesNotExist()
+    {
+        // Act
+        var foundUser = await _userStore.FindByIdAsync("000000000000000000000000");
+
+        // Assert
+        foundUser.Should().BeNull();
+    }
+
+    [Fact]
+    public async Task FindByNameAsync_ShouldReturnUser_WhenNormalizedNameMatches()
+    {
+        // Arrange
+        var user = new IdentityUser("TestUser") { NormalizedUserName = "TESTUSER" };
+        await _userStore.CreateAsync(user);
+
+        // Act
+        var foundUser = await _userStore.FindByNameAsync("TESTUSER");
+
+        // Assert
+        foundUser.Should().NotBeNull();
+        foundUser!.UserName.Should().Be("TestUser");
+    }
+
+    [Fact]
+    public async Task UpdateAsync_ShouldUpdateUser()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser") { Email = "old@example.com" };
+        await _userStore.CreateAsync(user);
+
+        // Act
+        user.Email = "new@example.com";
+        var result = await _userStore.UpdateAsync(user);
+
+        // Assert
+        result.Should().Be(IdentityResult.Success);
+        var foundUser = await _userStore.FindByIdAsync(user.Id);
+        foundUser!.Email.Should().Be("new@example.com");
+    }
+
+    [Fact]
+    public async Task DeleteAsync_ShouldRemoveUser()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser");
+        await _userStore.CreateAsync(user);
+
+        // Act
+        var result = await _userStore.DeleteAsync(user);
+
+        // Assert
+        result.Should().Be(IdentityResult.Success);
+        var foundUser = await _userStore.FindByIdAsync(user.Id);
+        foundUser.Should().BeNull();
+    }
+
+    [Fact]
+    public async Task GetUserIdAsync_ShouldReturnUserId()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser");
+        await _userStore.CreateAsync(user);
+
+        // Act
+        var userId = await _userStore.GetUserIdAsync(user);
+
+        // Assert
+        userId.Should().Be(user.Id);
+    }
+
+    [Fact]
+    public async Task GetUserNameAsync_ShouldReturnUserName()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser");
+
+        // Act
+        var userName = await _userStore.GetUserNameAsync(user);
+
+        // Assert
+        userName.Should().Be("testuser");
+    }
+
+    [Fact]
+    public async Task SetUserNameAsync_ShouldUpdateUserName()
+    {
+        // Arrange
+        var user = new IdentityUser("oldname");
+
+        // Act
+        await _userStore.SetUserNameAsync(user, "newname");
+
+        // Assert
+        user.UserName.Should().Be("newname");
+    }
+
+    [Fact]
+    public async Task SetNormalizedUserNameAsync_ShouldUpdateNormalizedUserName()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser");
+
+        // Act
+        await _userStore.SetNormalizedUserNameAsync(user, "TESTUSER");
+
+        // Assert
+        user.NormalizedUserName.Should().Be("TESTUSER");
+    }
+
+    #endregion
+
+    #region IUserPasswordStore Tests
+
+    [Fact]
+    public async Task SetPasswordHashAsync_ShouldSetPasswordHash()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser");
+        var passwordHash = "hashedpassword123";
+
+        // Act
+        await _userStore.SetPasswordHashAsync(user, passwordHash);
+
+        // Assert
+        user.PasswordHash.Should().Be(passwordHash);
+    }
+
+    [Fact]
+    public async Task GetPasswordHashAsync_ShouldReturnPasswordHash()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser") { PasswordHash = "hashedpassword123" };
+
+        // Act
+        var hash = await _userStore.GetPasswordHashAsync(user);
+
+        // Assert
+        hash.Should().Be("hashedpassword123");
+    }
+
+    [Fact]
+    public async Task HasPasswordAsync_ShouldReturnTrue_WhenPasswordHashExists()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser") { PasswordHash = "hashedpassword123" };
+
+        // Act
+        var hasPassword = await _userStore.HasPasswordAsync(user);
+
+        // Assert
+        hasPassword.Should().BeTrue();
+    }
+
+    [Fact]
+    public async Task HasPasswordAsync_ShouldReturnFalse_WhenPasswordHashIsNull()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser") { PasswordHash = null };
+
+        // Act
+        var hasPassword = await _userStore.HasPasswordAsync(user);
+
+        // Assert
+        hasPassword.Should().BeFalse();
+    }
+
+    #endregion
+
+    #region IUserEmailStore Tests
+
+    [Fact]
+    public async Task SetEmailAsync_ShouldSetEmail()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser");
+
+        // Act
+        await _userStore.SetEmailAsync(user, "test@example.com");
+
+        // Assert
+        user.Email.Should().Be("test@example.com");
+    }
+
+    [Fact]
+    public async Task GetEmailAsync_ShouldReturnEmail()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser") { Email = "test@example.com" };
+
+        // Act
+        var email = await _userStore.GetEmailAsync(user);
+
+        // Assert
+        email.Should().Be("test@example.com");
+    }
+
+    [Fact]
+    public async Task FindByEmailAsync_ShouldReturnUser_WhenNormalizedEmailMatches()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser")
+        {
+            Email = "Test@Example.com",
+            NormalizedEmail = "TEST@EXAMPLE.COM"
+        };
+        await _userStore.CreateAsync(user);
+
+        // Act
+        var foundUser = await _userStore.FindByEmailAsync("TEST@EXAMPLE.COM");
+
+        // Assert
+        foundUser.Should().NotBeNull();
+        foundUser!.Email.Should().Be("Test@Example.com");
+    }
+
+    [Fact]
+    public async Task SetEmailConfirmedAsync_ShouldSetEmailConfirmed()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser");
+
+        // Act
+        await _userStore.SetEmailConfirmedAsync(user, true);
+
+        // Assert
+        user.EmailConfirmed.Should().BeTrue();
+    }
+
+    [Fact]
+    public async Task GetEmailConfirmedAsync_ShouldReturnEmailConfirmed()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser") { EmailConfirmed = true };
+
+        // Act
+        var confirmed = await _userStore.GetEmailConfirmedAsync(user);
+
+        // Assert
+        confirmed.Should().BeTrue();
+    }
+
+    #endregion
+
+    #region IUserRoleStore Tests
+
+    [Fact]
+    public async Task AddToRoleAsync_ShouldAddRole()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser");
+
+        // Act
+        await _userStore.AddToRoleAsync(user, "Admin");
+
+        // Assert
+        user.Roles.Should().Contain("Admin");
+    }
+
+    [Fact]
+    public async Task AddToRoleAsync_ShouldNotAddDuplicateRole()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser");
+        await _userStore.AddToRoleAsync(user, "Admin");
+
+        // Act
+        await _userStore.AddToRoleAsync(user, "admin"); // Case-insensitive
+
+        // Assert
+        user.Roles.Should().HaveCount(1);
+    }
+
+    [Fact]
+    public async Task RemoveFromRoleAsync_ShouldRemoveRole()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser");
+        await _userStore.AddToRoleAsync(user, "Admin");
+
+        // Act
+        await _userStore.RemoveFromRoleAsync(user, "admin"); // Case-insensitive
+
+        // Assert
+        user.Roles.Should().BeEmpty();
+    }
+
+    [Fact]
+    public async Task GetRolesAsync_ShouldReturnUserRoles()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser");
+        await _userStore.AddToRoleAsync(user, "Admin");
+        await _userStore.AddToRoleAsync(user, "User");
+
+        // Act
+        var roles = await _userStore.GetRolesAsync(user);
+
+        // Assert
+        roles.Should().HaveCount(2);
+        roles.Should().Contain("Admin");
+        roles.Should().Contain("User");
+    }
+
+    [Fact]
+    public async Task IsInRoleAsync_ShouldReturnTrue_WhenUserHasRole()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser");
+        await _userStore.AddToRoleAsync(user, "Admin");
+
+        // Act
+        var isInRole = await _userStore.IsInRoleAsync(user, "admin"); // Case-insensitive
+
+        // Assert
+        isInRole.Should().BeTrue();
+    }
+
+    [Fact]
+    public async Task GetUsersInRoleAsync_ShouldReturnUsersWithRole()
+    {
+        // Arrange
+        var user1 = new IdentityUser("user1");
+        var user2 = new IdentityUser("user2");
+        var user3 = new IdentityUser("user3");
+
+        await _userStore.AddToRoleAsync(user1, "Admin");
+        await _userStore.AddToRoleAsync(user2, "Admin");
+        await _userStore.AddToRoleAsync(user3, "User");
+
+        await _userStore.CreateAsync(user1);
+        await _userStore.CreateAsync(user2);
+        await _userStore.CreateAsync(user3);
+
+        // Act
+        var admins = await _userStore.GetUsersInRoleAsync("Admin");
+
+        // Assert
+        admins.Should().HaveCount(2);
+        admins.Select(u => u.UserName).Should().Contain(new[] { "user1", "user2" });
+    }
+
+    #endregion
+
+    #region IUserClaimStore Tests
+
+    [Fact]
+    public async Task AddClaimsAsync_ShouldAddClaims()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser");
+        var claims = new[]
+        {
+            new Claim("department", "IT"),
+            new Claim("level", "senior")
+        };
+
+        // Act
+        await _userStore.AddClaimsAsync(user, claims);
+
+        // Assert
+        user.Claims.Should().HaveCount(2);
+        user.Claims.Should().Contain(c => c.ClaimType == "department" && c.ClaimValue == "IT");
+        user.Claims.Should().Contain(c => c.ClaimType == "level" && c.ClaimValue == "senior");
+    }
+
+    [Fact]
+    public async Task GetClaimsAsync_ShouldReturnUserClaims()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser");
+        await _userStore.AddClaimsAsync(user, new[] { new Claim("department", "IT") });
+
+        // Act
+        var claims = await _userStore.GetClaimsAsync(user);
+
+        // Assert
+        claims.Should().HaveCount(1);
+        claims.First().Type.Should().Be("department");
+        claims.First().Value.Should().Be("IT");
+    }
+
+    [Fact]
+    public async Task RemoveClaimsAsync_ShouldRemoveClaims()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser");
+        var claims = new[] { new Claim("department", "IT"), new Claim("level", "senior") };
+        await _userStore.AddClaimsAsync(user, claims);
+
+        // Act
+        await _userStore.RemoveClaimsAsync(user, new[] { new Claim("department", "IT") });
+
+        // Assert
+        user.Claims.Should().HaveCount(1);
+        user.Claims.First().ClaimType.Should().Be("level");
+    }
+
+    [Fact]
+    public async Task ReplaceClaimAsync_ShouldReplaceClaim()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser");
+        await _userStore.AddClaimsAsync(user, new[] { new Claim("department", "IT") });
+
+        // Act
+        await _userStore.ReplaceClaimAsync(user, new Claim("department", "IT"), new Claim("department", "HR"));
+
+        // Assert
+        user.Claims.Should().HaveCount(1);
+        user.Claims.First().ClaimValue.Should().Be("HR");
+    }
+
+    [Fact]
+    public async Task GetUsersForClaimAsync_ShouldReturnUsersWithClaim()
+    {
+        // Arrange
+        var user1 = new IdentityUser("user1");
+        var user2 = new IdentityUser("user2");
+        var user3 = new IdentityUser("user3");
+
+        await _userStore.AddClaimsAsync(user1, new[] { new Claim("department", "IT") });
+        await _userStore.AddClaimsAsync(user2, new[] { new Claim("department", "IT") });
+        await _userStore.AddClaimsAsync(user3, new[] { new Claim("department", "HR") });
+
+        await _userStore.CreateAsync(user1);
+        await _userStore.CreateAsync(user2);
+        await _userStore.CreateAsync(user3);
+
+        // Act
+        var users = await _userStore.GetUsersForClaimAsync(new Claim("department", "IT"));
+
+        // Assert
+        users.Should().HaveCount(2);
+        users.Select(u => u.UserName).Should().Contain(new[] { "user1", "user2" });
+    }
+
+    #endregion
+
+    #region IUserLoginStore Tests
+
+    [Fact]
+    public async Task AddLoginAsync_ShouldAddLogin()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser");
+        var login = new UserLoginInfo("Google", "google-id-123", "Google");
+
+        // Act
+        await _userStore.AddLoginAsync(user, login);
+
+        // Assert
+        user.Logins.Should().HaveCount(1);
+        user.Logins.First().LoginProvider.Should().Be("Google");
+        user.Logins.First().ProviderKey.Should().Be("google-id-123");
+    }
+
+    [Fact]
+    public async Task RemoveLoginAsync_ShouldRemoveLogin()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser");
+        await _userStore.AddLoginAsync(user, new UserLoginInfo("Google", "google-id-123", "Google"));
+
+        // Act
+        await _userStore.RemoveLoginAsync(user, "Google", "google-id-123");
+
+        // Assert
+        user.Logins.Should().BeEmpty();
+    }
+
+    [Fact]
+    public async Task GetLoginsAsync_ShouldReturnUserLogins()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser");
+        await _userStore.AddLoginAsync(user, new UserLoginInfo("Google", "google-id-123", "Google"));
+        await _userStore.AddLoginAsync(user, new UserLoginInfo("Facebook", "fb-id-456", "Facebook"));
+
+        // Act
+        var logins = await _userStore.GetLoginsAsync(user);
+
+        // Assert
+        logins.Should().HaveCount(2);
+    }
+
+    [Fact]
+    public async Task FindByLoginAsync_ShouldReturnUser_WhenLoginExists()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser");
+        await _userStore.AddLoginAsync(user, new UserLoginInfo("Google", "google-id-123", "Google"));
+        await _userStore.CreateAsync(user);
+
+        // Act
+        var foundUser = await _userStore.FindByLoginAsync("Google", "google-id-123");
+
+        // Assert
+        foundUser.Should().NotBeNull();
+        foundUser!.UserName.Should().Be("testuser");
+    }
+
+    #endregion
+
+    #region IUserLockoutStore Tests
+
+    [Fact]
+    public async Task SetLockoutEndDateAsync_ShouldSetLockoutEnd()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser");
+        var lockoutEnd = DateTimeOffset.UtcNow.AddHours(1);
+
+        // Act
+        await _userStore.SetLockoutEndDateAsync(user, lockoutEnd);
+
+        // Assert
+        user.LockoutEnd.Should().BeCloseTo(lockoutEnd, TimeSpan.FromSeconds(1));
+    }
+
+    [Fact]
+    public async Task GetLockoutEndDateAsync_ShouldReturnLockoutEnd()
+    {
+        // Arrange
+        var lockoutEnd = DateTimeOffset.UtcNow.AddHours(1);
+        var user = new IdentityUser("testuser") { LockoutEnd = lockoutEnd };
+
+        // Act
+        var result = await _userStore.GetLockoutEndDateAsync(user);
+
+        // Assert
+        result.Should().BeCloseTo(lockoutEnd, TimeSpan.FromSeconds(1));
+    }
+
+    [Fact]
+    public async Task IncrementAccessFailedCountAsync_ShouldIncrementCount()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser") { AccessFailedCount = 2 };
+
+        // Act
+        var count = await _userStore.IncrementAccessFailedCountAsync(user);
+
+        // Assert
+        count.Should().Be(3);
+        user.AccessFailedCount.Should().Be(3);
+    }
+
+    [Fact]
+    public async Task ResetAccessFailedCountAsync_ShouldResetCount()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser") { AccessFailedCount = 5 };
+
+        // Act
+        await _userStore.ResetAccessFailedCountAsync(user);
+
+        // Assert
+        user.AccessFailedCount.Should().Be(0);
+    }
+
+    [Fact]
+    public async Task SetLockoutEnabledAsync_ShouldSetLockoutEnabled()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser");
+
+        // Act
+        await _userStore.SetLockoutEnabledAsync(user, true);
+
+        // Assert
+        user.LockoutEnabled.Should().BeTrue();
+    }
+
+    #endregion
+
+    #region IUserTwoFactorStore Tests
+
+    [Fact]
+    public async Task SetTwoFactorEnabledAsync_ShouldSetTwoFactorEnabled()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser");
+
+        // Act
+        await _userStore.SetTwoFactorEnabledAsync(user, true);
+
+        // Assert
+        user.TwoFactorEnabled.Should().BeTrue();
+    }
+
+    [Fact]
+    public async Task GetTwoFactorEnabledAsync_ShouldReturnTwoFactorEnabled()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser") { TwoFactorEnabled = true };
+
+        // Act
+        var enabled = await _userStore.GetTwoFactorEnabledAsync(user);
+
+        // Assert
+        enabled.Should().BeTrue();
+    }
+
+    #endregion
+
+    #region IUserSecurityStampStore Tests
+
+    [Fact]
+    public async Task SetSecurityStampAsync_ShouldSetSecurityStamp()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser");
+        var stamp = Guid.NewGuid().ToString();
+
+        // Act
+        await _userStore.SetSecurityStampAsync(user, stamp);
+
+        // Assert
+        user.SecurityStamp.Should().Be(stamp);
+    }
+
+    [Fact]
+    public async Task GetSecurityStampAsync_ShouldReturnSecurityStamp()
+    {
+        // Arrange
+        var stamp = Guid.NewGuid().ToString();
+        var user = new IdentityUser("testuser") { SecurityStamp = stamp };
+
+        // Act
+        var result = await _userStore.GetSecurityStampAsync(user);
+
+        // Assert
+        result.Should().Be(stamp);
+    }
+
+    #endregion
+
+    #region IUserPhoneNumberStore Tests
+
+    [Fact]
+    public async Task SetPhoneNumberAsync_ShouldSetPhoneNumber()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser");
+
+        // Act
+        await _userStore.SetPhoneNumberAsync(user, "+1234567890");
+
+        // Assert
+        user.PhoneNumber.Should().Be("+1234567890");
+    }
+
+    [Fact]
+    public async Task GetPhoneNumberAsync_ShouldReturnPhoneNumber()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser") { PhoneNumber = "+1234567890" };
+
+        // Act
+        var phone = await _userStore.GetPhoneNumberAsync(user);
+
+        // Assert
+        phone.Should().Be("+1234567890");
+    }
+
+    [Fact]
+    public async Task SetPhoneNumberConfirmedAsync_ShouldSetPhoneNumberConfirmed()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser");
+
+        // Act
+        await _userStore.SetPhoneNumberConfirmedAsync(user, true);
+
+        // Assert
+        user.PhoneNumberConfirmed.Should().BeTrue();
+    }
+
+    #endregion
+
+    #region IUserAuthenticationTokenStore Tests
+
+    [Fact]
+    public async Task SetTokenAsync_ShouldSetToken()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser");
+
+        // Act
+        await _userStore.SetTokenAsync(user, "Google", "access_token", "token-value-123");
+
+        // Assert
+        user.Tokens.Should().HaveCount(1);
+        user.Tokens.First().LoginProvider.Should().Be("Google");
+        user.Tokens.First().Name.Should().Be("access_token");
+        user.Tokens.First().Value.Should().Be("token-value-123");
+    }
+
+    [Fact]
+    public async Task GetTokenAsync_ShouldReturnToken()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser");
+        await _userStore.SetTokenAsync(user, "Google", "access_token", "token-value-123");
+
+        // Act
+        var token = await _userStore.GetTokenAsync(user, "Google", "access_token");
+
+        // Assert
+        token.Should().Be("token-value-123");
+    }
+
+    [Fact]
+    public async Task RemoveTokenAsync_ShouldRemoveToken()
+    {
+        // Arrange
+        var user = new IdentityUser("testuser");
+        await _userStore.SetTokenAsync(user, "Google", "access_token", "token-value-123");
+
+        // Act
+        await _userStore.RemoveTokenAsync(user, "Google", "access_token");
+
+        // Assert
+        user.Tokens.Should().BeEmpty();
+    }
+
+    #endregion
+
+    #region IQueryableUserStore Tests
+
+    [Fact]
+    public async Task Users_ShouldReturnQueryableUsers()
+    {
+        // Arrange
+        await _userStore.CreateAsync(new IdentityUser("user1"));
+        await _userStore.CreateAsync(new IdentityUser("user2"));
+        await _userStore.CreateAsync(new IdentityUser("user3"));
+
+        // Act
+        var users = _userStore.Users.ToList();
+
+        // Assert
+        users.Should().HaveCount(3);
+    }
+
+    #endregion
+}