 

Asp.net Core Email confirmation sometimes says InvalidToken

I am using ASP.NET Core Identity 2.1 and I am having a random issue with email confirmation: email confirmation sometimes says result.Error = InvalidToken. The token is also not expired.

Note: We are using multiple servers, and we have also stored our keys in one place so that all the servers use the same keys.

Code snippet for email confirmation.

Email Confirmation

    var confCode = await _userManager.GenerateEmailConfirmationTokenAsync(user);
    var callbackUrl = Url.Action("ConfirmEmail", "Account", new
    {
        userId = user.Id,
        code = WebUtility.UrlEncode(confCode)
    }, protocol: HttpContext.Request.Scheme);

    string confirmationEmailBody = string.Format(GetTranslatedResourceString("ConfirmationEmailBody"), "<a href='" + callbackUrl + "'>") + "</a>";

Verification of token

    public async Task<bool> ConfirmEmailAsync(string userId, string code)
    {
        if (string.IsNullOrEmpty(userId) || string.IsNullOrEmpty(code))
            return false;

        var user = await _userManager.FindByIdAsync(userId);

        if (user == null)
            return false;

        var result = await _userManager.ConfirmEmailAsync(user, code).ConfigureAwait(false);

        if (!result.Succeeded)
            result = await _userManager.ConfirmEmailAsync(user, WebUtility.UrlDecode(code)).ConfigureAwait(false);

        return result.Succeeded;
    }

Invalid Token

The below token is encoded twice, but we handle that situation.

CfDJ8HYrrpCgcr5GvrItPOWapXRy8WF8odd%252BVKuDup7buRsl1x4agRpfgQlEIPWiBqM0Wuilu9tCv5l%252B3lNaAb89%252Fi%252B4k0y%252FH0jdXAbabz0%252FXDGA0eUrmcKdIsDFNuXeyP5ezTVmTx8t0ky9xCTXaKLAfvTsCJviETk5Ag9JbUs3l3%252BnUon6fyYOHsslJI5VKLqhMM0Sm%252BW1EE%252B%252FPEJ%252BXcn%252FPS1My%252BI1lExuF1R1hFEZScEsUCG%252Bx%252BVIFB9bzs1IoLC%252Baw%253D%253D

Any help will be appreciated. Thank you!

M.Tanzil asked Feb 03 '19 08:02


1 Answer

This problem seems to be a basic query-string-related issue. There are no pointers in your question about a sample expected value and a sample actual value, hence I will not be able to provide you an exact answer here. But the two pointers below will certainly resolve this issue.

There can be two issues:

Issue 1: Original Base-64 is not restored after HtmlDecode/UrlDecode

These tokens are encoded as base 64 strings, which may contain characters like '+'.

They are sent to the server.

Then the server tries to perform the HtmlDecode operation on this string, to remove the characters which were actually present in the original base 64 token.

E.g. '+' is replaced by an empty string.

So, the token generated after WebUtility.HtmlDecode is invalid. That's why you get the invalid token error.

How to check this? You can debug and see what the value is after HtmlDecode and what the expected value is. If they differ, then this is the root cause.

Issue 2: Query string not correctly formed

Multiple key-value pairs in query strings are joined using the '&' character, e.g. key1=value1&key2=value2

But sometimes, instead of &, its encoded version &amp; comes in the query string,
e.g. key1=value1&amp;key2=value2

The .NET server would not be able to parse the query string correctly if this is the case.

How to check this? You can directly read the raw query string from HttpContext or HttpRequest using the QueryString property and check if this is the case. If it is, then you can either change your client to send an appropriate query string (more logical and maintainable) or write some code to correct it on the server side.

These pointers should help you to resolve the issue.

Manoj Choudhari answered Nov 15 '22 13:11
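
The check suggested under Issue 1, as an added example that is not code from the question or the answer: it counts how many WebUtility.UrlDecode passes restore a token and shows a case that no number of passes can restore. The token is a constructed sample, the helper names are hypothetical, and the single decode applied by the framework before the action runs is an assumption.

```csharp
using System;
using System.Net;

public static class TokenTransportCheck
{
    // Number of WebUtility.UrlDecode passes needed to get back `original`,
    // or -1 when no number of passes (up to maxPasses) restores it.
    public static int PassesToRestore(string received, string original, int maxPasses = 3)
    {
        var current = received;
        for (var pass = 0; pass <= maxPasses; pass++)
        {
            if (string.Equals(current, original, StringComparison.Ordinal)) return pass;
            current = WebUtility.UrlDecode(current);
        }
        return -1;
    }

    // Index of the first character that differs, or -1 when the strings are equal.
    public static int FirstDifference(string a, string b)
    {
        var n = Math.Min(a.Length, b.Length);
        for (var i = 0; i < n; i++)
            if (a[i] != b[i]) return i;
        return a.Length == b.Length ? -1 : n;
    }

    public static void Main()
    {
        // Constructed sample, not a real Identity token: base64 text with '+', '/' and '='.
        const string token = "CfDJ8HYr+pCg/r5G+rItPOWapQ==";

        var encodedOnce = WebUtility.UrlEncode(token);        // explicit call, as in the question
        var encodedTwice = WebUtility.UrlEncode(encodedOnce); // second pass; the page says the token is encoded twice

        // Assumption: the framework decodes the query value once before the action sees it.
        var seenByAction = WebUtility.UrlDecode(encodedTwice);
        Console.WriteLine($"double-encoded link: {PassesToRestore(seenByAction, token)} extra decode pass(es) needed");

        // A link that carries the raw token: a single decode already damages it.
        var damaged = WebUtility.UrlDecode(token); // '+' becomes ' '
        var at = FirstDifference(damaged, token);
        Console.WriteLine($"raw token in link:   {PassesToRestore(damaged, token)} (no pass restores it)");
        Console.WriteLine($"first difference at index {at}: '{damaged[at]}' instead of '{token[at]}'");
    }
}
```

Logging the pass count and first differing index for a failing confirmation, rather than the token itself, is enough to tell a transport problem from a token that was rejected for another reason.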