I have an ASP.NET Core 2.1 application that uses ASP.NET Core Identity for user management. If someone forgets their password, I use the Identity SDK to generate a password reset token. Then I mail a link to the user to reset their password. The link looks like this:
https://mywebsite.com/account/resetpassword/{resetToken}
At the position of "{resetToken}" I place the URL encoded version of the reset token that the Identity SDK generated for me. The URL encoding is necessary because the token may contain special characters.
While testing the forgot password flow on my local machine everything worked, so after code review I published it to our testing environment in Azure. But while testing on Azure I get a 404 when I try to visit the password reset link. The generated link looks like this:
https://mywebsite.com/account/resetpassword/CfDJ8OdSMUPTC9lCpLB%2fYMsf17DY75oSHdCdv4KL9RTOxbAP2ukPYdX1oY8rh5A%2bRO4p3j8uBVhtSRedi1AoPxVCvNigrcSltViBkCrU9dKRM3YKrE%2fCqPRvZcP%2b9aGdadnnQlFM%2b%2bhcJ8LJHtkmEcEoTkCC0MMfNR3ttDM7L2%2boK1MhKuaqxKKeYH6iyAeK6sJe5g%3d%3d
After some fiddling with the URL I came to the conclusion that something goes wrong with the encoded + sign (%2b), because if I remove it from the URL it successfully brings me to the reset password page, though it obviously throws an error because the token is invalid.
Part of the receiving action method looks like this:
[HttpGet]
[Route("[controller]/[action]/{*resetToken}")]
public IActionResult ResetPassword(string resetToken)
Am I doing something wrong, or is Azure processing URLs differently than my local machine?
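
An added example, not part of the original question or application: one way to keep the reset token free of `+`, `/` and `=`, so the path segment needs no percent-encoding at all, is to re-encode it as base64url before building the link and decode it again in the action. The names `ResetTokenUrl`, `Encode`, `TryDecode` and `Demo` are hypothetical, and the sample token is constructed.

```csharp
using System;
using System.Linq;
using System.Text;

// Hypothetical helper (added example, not from the original application).
public static class ResetTokenUrl
{
    // Token string -> base64url (RFC 4648 section 5): only A-Z a-z 0-9 - _
    public static string Encode(string token)
    {
        if (token == null) throw new ArgumentNullException(nameof(token));
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(token))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Returns false for anything outside the base64url alphabet or with an
    // impossible length, so the action can reject it before calling Identity.
    public static bool TryDecode(string segment, out string token)
    {
        token = null;
        if (string.IsNullOrEmpty(segment) || segment.Length % 4 == 1) return false;
        if (!segment.All(c => (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                              (c >= '0' && c <= '9') || c == '-' || c == '_'))
            return false;
        string b64 = segment.Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        try
        {
            token = Encoding.UTF8.GetString(Convert.FromBase64String(b64));
            return true;
        }
        catch (FormatException) { return false; }
    }
}

public static class Demo
{
    public static void Main()
    {
        string token = "CfDJ8Od+RO4p/3j8uBVh+9aG=="; // constructed sample, not a real token
        string segment = ResetTokenUrl.Encode(token);
        Console.WriteLine("https://mywebsite.com/account/resetpassword/" + segment);

        bool ok = ResetTokenUrl.TryDecode(segment, out string roundTrip);
        Console.WriteLine(ok && roundTrip == token);                // round-trip check
        Console.WriteLine(ResetTokenUrl.TryDecode("a%2bb", out _)); // malformed segment
    }
}
```

In the receiving action, the string returned by `TryDecode` is what would be handed to Identity for validation, and a `false` result can be answered as a bad request without touching the user store.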