validate antiforgery token generated by asp.net mvc framework and used in back for front (BFF) api .net core when ajax called

Pierre Guillaume 0 Reputation points
2024-06-21T11:44:44.45+00:00

Hi, there,

I would like to validate an "antiforgery token" generated on an asp.net mvc framework application hosted on IIS in a BFF .net core API (back for front) hosted on Kestrel Linux with the ValidateAntiForgeryToken attribute.

When I validate this token in the initial ASP.net mvc framework application, everything works fine.

The problem occurs when I use a token generated in ASP.net mvc framework during validation in the .net core API.

Knowing that the .net mvc framework application runs on several different servers, I have configured a machinekey with manually defined values so that all the servers hosting the .net mvc framework application can decode any antiforgery token in the server farm and this works well.

I naively thought that if I took the machineKey configuration of the .net mvc framework application's machine.config into the .net core API's web.config that it would work to decrypt and validate the token, but unfortunately not.

While looking for solutions, I saw some documentation on migrating the machinekey with AddDataProtection but I never got anywhere.

I thought of a roundabout way of exposing a route on my .net mvc framework application which would be called using a filter attribute on each route of my .net Core API by transferring the headers, but I would have liked to find a solution where a token could be shared between 2 applications which share the same validation and decryption keys.

Currently my machineKey in the machine.config of the .net framework application:

<machineKey decryptionKey="xxxxxxxxxxxxxxxxxxxx" validationKey="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" validation="SHA1" decryption="AES"/>

Do you have any idea how to do this (knowing that calls to the .net core BFF are only used for AJAX requests and that I manage to send the correct token information in the headers/cookies to the .net core BFF)?


3 answers

  1. Bruce (SqlWork.com) 60,206 Reputation points
    2024-06-21T17:09:12.42+00:00

    asp.net core does not use the machine key to create validation tokens (or other encryption). asp.net core uses Data Protections services to store the encryption key it generates (it is not settable). Two asp.net core sites share the key by using a common data protection store.

    to use the machine key of an asp.net site, you will need to write a custom key storage provider. you can also configure a classic asp.net site to use own and data protection services (this handles shared cookies, but I don't know about validation tokens)

    https://learn.microsoft.com/en-us/aspnet/core/security/cookie-sharing?view=aspnetcore-8.0
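    The answer above says two ASP.NET Core sites share an encryption key by pointing at a common Data Protection store rather than by copying a machineKey. The following console program is an added example (not code from the question, the answers or the linked article) that builds two providers over the same key-ring directory and application name and a third with a different application name; the directory path, the application names and the payload are assumptions, and it needs the Microsoft.AspNetCore.DataProtection.Extensions package.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

// Added example: a shared key ring on disk. In a real deployment this is a UNC share,
// Azure Blob, Redis, etc. that every instance of both applications can reach.
// The path below is a placeholder chosen for this example.
var keyRing = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "shared-keyring-example"));

// Each call stands in for one application's Data Protection configuration.
// SetApplicationName is what isolates (or deliberately joins) applications that share a key ring.
IDataProtectionProvider Build(string appName) =>
    DataProtectionProvider.Create(keyRing, builder => builder.SetApplicationName(appName));

var siteA = Build("SharedTokenApp");   // e.g. the first ASP.NET Core site
var siteB = Build("SharedTokenApp");   // e.g. the BFF, same key ring and same app name
var other = Build("UnrelatedApp");     // same key ring, different app name

// Purpose strings form part of the derived key; both sides must use the same one.
const string purpose = "example.shared-token";
string protectedValue = siteA.CreateProtector(purpose).Protect("user=42;nonce=constructed");

// Same keys + same application name + same purpose: siteB can read what siteA wrote.
Console.WriteLine(siteB.CreateProtector(purpose).Unprotect(protectedValue));

// Different application name: the payload is rejected even though the key files are identical.
try
{
    other.CreateProtector(purpose).Unprotect(protectedValue);
}
catch (CryptographicException ex)
{
    Console.WriteLine("UnrelatedApp cannot read it: " + ex.Message);
}
```

    Inside a web application the same configuration is done through dependency injection, `builder.Services.AddDataProtection().PersistKeysToFileSystem(keyRing).SetApplicationName("SharedTokenApp")`, and the key ring directory must be protected with file-system permissions because anyone who can read it can forge anything the applications protect. The example only shows two ASP.NET Core providers; whether a .NET Framework site can be made to read the same keys for antiforgery tokens is exactly what the answer says it does not know.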


  2. SurferOnWww 2,406 Reputation points
    2024-06-22T02:14:43.85+00:00

    The question is whether we can validate a __RequestVerificationToken generated on the asp.net framework mvc from the .net core api by configuring the 2 applications with the correct configuration?

    Is the target framework of your "mvc framework application" .NET Framework? If so the answer to the above question is "No, we cannot".


  3. Bruce (SqlWork.com) 60,206 Reputation points
    2024-06-24T16:09:32.5+00:00

    even if you fix the encryption, validating the anti-forgery token won't work.

    anti-forgery token validation works by writing a token to a hidden form field and also to a cookie during the page render. on postback the cookie value and the hidden field value are compared.

    when you call the second api, while you can pass the hidden field value in the form post, you will not pass the cookie value, so validation fails.
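    Since the comparison needs both halves, an AJAX client has to obtain the cookie half from the same application that will validate the request. As an added example (not code from the question or either answer), here is a minimal ASP.NET Core API that issues its own token pair and validates it on a POST; the header name X-CSRF-TOKEN and the two routes are assumptions made for this example.

```csharp
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Added example: the API both issues and validates the antiforgery pair, so the cookie
// half is set by the same host that later checks it. Route and header names are assumptions.
var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAntiforgery(options =>
{
    // AJAX callers have no hidden form field, so accept the request token from a header.
    options.HeaderName = "X-CSRF-TOKEN";
});

var app = builder.Build();

// Step 1: the browser calls this first. GetAndStoreTokens sets the antiforgery cookie on the
// response and returns the request token that the client must echo back in the header.
app.MapGet("/antiforgery/token", (IAntiforgery antiforgery, HttpContext ctx) =>
{
    AntiforgeryTokenSet tokens = antiforgery.GetAndStoreTokens(ctx);
    return Results.Ok(new { token = tokens.RequestToken });
});

// Step 2: the browser POSTs with the X-CSRF-TOKEN header and with credentials included,
// so the cookie half travels with the request. ValidateRequestAsync compares the two halves
// and throws when either is missing or they were not issued together.
app.MapPost("/api/orders", async (IAntiforgery antiforgery, HttpContext ctx) =>
{
    try
    {
        await antiforgery.ValidateRequestAsync(ctx);
    }
    catch (AntiforgeryValidationException ex)
    {
        // Missing cookie, missing header, or mismatched pair: reject before doing any work.
        return Results.BadRequest(new { error = ex.Message });
    }
    return Results.Ok(new { accepted = true });
});

app.Run();
```

    On the client the sequence is a GET to /antiforgery/token, then a POST with the returned value in the X-CSRF-TOKEN header and the cookie allowed through (for fetch, `credentials: "include"`). Because the browser only returns the cookie to the site that set it, a token minted by a different application arrives with only one half, which is the failure the answer above describes.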