Hi there,
I would like to validate an "antiforgery token" generated on an ASP.NET MVC Framework application hosted on IIS in a BFF (backend for frontend) .NET Core API hosted on Kestrel/Linux with the ValidateAntiForgeryToken attribute.
When I validate this token in the original ASP.NET MVC Framework application, everything works fine.
The problem occurs when I use a token generated in ASP.NET MVC Framework for validation in the .NET Core API.
Since the .NET MVC Framework application runs on several different servers, I have configured a machineKey with manually defined values so that all the servers hosting the .NET MVC Framework application can decode any antiforgery token in the server farm, and this works well.
I naively thought that if I copied the machineKey configuration from the .NET MVC Framework application's machine.config into the .NET Core API's web.config, it would be able to decrypt and validate the token, but unfortunately not.
While looking for solutions, I saw some documentation on migrating the machineKey with AddDataProtection, but I never got anywhere.
I thought of a roundabout way: exposing a route on my .NET MVC Framework application which would be called from a filter attribute on each route of my .NET Core API, forwarding the headers. But I would have preferred to find a solution where a token could be shared between two applications that share the same validation and decryption keys.
Currently my machineKey in the machine.config of the .NET Framework application:
<machineKey decryptionKey="xxxxxxxxxxxxxxxxxxxx" validationKey="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" validation="SHA1" decryption="AES"/>
Do you have any idea how to do this (knowing that calls to the .NET Core BFF are only used for AJAX requests, and that I manage to send the correct token information in the headers/cookies to the .NET Core BFF)?
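The roundabout design mentioned in the post, sketched as an added example that is not code from the asker's applications: an ASP.NET Core authorization filter that forwards the antiforgery cookie/header pair to a validation route on the MVC 5 application, which checks it with its own machineKey. The route path `/antiforgery/validate`, the header name `X-CSRF-Token` and the named HttpClient `mvc5` are assumptions; `__RequestVerificationToken` is the MVC 5 default cookie name.

```csharp
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

// Assumed: the MVC 5 app exposes POST /antiforgery/validate (hypothetical route),
// the AJAX caller sends the form token in the X-CSRF-Token header (assumption),
// and the cookie keeps the MVC 5 default name __RequestVerificationToken.
public sealed class RemoteAntiforgeryFilter : IAsyncAuthorizationFilter
{
    private const string CookieName = "__RequestVerificationToken";
    private const string HeaderName = "X-CSRF-Token";
    private readonly IHttpClientFactory _clients;

    public RemoteAntiforgeryFilter(IHttpClientFactory clients) => _clients = clients;

    public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
    {
        var request = context.HttpContext.Request;
        // Both halves of the token pair must be present; refuse early otherwise.
        if (!request.Cookies.TryGetValue(CookieName, out var cookieToken) ||
            !request.Headers.TryGetValue(HeaderName, out var headerToken))
        {
            context.Result = new StatusCodeResult(StatusCodes.Status400BadRequest);
            return;
        }

        // The "mvc5" client is registered in Startup with the MVC 5 base address and
        // UseCookies = false, so the Cookie header below is sent exactly as forwarded.
        var client = _clients.CreateClient("mvc5");
        using var validate = new HttpRequestMessage(HttpMethod.Post, "/antiforgery/validate");
        validate.Headers.Add("Cookie", $"{CookieName}={cookieToken}");
        validate.Headers.Add(HeaderName, headerToken.ToString());

        // Only the token pair is forwarded; anything but 200 is treated as a failed check.
        using var response = await client.SendAsync(validate);
        if (!response.IsSuccessStatusCode)
            context.Result = new StatusCodeResult(StatusCodes.Status400BadRequest);
    }
}

// MVC 5 side (System.Web.Helpers.AntiForgery), the route the filter calls:
// [HttpPost] public ActionResult Validate() {
//     try {
//         AntiForgery.Validate(Request.Cookies["__RequestVerificationToken"]?.Value,
//                              Request.Headers["X-CSRF-Token"]);
//         return new HttpStatusCodeResult(200);
//     } catch (HttpAntiForgeryException) { return new HttpStatusCodeResult(400); }
// }
```

The validation route should be reachable only from the BFF (internal network or service-to-service authentication), since it does nothing but answer whether a token pair is valid for the MVC 5 machineKey.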