AntiForgery validation failed -- returning error page #1672
Comments
Have you tried incognito mode or clearing idserver-cookies? And were you already using nginx when things did work properly? |
Indeed, it's not a client side thing. Incognito makes no difference. Nginx was already operational and still is (with 2.0.0-rc1). I haven't been able to figure what updated to trigger this new error. As amazing a work as you guys do on the software itself, I wish a 10th went into some raw documentation too.. if nothing else just commit notes concatenated together to let us know what's changing. Though in this particular case, I've read through commit log and still can't figure what I'd need to do to fix this. Another detail that may be relevant: We've used CustomVIewService sample to create a customized login page (mainly logo change & some js input validation). My original thought was that may have caused it to break, but even commenting it out makes no difference. Everything else is vanilla otherwise. |
Hmm. Assuming everything is working as intended; an antiforgery validation error is caused by mismatch between the antiforgery value submitted in the form and the antiforgery cookie value. If you are doing some custom view service things, just double check that the antiforgery token is rendered in the view and submitted back in the post action. |
No that's what I thought as well. The token comes through in the custom view service (and of course that's how it's working in rc1), but I have the antiforgery issue even on DefaultViewService. |
is the javascript getting loaded? iirc, the antiforgery token is added into On 3 August 2015 at 11:59, Maverik notifications@github.com wrote:
|
Yes because our input validation is JS based and that's working fine. We've also confirmed that anti-forgery-token is present inside the form. Real head-scratcher here >.< Thanks for the ideas so far! |
Just some loud thinking here. Seems like you already have done some extended research, but I think I'd look into:
IIRC, the antiforgery token cookie is protected with the default Owin data protector. If, for some reason, the server does not manage to unprotect the cookie, it'll also treat the scenario as an antiforgery validation failed. In a load balanced environment, unless you take control of configuring the servers to use the same protectors (eg. common machine key), mismatch may happen. |
The decryption idea is exactly what I was thinking as well. I'm not directly dealing with this right now, my fellow developer is. I'll ask him to see if i can get me dumps. Alternatively is there any sort of logging I can use to dump request in its raw form before IdentityServer has a chance to process it (thus confirming that the token is indeed reaching identityserver's pipeline). As for research: Yes i've been at this for a day and I didn't want to create a ticket for something that's already been solved. My first attempt to solve this was to use the solution from the previous issue that happened on IIS using a mod. Unfortunately, I don't have the proxy headers issue (there's no protection in place right now. we've stripped things down to as minimum as we can to zero-in on this) |
We are using the latest pre-release version (currently 2.0.0-build00174) and I have put together a paste of all the raw requests/responses here. |
So the browser is showing the anti-forgery error in the browser title tab, despite the HTML |
The specific anti-forgery error never appears in the browser, we got that from our logs. I can't remember the exact wording of the error that is rendered in the browser but I will get that for you first thing in the morning. |
Hmm, looking at the last raw request, the antiforgery tokens clearly are different:
Not sure whether one can compare the raw values like that (IIRC, the token is protected and base64 encoded), but if one can, there clearly is a mismatch. Well, that doesn't help you much, but you can try to look into whether the antiforgery token is generated several times within the same request, or cookie is set on wrong request or something similar. |
I have the same issue after upgrade |
Any updates or more info so I can help track this down? |
Other than the fact that we've simply updated nuget version to run into this problem: no sorry nothing concrete yet. My fellow developer (@SAAirey) is going to try and reproduce it in a sample project and perhaps we can track it down from there. But so far I'm afraid update is all the trigger we have for this problem (and we can fix the problem with a simple version revert) |
And so it always happens for every POST? |
Yes. We can see the login page, but from that moment on, it never gets past the forgery issue. As soon as you enter credentials, we're presented with The log indicates the following sequence of events:
|
Exactly same process with rc1 instead gives successful result with this log sequence (some of the log events are our own service events but I've included them regardless - this just a portion of log events - I've also raised verbosity of log in this one)
|
Can you do a HTTP level trace to ensure the headers are making it to the server? Also, you can enable verbose HTTP logging in IdSvr so you can see it all in the logs. |
Http trace level? as in fiddler level trace or some logging option that I should enable? Currently running with these options and the failed log is exactly as one above (just tested against 2.0.0 stable as well): LoggingOptions = new LoggingOptions
{
EnableHttpLogging = true,
EnableWebApiDiagnostics = true,
WebApiDiagnosticsIsVerbose = true,
},
EventsOptions = new EventsOptions
{
RaiseErrorEvents = true,
RaiseFailureEvents = true,
RaiseInformationEvents = true,
RaiseSuccessEvents = true,
}, |
Here's the fiddler trace (with specific requests/responses that have the cookie involved):
|
I can see that the xsrf value is changing, but like I said, the only change between this working and not working is nuget version changing (anything past rc1 doesn't work for us) and nothing else. So I'm at a loss to explain how is it happening. Also I'm afraid it's pretty late over here and I have to close office. I'll catch your responses back when I'm back in office tomorrow and join gitter so you can ping me in there whenever you come online. |
So it seems that you have a proxy... i wonder if it makes sense to test without the proxy and see if you still have the issue -- that will help us rule that out or not. |
I don't have a proxy and experience the same issue after upgrade on my dev machine. |
I still have this issue running and accessing IdentityServer on |
I'm having a hard time diagnosing this issue, so at this point I'd suggest getting the code and debugging into it. |
Debugging, I end up at AntiForgeryToken.cs#L129 where form object evaluates to nothing where idsrv.xsrf should be, along with username and password. EDIT: seems like the above scenario is valid when HttpLogging is enabled and code enters RequestResponseLogger where request.GetOwinContext().Request.ReadBodyAsStringAsync() is called and consumes the contents of the request. I've verified this by testing on the Selfhost (Minimal) in the Samples project with same outcome. |
Brilliant work @snothub! I can confirm that by turning logging off, everything is working fine again! Not the ideal way to have things, but at least it gets us moving and we know what needs fixing :) |
Ok, this issue came up recently and I thought we got it sorted out. I'll try to repro and investigate further. |
Ok, confirmed that it's just the |
I just made some changes to the http logging and pushed it to myget as build 2.0.1-build00176. Mind testing it for me? |
Thanks @brockallen! Just tested and I can confirm that 2.0.1-build00176 has fixed the problem. |
Just as a heads up, this will most likely get released as a patch this week. |
We've been developing with IdentityServer 2.0.0 series for a while now but I've recently updated nuget from 2.0.0-rc1 to rc2 & now rc3 and both of them are now rendering the message in title.
Could you please give any ideas on where should I look to fix this error? I have absolutely no detail available from log except for the above message and the fact that the log entry came from
IdentityServer3.Core.Configuration.Hosting.ValidateAntiForgeryTokenAttribute
.We do have a nginx reverse proxy in front of the idServer if that matters.
Thanks in advance!
The text was updated successfully, but these errors were encountered: