AntiForgeryToken validation fail when open an asp.net core url from an angular application

[ioantoader]

I have an asp.core mvc aplication which is the identity server application (IdentityServer4 + ASP.Net core Identity). In my angular client which use this asp.core app to get the bearer token i call like: <a mat-menu-item [href]="/Manage/Index" target="_blank" rel="noreferrer noopener" referrerpolicy="no-referrer"> the Index page from ManageControler. When I open this url in two tabs and edit some values and press submit, in one is working and in one I got
2018-10-30 08:18:34.792 +00:00 [Information] Microsoft.AspNetCore.Mvc.ViewFeatures.Internal.ValidateAntiforgeryTokenAuthorizationFilter: Antiforgery token validation failed. The antiforgery cookie token and request token do not match.
Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The antiforgery cookie token and request token do not match.
at Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgery.ValidateTokens(HttpContext httpContext, AntiforgeryTokenSet antiforgeryTokenSet)
at Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgery.ValidateRequestAsync(HttpContext httpContext)
at Microsoft.AspNetCore.Mvc.ViewFeatures.Internal.ValidateAntiforgeryTokenAuthorizationFilter.OnAuthorizationAsync(AuthorizationFilterContext context)

If I enter the same url manual in two tabs is function without any problems.

Any Idea?
Thanks
Ioan Toader

[blowdart]

Did you remember to refresh the token after login? The anti-forgery token is linked to the authenticated user, this changes during login.

[ioantoader]

are two applications one pure angular (not asp.net core + angular template) and one asp.net core MVC (no java script) which is the oauth2 server (use identity server4). Angular application uses implicit flow to authenticate. After the angular application is authenticated, in one page is a anchor which is the link to "user profile". When press two times on this link in one tab is working and in one not to save the changes. If I enter the same link (mcvapp/Manage/Index) manual in several tabs is workink

[blowdart]

These multiple tabs? Are they on different URLs? If not, then that's going to be the problem, you have one tab with the old, pre-authenticated token, and one with the new.

If not, how is the angular app saving the authenticated user? You say oauth2, but how are you authenticating? Where is the api you're trying to call located? Is it in the MVC app? Another project? How is the angular app getting the CSRF token?

A sample stripped down repo which demonstrates the problem would be a great help here.

[ioantoader]

angular app uses this asp.net core app for authentication which uses identity server4. and angular app has on one page to a link to an asp .net core mvc app page.

angular use oidc-client. js library with the implicit flow. and when click on the link is open from angular a page from asp.net core mvc app. The authentication is done using default single sign-on mechanism.

blowdart is possible to schedule a skype call?

Thanks

[blowdart]

If I start skype calls with one person, honestly it'd never end with everyone else, so I'd like to avoid that. If you're logging in as two different people in two different tabs in your angular app that's simply not supported once you click through to the MVC app.

[ioantoader]

No is not login with two different people. Angular is using the asp.net core app for login. When the user starts the angular app which uses oidc-clint.js library will be redirecting to asp .net core app login form and after back to angular (oauth2 protocol with the implicit flow). After login in one page of angular is just a link to a page from asp.net core which contains also the login form. When the user clicks on this link no login form is open the authentification was already done and is used cookies. If this link is open twice in two tabs from angular in one is working to submit the form in one not.

[blowdart]

So you're opening the same page from a single, logged in angular app, twice? Or are there two angular app pages first?

[ioantoader]

one is angular app and on is the identity server app implemented in asp.net core + identiyserver4 (this contain the login form and the managing controller)
Angular app get a bearer token using implicit flow .
A1 - Angular App (www.a1.net)
IS - Net asp.net core + IndentityServer4 framework (www.is.net) (contain login form and ManageControler)
1)now start A1
2) redirect to IS app which displays the login form (part of oath2 implicit flow)
3) enter credentials redirect to A1 (part of oath2 implicit flow)
4) A1 in one page contains <a href="www.is.net/Manage/Index"/>
5) click twice on this link
6) change something in both tabs and press Save
7) in the last opened tab save ok, in the first tab AntiForgeryTokenValidation Exception

2018-10-30 08:18:34.792 +00:00 [Information] Microsoft.AspNetCore.Mvc.ViewFeatures.Internal.ValidateAntiforgeryTokenAuthorizationFilter: Antiforgery token validation failed. The antiforgery cookie token and request token do not match.
Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The antiforgery cookie token and request token do not match.
   at Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgery.ValidateTokens(HttpContext httpContext, AntiforgeryTokenSet antiforgeryTokenSet)
   at Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgery.ValidateRequestAsync(HttpContext httpContext)
   at Microsoft.AspNetCore.Mvc.ViewFeatures.Internal.ValidateAntiforgeryTokenAuthorizationFilter.OnAuthorizationAsync(AuthorizationFilterContext context)

[ioantoader]

I added
s2.zip
a screen capture

[blowdart]

The video was very helpful, thank you.

In ASP.NET Identity we have the concept of a security stamp. One of the circumstances when the stamp gets updated is when user details change (it allows an app to detect the changes in multiple places and reload the identity). So in your first time the saving has changed the security stamp. The anti-forgery token includes information from the user in it, including the security stamp. So when you save your updates any previously issued CSRF tokens are now invalid, including the one in your second tab, hence the error.

This is by design, and there's no way to disable it I'm afraid.