
The antiforgery token could not be decrypted: The payload was invalid #47774

Closed
1 task done
ptzremote opened this issue Apr 19, 2023 · 5 comments
Labels
area-dataprotection Includes: DataProtection

Comments

@ptzremote

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

I want to send a request from one application to another and validate the anti-forgery token.

Expected Behavior

Validation will complete successfully.

Steps To Reproduce

  • Create ASP.NET MVC Application (.NET Framework)
  • Install Microsoft.AspNetCore.DataProtection.SystemWeb package
  • Configure Data Protection:
    services.AddDataProtection().SetApplicationName("demo").PersistKeysToFileSystem(new DirectoryInfo(Path.Combine(HostingEnvironment.ApplicationPhysicalPath, "..", "keys")));
  • Add form:
    <form action="http://localhost:1055/home/index" method="post"> @Html.AntiForgeryToken() <button type="submit">Send</button> </form>
  • Add another web app (.NET 5)
  • Configure Data Protection the same way
  • Add a controller to handle requests from the first app
  • Try to validate the request: _antiforgery.ValidateRequestAsync(HttpContext)

Exceptions (if any)

The antiforgery token could not be decrypted.

at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.DeserializeTokens(HttpContext httpContext, AntiforgeryTokenSet antiforgeryTokenSet, AntiforgeryToken& cookieToken, AntiforgeryToken& requestToken)
at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.ValidateTokens(HttpContext httpContext, AntiforgeryTokenSet antiforgeryTokenSet)
at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.d__9.MoveNext()

InnerException:

The payload was invalid.

at Microsoft.AspNetCore.DataProtection.Cng.CbcAuthenticatedEncryptor.DecryptImpl(Byte* pbCiphertext, UInt32 cbCiphertext, Byte* pbAdditionalAuthenticatedData, UInt32 cbAdditionalAuthenticatedData)
at Microsoft.AspNetCore.DataProtection.Cng.Internal.CngAuthenticatedEncryptorBase.Decrypt(ArraySegment`1 ciphertext, ArraySegment`1 additionalAuthenticatedData)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)

.NET Version

4.7.2;5.0

Anything else?

Repo: https://github.com/ptzremote/InvalidPayload

@dotnet-issue-labeler dotnet-issue-labeler bot added the area-dataprotection Includes: DataProtection label Apr 19, 2023
@amcasey
Member

amcasey commented May 20, 2023

@ptzremote Thanks for the report! Are you only seeing that when the two apps use different versions of .net or does it happen with two 4.5.7 or two 5.0 apps?

@ProVega

ProVega commented Jul 22, 2023

Any luck?

I have the same issue between a .NET 4.8 MVC web app and a .NET 6.0 ASP.NET Web API app.

I got past the Key Ring error and the errors about not finding the header and cookie (so I believe this is really just an encryption(?) problem).

Both are configured to use the same shared key from the file system:

    public override void ConfigureServices(IServiceCollection services)
    {
        services.AddDataProtection()
            .SetApplicationName("my-app")
            .PersistKeysToFileSystem(new DirectoryInfo("C:\\keyDirectory"))
            .UseCryptographicAlgorithms(new AuthenticatedEncryptorConfiguration
            {
                EncryptionAlgorithm = EncryptionAlgorithm.AES_256_CBC,
                ValidationAlgorithm = ValidationAlgorithm.HMACSHA256
            });
    }

at Microsoft.AspNetCore.DataProtection.Cng.CbcAuthenticatedEncryptor.DecryptImpl(Byte* pbCiphertext, UInt32 cbCiphertext, Byte* pbAdditionalAuthenticatedData, UInt32 cbAdditionalAuthenticatedData)
at Microsoft.AspNetCore.DataProtection.Cng.Internal.CngAuthenticatedEncryptorBase.Decrypt(ArraySegment`1 ciphertext, ArraySegment`1 additionalAuthenticatedData)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)

The ASP.NET (Framework) app is configured to use Microsoft.AspNetCore.DataProtection.SystemWeb; the relevant web.config comment reads:

	<!--

If you want to customize the behavior of the ASP.NET Core Data Protection stack, set the
"aspnet:dataProtectionStartupType" switch below to be the fully-qualified name of a
type which subclasses Microsoft.AspNetCore.DataProtection.SystemWeb.DataProtectionStartup.
-->
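The reproduction steps in the original report and the configuration in the comment above both assume that pointing two apps at the same key directory with the same application name is enough for a payload protected by one to be unprotected by the other. The stack traces show where that assumption is tested: `CbcAuthenticatedEncryptor.DecryptImpl` receives the ciphertext together with additional authenticated data derived from the protector's purpose chain (which starts with the application name), and "The payload was invalid" is the HMAC check rejecting the payload before anything is decrypted. The following console program is an added diagnostic, not code from the issue or from the ASP.NET Core repository; it separates "is the key ring actually shared?" from "does the antiforgery layer agree on purposes and token format?". It assumes the Microsoft.AspNetCore.DataProtection.Extensions package, reuses the thread's `C:\keyDirectory` and `my-app` values as placeholders, and the purpose strings `diag.v1`/`diag.v2` and the class/method names are mine.

```csharp
// Added diagnostic example (not from the issue or the ASP.NET Core repo).
// Assumes: Microsoft.AspNetCore.DataProtection.Extensions is referenced and the
// process can read/write the key directory. Path and app name are placeholders
// taken from the thread; purpose strings "diag.v1"/"diag.v2" are made up here.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

static class KeySharingCheck
{
    static void Main()
    {
        var keyDir = new DirectoryInfo(@"C:\keyDirectory");

        // Two independent providers stand in for the two applications.
        // Same key directory + same application name => same key ring and
        // the same first element of the purpose chain.
        var appA = DataProtectionProvider.Create(keyDir, b => b.SetApplicationName("my-app"));
        var appB = DataProtectionProvider.Create(keyDir, b => b.SetApplicationName("my-app"));

        // App A protects a value under an explicit purpose.
        string token = appA.CreateProtector("diag.v1").Protect("hello");

        // 1. Same key ring, same purpose chain: must round-trip.
        Console.WriteLine("same purpose: " + appB.CreateProtector("diag.v1").Unprotect(token));

        // 2. Same key ring, different purpose: the purpose chain feeds the
        //    authenticated-encryption check, so the HMAC fails and Unprotect
        //    throws CryptographicException "The payload was invalid."
        TryUnprotect(appB.CreateProtector("diag.v2"), token, "different purpose");

        // 3. Same key directory, different application name: the key is still
        //    found, but the application name is part of the purpose chain,
        //    so this fails in exactly the same way.
        var appC = DataProtectionProvider.Create(keyDir, b => b.SetApplicationName("other-app"));
        TryUnprotect(appC.CreateProtector("diag.v1"), token, "different application name");
    }

    static void TryUnprotect(IDataProtector protector, string token, string label)
    {
        try
        {
            protector.Unprotect(token);
            Console.WriteLine($"{label}: unexpectedly succeeded");
        }
        catch (CryptographicException ex)
        {
            // This is the same exception type and message seen in the thread.
            Console.WriteLine($"{label}: {ex.Message}");
        }
    }
}
```

If case 1 fails in your environment, the two apps do not actually share a key ring (different directory, different application name, or a key file one side cannot read). If case 1 succeeds but `ValidateRequestAsync` still throws, the key ring is fine and the mismatch lies above it: the producer and consumer of the antiforgery token are not using the same purpose chain or the same token serializer, which is what a token minted by a different antiforgery implementation looks like to `DefaultAntiforgeryTokenSerializer`.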

@amcasey
Member

amcasey commented Jan 23, 2024

This sounds very similar to #39958.

@amcasey
Member

amcasey commented Jan 26, 2024

Closing as a dup, pending new information.

@amcasey amcasey closed this as completed Jan 26, 2024
@enkelmedia

Might be related to this: umbraco/Umbraco-CMS#16107
