AntiforgeryValidationException preventing Blazor Server Side app to start


Describe the bug

After an IIS restart, when I visit localhost/someblazorroute/ I start getting the following error, and from that point I’m stuck (regardless of user and regardless of the route visited).

However, when I visit the root page localhost/ first I’m redirected to login page and everything works as expe

To Reproduce

Use endpoints.MapBlazorHub().RequireAuthorization(); and cookie authentication, deploy to IIS using the release configuration, restart IIS and visit localhost/counter.

    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<IISServerOptions>(options => options.AutomaticAuthentication = false);
        services.AddServerSideBlazor();

        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.LoginPath = "/Auth/Login";
                options.LogoutPath = "/Auth/Logout";
            });
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Error");
            // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
            app.UseHsts();
        }

        app.UseRequestLocalization(new RequestLocalizationOptions
        {
            DefaultRequestCulture = new Microsoft.AspNetCore.Localization.RequestCulture(CultureInfo.InvariantCulture.Name, "sk")
        });


        app.UseHttpsRedirection();
        app.UseStaticFiles();

        app.UseRouting();

        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapRazorPages().RequireAuthorization();
            endpoints.MapBlazorHub().RequireAuthorization();
            endpoints.MapFallbackToPage("/_Host");
        });
    }

Exceptions (if any)

warn: Microsoft.AspNetCore.DataProtection.Repositories.EphemeralXmlRepository[50]
      Using an in-memory repository. Keys will not be persisted to storage.
warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[59]
      Neither user profile nor HKLM registry available. Using an ephemeral key repository. Protected data will be unavailable when application exits.
warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[35]
      No XML encryptor configured. Key {907560ad-e64e-4cca-a2db-9f315b87fc5d} may be persisted to storage in unencrypted form.
info: Microsoft.Hosting.Lifetime[0]
      Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
      Hosting environment: Development
info: Microsoft.Hosting.Lifetime[0]
      Content root path: C:\inetpub\wwwroot
fail: Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery[7]
      An exception was thrown while deserializing the token.
      Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The antiforgery token could not be decrypted.
       ---> System.Security.Cryptography.CryptographicException: The key {1aaa8d08-286b-466d-ad02-c0cb7bb4ac09} was not found in the key ring.
         at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
         at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked)
         at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
         at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
         --- End of inner exception stack trace ---
         at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
         at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.GetCookieTokenDoesNotThrow(HttpContext httpContext)

Further technical details

  • ASP.NET Core version 5.0.0

Host (useful for support): Version: 5.0.0 Commit: cf258a14b7

.NET SDKs installed: No SDKs were found.

.NET runtimes installed:
  Microsoft.AspNetCore.App 5.0.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 5.0.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 11 (6 by maintainers)
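
The log above shows data protection falling back to an in-memory key repository, so anything protected before the IIS restart (the antiforgery cookie here) can no longer be decrypted afterwards. The following console program is an added example, not code from the issue or from the ASP.NET Core project; it reproduces that failure with two service containers standing in for two process lifetimes, then repeats the round trip with keys persisted to disk. The purpose string, application name and key directory are assumptions chosen for the demo, and it needs the Microsoft.AspNetCore.DataProtection and Microsoft.Extensions.DependencyInjection packages.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

static class KeyRingRestartDemo
{
    // Builds a fresh container, standing in for one worker-process lifetime.
    static IDataProtector NewProcess(Action<IDataProtectionBuilder> configure)
    {
        var services = new ServiceCollection();
        configure(services.AddDataProtection());
        return services.BuildServiceProvider()
            .GetRequiredService<IDataProtectionProvider>()
            .CreateProtector("Demo.Antiforgery"); // hypothetical purpose string
    }

    // Protects in one "process" and unprotects in the next.
    // Returns false when the second process cannot decrypt the payload.
    static bool SurvivesRestart(Action<IDataProtectionBuilder> configure)
    {
        const string payload = "constructed-token-payload"; // constructed sample value
        string cookie = NewProcess(configure).Protect(payload);
        try
        {
            return NewProcess(configure).Unprotect(cookie) == payload;
        }
        catch (CryptographicException ex)
        {
            // The exact message may differ from the one in the issue log.
            Console.WriteLine("  decrypt failed: " + ex.Message);
            return false;
        }
    }

    static void Main()
    {
        // Stand-in for the in-memory repository the log warns about:
        // the key exists only for the lifetime of the provider.
        Console.WriteLine("ephemeral keys survive restart: " +
            SurvivesRestart(b => b.UseEphemeralDataProtectionProvider()));

        // Assumed key directory. Keys are written here unencrypted unless an XML
        // encryptor is also configured, so restrict its ACL to the app identity.
        var keyDir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-keys-demo"));
        Console.WriteLine("persisted keys survive restart: " +
            SurvivesRestart(b => b.SetApplicationName("BlazorDemo").PersistKeysToFileSystem(keyDir)));
    }
}
```

The same `AddDataProtection().SetApplicationName(...).PersistKeysToFileSystem(...)` chain can be placed in `ConfigureServices` of the app shown in the issue.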

Top GitHub Comments

1 reaction
Liero commented, Dec 18, 2020

Yes, I get it and thanks for the scripts, but I still think it’s a bug. A single request with a wrong token should not take down the entire application.

How do you explain that navigating to the site root redirects to the login page, but navigating to another Blazor page first takes the app down, and then navigating to the site root returns an error even in InPrivate/incognito mode?

1 reaction
msftbot[bot] commented, Dec 18, 2020

Thanks for contacting us. We’re moving this issue to the Next sprint planning milestone for future evaluation / consideration. We will evaluate the request when we are planning the work for the next milestone. To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.
