Blazor antiforgery token issue when posting form (SSR) when user is logged in

[sikora507]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

When I log in a user using cookies, then when I want to post a form using server side rendering, I get this error page with the following text only:

A valid antiforgery token was not provided with the request. Add an antiforgery token, or disable antiforgery validation for this endpoint.

I've isolated the issue and made an example demo application that shows the problem:
https://github.com/sikora507/blazor-form-submission-bug

I've made a simple blazor page with simple form that I want to post using SSR, and as you can see, I am not logged in, and I am able to submit a form, and it's content is displayed below. There is no issue yet.

However, when I log in and want to post the same form:

When I press the Submit button, I'll get this page:

For logging in, I am using Razor Pages (Login.cshtml and Logout.cshtml)
I am doing so, because in my real-world scenario, I want to login using Google and the issue is the same.

This is my actual code that signs in using Google. I need to support a Challenge to Google and a Callback where I sign in the user.

I've isolated the issue by mocking the logging process and calling HttpContext.SignInAsync with pre-made user:
https://github.com/sikora507/blazor-form-submission-bug/blob/4b4c0341fe5089b0ecbe83e5a5d6a44783815d53/FormTest/Pages/Login.cshtml.cs#L24C1-L34C29
But the outcome is the same, there's some weird behavior with Blazor's SSR form handling.

I might be wrong, but I was not able to mitigate this issue, I'd be also happy if someome could prove my mistake and show me how it's suppose to be done.

Expected Behavior

There should be no antiforgery token issue after posting a SSR form in Blazor, when user is logged in.

Steps To Reproduce

1. Download and run repo that isolates the issue:
   https://github.com/sikora507/blazor-form-submission-bug

It was generated using dotnet new blazor command

• a page with form was added
• a razor page for signing a dummy user was made

2. Click Login link
   ,
3. Click
   ,
4. Try to submit the form on Form test page
   

You will get the error

A valid antiforgery token was not provided with the request. Add an antiforgery token, or disable antiforgery validation for this endpoint.

This issue does not occur when user is logged out. (Try logging out and submit the form again, it will work)

Exceptions (if any)

There is a bad request error in console:

Caused by blazor.web.js

.NET Version

8.0.100-preview.7.23376.3

Anything else?

No response

[dmm-l-mediehus]

If you haven't yet, take a look at Blazor .NET 8 Preview 7 antiforgery new requirement: .NET 8 Preview 7 Blog
Try adding this to your FormTest.razor:

@using Microsoft.AspNetCore.Antiforgery;
@attribute [RequireAntiforgeryToken]

[sikora507]

I've just tried adding it, but still no difference. When I use cookies for authentication, SSR form submission seems to be broken. I've added a commit to my repo with your proposed changes too.

[dmm-l-mediehus]

Did you also add in app program.cs?:
app.UseAntiforgery();
between app.UseRouting() and the app.MapRazorComponents()

[sikora507]

With, or without it, the output is the same, you can check for yourself.
When I'm logged out, the token is also there and it works:

Something is not right when I'm logged in.
There's this cookie in request headers when I'm logged out and i am submitting the form:

And this one when I'm logged in and submitting the form:

Maybe there's a problem how this is being parsed during antiforgery check or something

[dmm-l-mediehus]

Sorry for not including everything but again, try adding AnitForgeryToken-component to the bottom of your form, before the closing tag:

Otherwise im out of ideas.

Edit: ignore this, I thought your first image was the code source, but it's the F12. You're using EditForm so no need for the AntiForgeryToken-component.

[matthew-minish]

I was running into the same issue and fixed it by adding app.UseAntiforgery() between calls to app.UseAuthorization() and app.MapRazorComponents() in program.cs. Not having the call to UseAntiforgery() at all, or having it placed before the UseAuth... calls was causing the issue.

I cloned the example project given in the original issue description and was able to resolve the problem using this fix.

[javiercn]

This is caused by the implicit antiforgery middleware, you can use app.UseAntiforgery() after app.UseAuthentication() to workaround it. We are going to use #50818 to track it