K
Q

Kubernetes + Redis: The antiforgery token could not be decrypted

11/13/2019

I am making use of a Redis database for Data Protection on .net core 3.0 on Kubernetes, but still get the below error. Any ideas?

fail: Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery[7] An exception was thrown while deserializing the token. Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The antiforgery token could not be decrypted. ---> System.Security.Cryptography.CryptographicException: The key {ffb146a1-0e5e-4f96-8566-425f7c2eb99a} was not found in the key ring. at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status) at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked) at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData) at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken) --- End of inner exception stack trace --- at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken) at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.GetCookieTokenDoesNotThrow(HttpContext httpContext)

var redis = ConnectionMultiplexer.Connect(Environment.GetEnvironmentVariable("REDIS_CONNSTR"));
services.AddDataProtection().PersistKeysToStackExchangeRedis(redis, "DataProtection-Keys");
services.AddMvc(options =>
{
    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute());
});
-- Anton Swanevelder
antiforgerytoken
asp.net-core
c#
kubernetes

Similar Questions

Kubectl Java client returns exit code 3 when using exec
How can I access the Openshift service through ClusterIP from nodes
How to create proxy on 3 Kubernetes services
can two web services be hosted in a kubernetes pod?
creating a service endpoint for a service in eks
Why calico missing some nodes peer address in Kubernetes?

1 Answer

11/14/2019

According to the documentation in the below article the application name needs to be set.

services.AddDataProtection()
    .PersistKeysToStackExchangeRedis(redis, "DataProtection-Keys")
    .SetApplicationName("product");

By default, the Data Protection system isolates apps from one another based on their content root paths, even if they're sharing the same physical key repository. This prevents the apps from understanding each other's protected payloads.

To share protected payloads among apps:

  • Configure SetApplicationName in each app with the same value.

https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?view=aspnetcore-3.0

Just a further note on this. If you get a 400 Bad Request and are using an API in the same solution then I would suggest having a look at the IgnoreAntiforgeryToken Attribute to decorate methods where CSRF does not apply.

[HttpPost]
[IgnoreAntiforgeryToken]
-- Anton Swanevelder
Source: StackOverflow