How to call API with AntiForgeryToken using Postman in IdentityServer ASP.NET Core

I'm trying to test my API with Identity Server Asp.net Core using Postman.

This is the way that I'm trying to do:

  1. First request HttpGet to https://localhost:5000/Account/Login and in the response body I received: <input name="__RequestVerificationToken" type="hidden" value="CfDJ8MoS9upoM4dNp8Kx-AdvA-uYr13_PAkuMZpzYMV8UmxZq5GdLTvN-Ht5NpTLmPtlhL5d5z2Hu2vUJoJGhk1AMlARDcOwqgq7Cef1dfQL_vl4tIFM4kx9RZPz8DHU26-U9qLnKAIstZgR42-1FuGNh24" />

And in the Cookie (not sure what it is for, though).

  2. Then HttpPost to https://localhost:5000/Account/Login with RequestVerificationToken set to the token received in the body of the HttpGet request.

And always error 400, as you can see in the screenshot above.

In Visual Studio I can see that some request was caught, but clearly it was incorrect.

If I remove the attribute [ValidateAntiForgeryToken] then of course everything works fine, but obviously only because that validation is disabled.

DiPix asked Jun 02 '18 13:06


People also ask

What is AntiForgeryToken in asp net core?

In ASP.NET Core, @Html.AntiForgeryToken() is applied for preventing cross-site request forgery (XSRF/CSRF) attacks.

What is the use of HTML AntiForgeryToken ()?

AntiForgeryToken() generates a hidden form field (anti-forgery token) that is validated when the form is submitted.

What is AntiForgeryToken in Web API?

Adding an AntiForgeryToken generates a cryptographically valid token at the server end which is split: one part is added as a hidden form field, while the rest goes into a cookie. When data is posted, the cookie and the hidden field are both sent back, and if either is missing or they don't match, the POST is rejected.


1 Answer

You'd need to do the following to send such a request:

1. Enter the __RequestVerificationToken key/value (don't forget the double underscores) into x-www-form-urlencoded.

2. You need to add the .AspNetCore.Antiforgery cookie to the Cookies section in Postman.

For example, like this: .AspNetCore.Antiforgery.1XHiLFgQI2w=your cookie value; Path=/; Domain=localhost; Expires=Session;

You can find the .AspNetCore.Antiforgery cookie in the Application section of Google Developer Tools.

.AspNetCore.Antiforgery cookie in Google Developer Tools picture

Add cookie in Postman picture

Burhan Savci answered Oct 25 '22 16:10
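The two steps in the answer (take the hidden field from the GET response body, take the .AspNetCore.Antiforgery.* cookie from the same response, send both back with the POST) can be scripted outside Postman. The following Python is an added example written for this page, not code from the question, the answer or IdentityServer. It parses constructed sample data that mirrors the shapes shown above (the real token values are replaced by placeholders), and only the `login()` function talks to the https://localhost:5000 instance from the question. The field name `__RequestVerificationToken` and the cookie prefix `.AspNetCore.Antiforgery.` are the ASP.NET Core defaults; the cookie suffix (`1XHiLFgQI2w` in the answer) is application-specific, which is why the code matches on the prefix rather than the full name.

```python
"""Reproduce the GET-then-POST antiforgery handshake from the question in plain Python."""
import re
import urllib.request
from urllib.parse import urlencode

LOGIN_URL = "https://localhost:5000/Account/Login"  # URL from the question
COOKIE_PREFIX = ".AspNetCore.Antiforgery."           # ASP.NET Core default; suffix is per-application

# Constructed sample data standing in for a real GET response (placeholders, not captured values).
SAMPLE_LOGIN_HTML = """
<form method="post" action="/Account/Login">
  <input name="Username" />
  <input name="Password" type="password" />
  <input name="__RequestVerificationToken" type="hidden" value="CONSTRUCTED_FORM_TOKEN" />
</form>
"""
SAMPLE_SET_COOKIE_HEADERS = [
    ".AspNetCore.Antiforgery.1XHiLFgQI2w=CONSTRUCTED_COOKIE_TOKEN; path=/; samesite=strict; httponly",
    "idsrv.session=CONSTRUCTED_SESSION; path=/",  # unrelated cookie; must not be picked by mistake
]

# Razor emits the hidden field as name="..." type="hidden" value="..."; match name before value.
TOKEN_RE = re.compile(r'name="__RequestVerificationToken"[^>]*value="([^"]+)"')


def extract_form_token(html: str) -> str:
    """Return the hidden-field half of the antiforgery token from the login page HTML."""
    match = TOKEN_RE.search(html)
    if not match:
        raise ValueError("no __RequestVerificationToken hidden field in response body")
    return match.group(1)


def extract_antiforgery_cookie(set_cookie_headers):
    """Return (name, value) of the antiforgery cookie from a list of Set-Cookie header values."""
    for header in set_cookie_headers:
        name_value = header.split(";", 1)[0].strip()  # drop path/samesite/httponly attributes
        name, _, value = name_value.partition("=")
        if name.startswith(COOKIE_PREFIX):
            return name, value
    raise ValueError("no antiforgery cookie in Set-Cookie headers")


def build_login_request(html, set_cookie_headers, username, password):
    """Assemble headers and x-www-form-urlencoded body for the POST.

    Both halves must be present: the form field alone (the question's attempt)
    is rejected with 400 because the server cannot pair it with the cookie half.
    """
    form_token = extract_form_token(html)
    cookie_name, cookie_value = extract_antiforgery_cookie(set_cookie_headers)
    body = urlencode({
        "Username": username,
        "Password": password,
        "__RequestVerificationToken": form_token,
    })
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": f"{cookie_name}={cookie_value}",
    }
    return headers, body


def login(username, password):
    """Live version: GET the form, then POST it. Assumes the dev HTTPS certificate is trusted."""
    with urllib.request.urlopen(LOGIN_URL) as resp:
        html = resp.read().decode()
        set_cookies = resp.headers.get_all("Set-Cookie") or []
    headers, body = build_login_request(html, set_cookies, username, password)
    req = urllib.request.Request(LOGIN_URL, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    hdrs, form = build_login_request(SAMPLE_LOGIN_HTML, SAMPLE_SET_COOKIE_HEADERS, "alice", "secret")
    print(hdrs["Cookie"])
    print(form)
```

When running `login()` against a real instance, the Cookie header should carry any other cookies the GET set as well (for example the session cookie above), since a single hand-built Cookie header replaces the browser's cookie jar; the antiforgery cookie is the one that decides between 200 and 400 for the [ValidateAntiForgeryToken] check.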