C#: Getting 403 even after sending CSRF token using httpclient

Question

I am trying to post a payload to our backend system from my UWP app. For which I am first doing a GET to fetch the CSRF token and then adding that to the header of the POST request. While posting, I am still getting the 403 Forbidden error.

I am cross-testing this with 'Insomnia' REST client by doing a separate GET and POST requests and feeding the CSRF token fetched from the GET to the POST header and it is working just fine.

Getting the token:

public async Task<string> GetCSRF()
{
    using (HttpClient httpClient = new HttpClient())
    {
        httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", Convert.ToBase64String(
            System.Text.Encoding.ASCII.GetBytes(
                    string.Format("{0}:{1}", userName.Text.ToUpper(), SAPpassword.Password))));

        httpClient.DefaultRequestHeaders.Add("X-CSRF-TOKEN", "fetch");
        HttpResponseMessage response = await httpClient.GetAsync(new Uri(_URI));
        response.EnsureSuccessStatusCode();
        if (response.Content == null)
            return null;
        String csrfToken = response.Headers.GetValues("X-CSRF-TOKEN").FirstOrDefault();
        return csrfToken;
    }
}

I received the following header back with the csrf token:

response.Headers
{
    x-csrf-token: w1Id2Kn1r0d6EItk6vEi0g==
    cache-control: no-store, no-cache
    sap-metadata-last-modified: Fri, 01 Sep 2017 10:57:07 GMT
    dataserviceversion: 2.0
    set-cookie: sap-usercontext=sap-client=100; path=/, MYSAPSSO2=AjQxMDMBABhTAFMARQBOAEcAVQBQAFQAQQAgACAAIAACAAYxADAAMAADABBHAFcAMQAgACAAIAAgACAABAAYMgAwADEANwAwADkAMAAxADIAMAA0ADkABQAEAAAACAYAAlgACQACRQD%2fAPswgfgGCSqGSIb3DQEHAqCB6jCB5wIBATELMAkGBSsOAwIaBQAwCwYJKoZIhvcNAQcBMYHHMIHEAgEBMBkwDjEMMAoGA1UEAxMDR1cxAgcgFAMoIAMBMAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNzA5MDEyMDQ5MzhaMCMGCSqGSIb3DQEJBDEWBBRP7sl8St9p53T9Sfu58sTb3jTNFjAJBgcqhkjOOAQDBC8wLQIVALIiQKECoPjhBihxA7OXoDOEGy3YAhQroXwahnTKR0A7du7u5zwj1Q0cgg%3d%3d; path=/; domain=.mindsetconsulting.com, SAP_SESSIONID_GW1_100=u1BKLug0BNWYM0-zg_JWTBEihxmPVxHnvTMKDkBCwEk%3d; path=/
    access-control-allow-credentials: true
    access-control-allow-headers: *
    access-control-allow-origin: *.google.com
    access-control-allow-methods: *
} System.Net.Http.Headers.HttpResponseHeaders

Posting payload with the token:

public async Task<string> SendChannelToSAP(UserStorage userStorage, string csrf)
{
    string payloadJson;
    string jsonResponse;
    HttpResponseMessage response;
    HttpContent content;

    using (var client = new HttpClient())
    {
        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(
            "Basic", Convert.ToBase64String(
                System.Text.Encoding.ASCII.GetBytes(
                     string.Format("{0}:{1}", userName.Text.ToUpper(), SAPpassword.Password))));

        payloadJson = JsonConvert.SerializeObject(userStorage);
        content     = new StringContent(payloadJson);
        content.Headers.ContentType = new MediaTypeHeaderValue("application/json");
        client.DefaultRequestHeaders.Add("x-csrf-token", csrf);
        try
        {
            response = await client.PostAsync(_URI, content);
            if (response.IsSuccessStatusCode)
            {
                jsonResponse = await response.Content.ReadAsStringAsync();
                return jsonResponse;
                //do something with json response here                    
            }
            else
            {
                return null;
            }

        }
        catch (Exception e)
        {
            string error = e.GetBaseException().ToString();
            //Could not connect to server
            return null;
        }
    }
}

I am getting the following response

>response   
{
    StatusCode: 403, ReasonPhrase: 'Forbidden', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
    {
      x-csrf-token: Required
      set-cookie: sap-usercontext=sap-client=100; path=/
      set-cookie: MYSAPSSO2=AjQxMDMBABhTAFMARQBOAEcAVQBQAFQAQQAgACAAIAACAAYxADAAMAADABBHAFcAMQAgACAAIAAgACAABAAYMgAwADEANwAwADkAMAAxADIAMAAzADgABQAEAAAACAYAAlgACQACRQD%2fAPswgfgGCSqGSIb3DQEHAqCB6jCB5wIBATELMAkGBSsOAwIaBQAwCwYJKoZIhvcNAQcBMYHHMIHEAgEBMBkwDjEMMAoGA1UEAxMDR1cxAgcgFAMoIAMBMAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNzA5MDEyMDM4MTBaMCMGCSqGSIb3DQEJBDEWBBRSJQHrlPcSnxYjzSrqJ%2frOgo%2fg2TAJBgcqhkjOOAQDBC8wLQIUXjXws4bw63uLdWR%21NB9r9XUCD54CFQCH6y91A%21uKMzyfZEo7pvxjXys6zg%3d%3d; path=/; domain=.mindsetconsulting.com
      set-cookie: SAP_SESSIONID_GW1_100=Zvfe5ueHO1md7_ybPcLEcnem3m6PVRHnvP4KDkBCwEk%3d; path=/
      access-control-allow-credentials: true
      access-control-allow-headers: *
      access-control-allow-origin: *.google.com
      access-control-allow-methods: *
      content-length: 28
      content-type: text/plain; charset=utf-8
    }
} System.Net.Http.HttpResponseMessage

Answer 1

I found the issue. I had to collect the cookies along with the csrf token and apply those cookies in the actual POST method. That worked.

Getting the cookies after the GET

var uri = new Uri(_URI);
_responseCookies = cookies.GetCookies(uri).Cast<Cookie>();

And then adding the cookies to the POST

var cookieContainer = new CookieContainer();
foreach (var cookie in _responseCookies)
{
    cookieContainer.Add(new Uri(_URI), cookie);
}
var handler = new HttpClientHandler() { CookieContainer = cookieContainer };