The antiforgery token could not be decrypted - Only for specific user

[weirdyang]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

An exception was thrown while deserializing the token.
Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The antiforgery token could not be decrypted.
---> System.Security.Cryptography.CryptographicException: The key {669d513e-a172-4851-b160-04b523abbc1e} was not found in the key ring.
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
   at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
   at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.GetCookieTokenDoesNotThrow(HttpContext httpContext)

We insert an anti-forgery token into the form using @Html.AntiForgeryToken() and validate the request using the [ValidateAntiForgeryToken], however we occasionally get the error above when one user tries to submit.

How is the key generated? Why does the user affect the generation of the token?

Expected Behavior

When user submit a form, the request token is valid and the user request is accepted.

Steps To Reproduce

1. Create a cshtml page
2. Include an antiforgery token in the form using @Html.AntiForgeryToken()
3. Annotate the controller method with [ValidateAntiForgeryToken]
4. Make a post request with the token

Exceptions (if any)

An exception was thrown while deserializing the token.
Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The antiforgery token could not be decrypted.

.NET Version

netcoreapp3.1

Anything else?

We have tried this with different users, different devices and different browsers.

Only this user has the issue, and it is correlated with the logs' timestamp.

I've checked the source code, and was wondering could it be due to special characters in the user name?

https://github.com/dotnet/aspnetcore/blob/main/src/Antiforgery/src/Internal/DefaultAntiforgeryTokenGenerator.cs
No response

[amcasey]

I've checked the source code, and was wondering could it be due to special characters in the user name?

I suppose it's not impossible - are you able to share the user's name? Or maybe just the non-ASCII characters in it? Or what sort of non-ASCII characters it contains (Latin with accents? Japanese? emoji?)?

it is correlated with the logs' timestamp

I wasn't sure quite what you meant by this. I think maybe the user is seeing some sort of failure in their browser and when you look for failures in the log at the corresponding time, this is the stack you see?

Some boilerplate questions:

1. What is your hosting environment? IIS? Kestrel? Azure? A container of some sort?
2. Do you have multiple instances running?

[NitinSinghSF]

We are having this same error running aspnet core web api 6.0 on AWS ECS

[ChadEQ]

I had the same issue in asp.net 7.0 on windows/IIS. One instance. And no special characters in the user name.

[weirdyang]

I've checked the source code, and was wondering could it be due to special characters in the user name?

I suppose it's not impossible - are you able to share the user's name? Or maybe just the non-ASCII characters in it? Or what sort of non-ASCII characters it contains (Latin with accents? Japanese? emoji?)?

it is correlated with the logs' timestamp

I wasn't sure quite what you meant by this. I think maybe the user is seeing some sort of failure in their browser and when you look for failures in the log at the corresponding time, this is the stack you see?

Some boilerplate questions:

1. What is your hosting environment? IIS? Kestrel? Azure? A container of some sort?

2. Do you have multiple instances running?

Hi,

It doesn't contain any special characters or ascii.

Yes, I had the user share their screen, trigger the error and check the logs to ensure it's that error preventing them from submitting a form.

No, I do not have multiple instances running.

[amcasey]

@weirdyang If you're in contact with the user, it might be interesting to ask them to try again after clearing their cookies.

@weirdyang @NitinSinghSF @ChadEQ How is your key ring stored? Is it a file on disk? A blob in Azure Storage?

[amcasey]

Does anyone have a log including namespace Microsoft.AspNetCore.DataProtection, ideally at the Trace level?

[weirdyang]

Hi We have tried the following: 1. Private browsing session 2. Clearing cookies and cache 3. On an iPad and iPhone 4. On an android phone 5. On another user’s laptop We still run into the same error.

…

On Wed, 15 Nov 2023 at 8:34 AM, Andrew Casey ***@***.***> wrote: @weirdyang <https://github.com/weirdyang> If you're in contact with the user, it might be interesting to ask them to try again after clearing their cookies. @weirdyang <https://github.com/weirdyang> @NitinSinghSF <https://github.com/NitinSinghSF> @ChadEQ <https://github.com/ChadEQ> How is your key ring stored? Is it a file on disk? A blob in Azure Storage? — Reply to this email directly, view it on GitHub <#47185 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AGDEEVXX32FPULLO3FNWH5TYEQEXRAVCNFSM6AAAAAAV2DUB7GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMJRGYYTEMRQHA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[amcasey]

@weirdyang To confirm, this happens on every form submission from this user?

@NitinSinghSF @ChadEQ Are you seeing the same? There are multiple ways this error could arise.

[amcasey]

All sorts of default behaviors are overridable, e.g. with AntiforgeryOptions, but it's not immediately obvious to me how the user's name/ID could be incorporated into the anti-forgery token or the data protection key.

Edit: it's in the anti-forgery token, which might explain why the problem follows the user. Maybe something about the way the user is encoded in the token breaks deserialization so that a bad data protection key ID is retrieved?

[amcasey]

I'm assuming no one has a repro project they're able to share?

[amcasey]

Just for the record, I suppose I should mention that netcoreapp3.1 is out of support and wouldn't be patched if that ended up being the fix. I'm tentatively operating on the assumption that @NitinSinghSF and @ChadEQ are seeing the same exception in 6.0 and 7.0, but it would be nice if they could confirm that they're seeing the same symptoms - the problem follows particular users across devices / cookie wipes.