Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Chris Spanellis 45 posts 189 karma points
    Oct 11, 2023 @ 00:32
    Chris Spanellis
    0

    Issues with antiforgery token being decrypted after Azure slot swap

    Hi,

    I am using slot swapping and using the recommended settings (v11.2.0), and everything is working very well except for the AntiforgeryValidationException.

    Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The antiforgery token could not be decrypted. ---> System.Security.Cryptography.CryptographicException: The key {NOTSHOWINGACTUALKEYIN_FORUM} was not found in the key ring. For more information go to http://aka.ms/dataprotectionwarning at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status) at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData) at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken) --- End of inner exception stack trace --- at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken) at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.GetCookieTokenDoesNotThrow(HttpContext httpContext)

    What I've found for possible solutions is to use a data store for the tokens, such as Azure Blob Storage or Redis, which you would do like so:

    services.AddDataProtection().PersistKeysToAzureBlobStorage(...);
    

    Assuming someone doesn't have an existing solution that comes out of the box with Umbraco, where is the right place to call this? I see that in the IUmbracoBuilder call to AddWebsite(), it calls AddDataProtection(), and there's no way to inject yourself in there (and there's even a TODO regarding load balanced setups).

    So would calling it before or after this call work?

    Thanks in advance!

  • Alexander 34 posts 84 karma points
    Nov 28, 2023 @ 22:42
    Alexander
    0

    I have exactly the same problem on version 12.3.3. I also use slot swapping, but I think the problem started to appear after I changed the App Service Plan. How did you fix it?

  • Chris Spanellis 45 posts 189 karma points
    Nov 28, 2023 @ 22:56
    Chris Spanellis
    0

    Well I wouldn't say I "fixed" it, but I think I mitigated it somewhat. I still see errors in the logs on a swap, but I think it's less than before.

    1. Call custom IServiceCollection extension method to AddDataProtection before call to AddUmbraco
    2. Piggy-back on existing Umbraco blob storage settings for connection string
    3. Call AddDataProtection then PersistKeysToAzureBlobStorage

      var blobSection = configuration.GetSection("Umbraco:Storage:AzureBlob:Media");

      AzureBlobFileSystemOptions blobOptions = new();

      blobSection.Bind(blobOptions);

      services .AddDataProtection() .PersistKeysToAzureBlobStorage(blobOptions.ConnectionString, "SomeContainerName", "Someblob.xml");

  • Carl Sargunar 69 posts 91 karma points MVP 3x
    Apr 15, 2024 @ 22:38
    Carl Sargunar
    0

    Hey - has someone else had this problem still? We are seeing this on slot swap in v13, so might need to look to implement something like this

    Has anyone seen similar?

  • Markus Johansson 1924 posts 5831 karma points MVP c-trib
    Apr 19, 2024 @ 08:00
    Markus Johansson
    0

    Hi!

    We've started to notice this issue lately as well, I'm not sure if it has been there for a while and we've only noticed it lately or if this is something new.

    For us it's present in the latest v13 (13.2.2) and I've managed to replicate it on the latest v12 (12.3.9) and in some cases v11 (11.2.1).

    My investigation indicates that there's a problem with how the backoffice creates/validates it's anti forgery tokens. In our case it works well when running the site via Kestrel (dotnet run) and IIS Express, however, the issue shows up in these scenarios:

    • We reycle the App Pool on any v12 or v13 site (not v11)
    • We run the IIS app pool using a custom identity (not ApplicationPoolIdentity), a recycle would trigger the error. This indicates that the fact that we have another identity for app pool means that this identity does not have permission to read/write the keys.
    • We switch between app pools (even when running as default ApplicationPoolIdentity). The only thing we do is switch between two app pools with the same settings.

    We do have the key ring stored on disk like this:

    builder.Services.AddDataProtection()
        .PersistKeysToFileSystem(new DirectoryInfo("\\Temp\\UmbracoKeys\\"))
        .SetApplicationName("UmbracoTestSite")
        .SetDefaultKeyLifetime(TimeSpan.FromDays(90));
    

    I've tested anti-forgery tokens on the front end and they "survive" in all the scenarios above where the backoffice token does not.

    The fact that I've consistently managed to replicate the issue when switching app pools in IIS might indicate that the issue is similar to what is happening when you do slot swap in Azure?

    I need to investigate a little more but it seems like there is something strange around how the backoffice anti-forgery tokens are stored, maybe they ignore the setting from AddDataProtection() which causes the key ring for the anti-forgery token to be stored in memory or some strange place that is dependent on the current app pool.

    I'll create an github issue around this and share my findings.

    EDIT: Issue is not created here: https://github.com/umbraco/Umbraco-CMS/issues/16107

  • Markus Johansson 1924 posts 5831 karma points MVP c-trib
    Apr 19, 2024 @ 11:34
    Markus Johansson
    0

    Update:

    I have found a work around that solves the problem for us:

    https://github.com/umbraco/Umbraco-CMS/issues/16107#issuecomment-2066368483

Please Sign in or register to post replies

Write your reply to:

Draft