
Error authenticating the login page. #10356


User avatar
0
dvillena.cp created

Hi, we’re finding that users often get a 400 error message when they try to authenticate.

I’ve checked the logs and this is what I see:

2026-01-27 12:51:57.800 +01:00 [ERR] [] [] An unhandled exception has occurred while executing the request.
System.Exception: An error was encountered while handling the remote login.
 ---> System.Exception: Unable to unprotect the message.State.
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Volo.Abp.AspNetCore.Security.AbpSecurityHeadersMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
   at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c__DisplayClass6_1.<

What solution would you suggest in this case? Best regards


60 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    I checked. The 400 error happened in the auth server project (https://extranetidentity-dev.cincaporc.com/).

    Could you share the debug logs for https://extranetidentity-dev.cincaporc.com website?

    Thanks.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    You can try disabling the AntiforgeryToken for the login page in the authserver project.

    context.Services.AddRazorPages(options =>
    {
        options.Conventions.AddPageApplicationModelConvention("/Account/Login", model =>
        {
            model.Filters.Add(new IgnoreAntiforgeryTokenAttribute());
        });
    });
    

  • User Avatar
    0
    dvillena.cp created

    Hello, How’s it going?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Can you try:

  • User Avatar
    0
    dvillena.cp created

    [maliming] said: You can try disabling the AntiforgeryToken for the login page in the authserver project.

    context.Services.AddRazorPages(options => 
    { 
        options.Conventions.AddPageApplicationModelConvention("/Account/Login", model => 
        { 
            model.Filters.Add(new IgnoreAntiforgeryTokenAttribute()); 
        }); 
    }); 
    

    About that, which part is it exactly? I can’t find where we have that code. And regarding the logs, do you want me to send you the logs after you tested it with Identity?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Add the code to your authserver project. I think the issue will be fixed, so no need to share logs. : )

    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        context.Services.AddRazorPages(options => 
        { 
            options.Conventions.AddPageApplicationModelConvention("/Account/Login", model => 
            { 
                model.Filters.Add(new IgnoreAntiforgeryTokenAttribute()); 
            }); 
        }); 
    }
    
  • User Avatar
    0
    dvillena.cp created

    Hi, it looks good. I’ve been testing it and it’s working. I’ll deploy the code to the prod environment tomorrow and test it to make sure everything works fine. Should we leave what we did earlier as it is, or should I remove it and keep only this line of code?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    You only need the code below in authserver project

    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        context.Services.AddRazorPages(options => 
        { 
            options.Conventions.AddPageApplicationModelConvention("/Account/Login", model => 
            { 
                model.Filters.Add(new IgnoreAntiforgeryTokenAttribute()); 
            }); 
        }); 
    }
    

    and code below in your web and web.public

    var cookieLifetime = TimeSpan.FromMinutes(60);
    options.RemoteAuthenticationTimeout = cookieLifetime;
    options.CorrelationCookie.Expiration = cookieLifetime;
    options.NonceCookie.Expiration = cookieLifetime;
    
    options.ProtocolValidator.NonceLifetime = cookieLifetime;
    

    Thanks.

  • User Avatar
    0
    dvillena.cp created

    Hi, It seems we’re still having the same issue because a user logged in and got the 400 error immediately. I’ve sent you the Identity logs from the moment the error occurred.

    2026-02-18 08:10:38.303 +01:00 [WRN] Ldap login feature is not enabled!
    2026-02-18 08:10:38.304 +01:00 [WRN] OAuth login feature is not enabled!
    2026-02-18 08:10:38.397 +01:00 [INF] Executed action method Volo.Abp.OpenIddict.Controllers.TokenController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore), returned result Microsoft.AspNetCore.Mvc.SignInResult in 94.5037ms.
    2026-02-18 08:10:38.398 +01:00 [INF] Executing SignInResult with authentication scheme (OpenIddict.Server.AspNetCore) and the following principal: System.Security.Claims.ClaimsPrincipal.
    2026-02-18 08:10:38.414 +01:00 [INF] Executed action Volo.Abp.OpenIddict.Controllers.TokenController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore) in 112.8529ms
    2026-02-18 08:10:38.415 +01:00 [INF] Executed endpoint 'Volo.Abp.OpenIddict.Controllers.TokenController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore)'
    2026-02-18 08:10:38.433 +01:00 [INF] Request finished HTTP/1.1 POST https://extranetidentity.cincaporc.com/connect/token application/x-www-form-urlencoded 123 - 200 1548 application/json;charset=UTF-8 147.8813ms
    2026-02-18 08:10:57.750 +01:00 [INF] Request starting HTTP/1.1 POST https://extranetidentity.cincaporc.com/connect/introspect application/x-www-form-urlencoded 1673
    2026-02-18 08:10:57.763 +01:00 [INF] Request finished HTTP/1.1 POST https://extranetidentity.cincaporc.com/connect/introspect application/x-www-form-urlencoded 1673 - 200 302 application/json;charset=UTF-8 13.0180ms
    2026-02-18 08:10:57.938 +01:00 [INF] Request starting HTTP/1.1 POST https://extranetidentity.cincaporc.com/connect/introspect application/x-www-form-urlencoded 1673
    2026-02-18 08:10:57.944 +01:00 [INF] Request starting HTTP/1.1 POST https://extranetidentity.cincaporc.com/connect/introspect application/x-www-form-urlencoded 1673
    2026-02-18 08:10:57.946 +01:00 [INF] Request starting HTTP/1.1 POST https://extranetidentity.cincaporc.com/connect/introspect application/x-www-form-urlencoded 1673
    2026-02-18 08:10:57.955 +01:00 [INF] Request finished HTTP/1.1 POST https://extranetidentity.cincaporc.com/connect/introspect application/x-www-form-urlencoded 1673 - 200 302 application/json;charset=UTF-8 17.2025ms
    2026-02-18 08:10:57.956 +01:00 [INF] Request finished HTTP/1.1 POST https://extranetidentity.cincaporc.com/connect/introspect application/x-www-form-urlencoded 1673 - 200 302 application/json;charset=UTF-8 12.7770ms
    2026-02-18 08:10:57.963 +01:00 [INF] Request finished HTTP/1.1 POST https://extranetidentity.cincaporc.com/connect/introspect application/x-www-form-urlencoded 1673 - 200 302 application/json;charset=UTF-8 16.9383ms
    2026-02-18 08:10:58.018 +01:00 [INF] Request starting HTTP/1.1 GET https://extranetidentity.cincaporc.com/api/account/profile-picture-file/160cb32b-0828-695f-edc4-3a08d7705fcb?api-version=1.0 - -
    2026-02-18 08:10:58.019 +01:00 [INF] Executing endpoint 'Volo.Abp.Account.AccountController.GetProfilePictureFileAsync (Volo.Abp.Account.Pro.Public.HttpApi)'
    2026-02-18 08:10:58.019 +01:00 [INF] Route matched with {area = "account", action = "GetProfilePictureFile", controller = "Account", page = ""}. Executing controller action with signature System.Threading.Tasks.Task`1[Volo.Abp.Content.IRemoteStreamContent] GetProfilePictureFileAsync(System.Guid) on controller Volo.Abp.Account.AccountController (Volo.Abp.Account.Pro.Public.HttpApi).
    2026-02-18 08:10:58.022 +01:00 [INF] Executing action method Volo.Abp.Account.AccountController.GetProfilePictureFileAsync (Volo.Abp.Account.Pro.Public.HttpApi) - Validation state: "Valid"
    2026-02-18 08:10:58.023 +01:00 [INF] Executed action method Volo.Abp.Account.AccountController.GetProfilePictureFileAsync (Volo.Abp.Account.Pro.Public.HttpApi), returned result Microsoft.AspNetCore.Mvc.ObjectResult in 0.9072ms.
    2026-02-18 08:10:58.024 +01:00 [INF] Executing ObjectResult, writing value of type 'Volo.Abp.Content.RemoteStreamContent'.
    2026-02-18 08:10:58.024 +01:00 [INF] Executed action Volo.Abp.Account.AccountController.GetProfilePictureFileAsync (Volo.Abp.Account.Pro.Public.HttpApi) in 4.3813ms
    2026-02-18 08:10:58.024 +01:00 [INF] Executed endpoint 'Volo.Abp.Account.AccountController.GetProfilePictureFileAsync (Volo.Abp.Account.Pro.Public.HttpApi)'
    2026-02-18 08:10:58.024 +01:00 [INF] Request finished HTTP/1.1 GET https://extranetidentity.cincaporc.com/api/account/profile-picture-file/160cb32b-0828-695f-edc4-3a08d7705fcb?api-version=1.0 - - - 200 2939 image/jpeg 6.5757ms
    2026-02-18 08:10:58.188 +01:00 [INF] Request starting HTTP/1.1 POST https://extranetidentity.cincaporc.com/connect/introspect application/x-www-form-urlencoded 1673
    2026-02-18 08:10:58.201 +01:00 [INF] Request finished HTTP/1.1 POST https://extranetidentity.cincaporc.com/connect/introspect application/x-www-form-urlencoded 1673 - 200 302 application/json;charset=UTF-8 12.8679ms
    2026-02-18 08:10:58.420 +01:00 [INF] Request starting HTTP/1.1 POST https://extranetidentity.cincaporc.com/connect/token application/x-www-form-urlencoded 123
    2026-02-18 08:10:58.435 +01:00 [INF] Executing endpoint 'Volo.Abp.OpenIddict.Controllers.TokenController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore)'
    2026-02-18 08:10:58.435 +01:00 [INF] Route matched with {action = "Handle", controller = "Token", area = "", page = ""}. Executing controller action with signature System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.IActionResult] HandleAsync() on controller Volo.Abp.OpenIddict.Controllers.TokenController (Volo.Abp.OpenIddict.AspNetCore).
    2026-02-18 08:10:58.436 +01:00 [INF] Executing action method Volo.Abp.OpenIddict.Controllers.TokenController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore) - Validation state: "Valid"
    2026-02-18 08:10:58.437 +01:00 [WRN] Ldap login feature is not enabled!
    2026-02-18 08:10:58.438 +01:00 [WRN] OAuth login feature is not enabled!
    2026-02-18 08:10:58.542 +01:00 [INF] Executed action method Volo.Abp.OpenIddict.Controllers.TokenController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore), returned result Microsoft.AspNetCore.Mvc.SignInResult in 105.92ms.
    2026-02-18 08:10:58.543 +01:00 [INF] Executing SignInResult with authentication scheme (OpenIddict.Server.AspNetCore) and the following principal: System.Security.Claims.ClaimsPrincipal.
    2026-02-18 08:10:58.559 +01:00 [INF] Executed action Volo.Abp.OpenIddict.Controllers.TokenController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore) in 123.946ms
    2026-02-18 08:10:58.559 +01:00 [INF] Executed endpoint 'Volo.Abp.OpenIddict.Controllers.TokenController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore)'
    2026-02-18 08:10:58.572 +01:00 [INF] Request finished HTTP/1.1 POST https://extranetidentity.cincaporc.com/connect/token application/x-www-form-urlencoded 123 - 200 1548 application/json;charset=UTF-8 152.3619ms
    2026-02-18 08:10:58.652 +01:00 [INF] Request starting HTTP/1.1 POST https://extranetidentity.cincaporc.com/connect/token application/x-www-form-urlencoded 123
    2026-02-18 08:10:58.668 +01:00 [INF] Executing endpoint 'Volo.Abp.OpenIddict.Controllers.TokenController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore)'
    2026-02-18 08:10:58.668 +01:00 [INF] Route matched with {action = "Handle", controller = "Token", area = "", page = ""}. Executing controller action with signature System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.IActionResult] HandleAsync() on controller Volo.Abp.OpenIddict.Controllers.TokenController (Volo.Abp.OpenIddict.AspNetCore).
    2026-02-18 08:10:58.669 +01:00 [INF] Executing action method Volo.Abp.OpenIddict.Controllers.TokenController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore) - Validation state: "Valid"
    2026-02-18 08:10:58.670 +01:00 [WRN] Ldap login feature is not enabled!
    2026-02-18 08:10:58.671 +01:00 [WRN] OAuth login feature is not enabled!
    2026-02-18 08:10:58.764 +01:00 [INF] Executed action method Volo.Abp.OpenIddict.Controllers.TokenController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore), returned result Microsoft.AspNetCore.Mvc.SignInResult in 94.95ms.
    2026-02-18 08:10:58.765 +01:00 [INF] Executing SignInResult with authentication scheme (OpenIddict.Server.AspNetCore) and the following principal: System.Security.Claims.ClaimsPrincipal.
    2026-02-18 08:10:58.776 +01:00 [INF] Request starting HTTP/1.1 POST https://extranetidentity.cincaporc.com/connect/token application/x-www-form-urlencoded 123
    2026-02-18 08:10:58.783 +01:00 [INF] Executed action Volo.Abp.OpenIddict.Controllers.TokenController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore) in 114.2755ms
    2026-02-18 08:10:58.783 +01:00 [INF] Executed endpoint 'Volo.Abp.OpenIddict.Controllers.TokenController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore)'
    2026-02-18 08:10:58.791 +01:00 [INF] Executing endpoint 'Volo.Abp.OpenIddict.Controllers.TokenController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore)'
    2026-02-18 08:10:58.792 +01:00 [INF] Route matched with {action = "Handle", controller = "Token", area = "", page = ""}. Executing controller action with signature System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.IActionResult] HandleAsync() on controller Volo.Abp.OpenIddict.Controllers.TokenController (Volo.Abp.OpenIddict.AspNetCore).
    2026-02-18 08:10:58.792 +01:00 [INF] Executing action method Volo.Abp.OpenIddict.Controllers.TokenController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore) - Validation state: "Valid"
    2026-02-18 08:10:58.793 +01:00 [WRN] Ldap login feature is not enabled!
    2026-02-18 08:10:58.794 +01:00 [WRN] OAuth login feature is not enabled!
    2026-02-18 08:10:58.796 +01:00 [INF] Request finished HTTP/1.1 POST https://extranetidentity.cincaporc.com/connect/token application/x-www-form-urlencoded 123 - 200 1548 application/json;charset=UTF-8 144.2937ms
    2026-02-18 08:10:58.883 +01:00 [INF] Executed action method Volo.Abp.OpenIddict.Controllers.TokenController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore), returned result Microsoft.AspNetCore.Mvc.SignInResult in 91.3788ms.
    2026-02-18 08:10:58.884 +01:00 [INF] Executing SignInResult with authentication scheme (OpenIddict.Server.AspNetCore) and the following principal: System.Security.Claims.ClaimsPrincipal.
    2026-02-18 08:10:58.902 +01:00 [INF] Executed action Volo.Abp.OpenIddict.Controllers.TokenController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore) in 110.2148ms
    2026-02-18 08:10:58.902 +01:00 [INF] Executed endpoint 'Volo.Abp.OpenIddict.Controllers.TokenController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore)'
    2026-02-18 08:10:58.915 +01:00 [INF] Request finished HTTP/1.1 POST https://extranetidentity.cincaporc.com/connect/token application/x-www-form-urlencoded 123 - 200 1548 application/json;charset=UTF-8 139.6083ms
    2026-02-18 08:11:16.761 +01:00 [INF] Request starting HTTP/1.1 POST https://extranetidentity.cincaporc.com/connect/introspect application/x-www-form-urlencoded 1673
    2026-02-18 08:11:16.774 +01:00 [INF] Request finished HTTP/1.1 POST https://extranetidentity.cincaporc.com/connect/introspect application/x-www-form-urlencoded 1673 - 200 302 application/json;charset=UTF-8 13.7022ms
    2026-02-18 08:11:20.037 +01:00 [INF] Request starting HTTP/1.1 GET https://extranetidentity.azurewebsites.net/health - -
    2026-02-18 08:11:20.039 +01:00 [INF] Executing endpoint 'HTTP: GET /health'
    2026-02-18 08:11:20.039 +01:00 [INF] Writing value of type 'System.String' with status code '200
    
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    There is no 400 error. Can you share the full logs.txt file of web and authserver to liming.ma@volosoft.com?

    Thanks.
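
The check from the last reply can be repeated with a short script that scans a log in this Serilog layout for 4xx/5xx responses and for the "Unable to unprotect the message.State" exception. This is an added example, not code from the thread or from ABP; the sample lines, the `example.test` hosts and the `triage` function are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the same layout as the logs posted in this thread.
SAMPLE_LOG = """\
2026-02-18 08:10:38.433 +01:00 [INF] Request finished HTTP/1.1 POST https://auth.example.test/connect/token application/x-www-form-urlencoded 123 - 200 1548 application/json;charset=UTF-8 147.8813ms
2026-02-18 08:10:57.763 +01:00 [INF] Request finished HTTP/1.1 POST https://auth.example.test/connect/introspect application/x-www-form-urlencoded 1673 - 200 302 application/json;charset=UTF-8 13.0180ms
2026-02-18 08:11:02.100 +01:00 [ERR] [] [] An unhandled exception has occurred while executing the request.
System.Exception: An error was encountered while handling the remote login.
 ---> System.Exception: Unable to unprotect the message.State.
2026-02-18 08:11:02.104 +01:00 [INF] Request finished HTTP/1.1 POST https://auth.example.test/Account/Login application/x-www-form-urlencoded 2210 - 400 0 - 4.1200ms
2026-02-18 08:11:20.039 +01:00 [INF] Request finished HTTP/1.1 GET https://auth.example.test/health - - - 200 - text/plain 1.2000ms
"""

# "<date> <time> <offset> [LVL] message"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<level>[A-Z]{3})\] (?P<msg>.*)$")
# "Request finished <proto> <method> <url> <req type> <req len> - <status> ..."
FINISHED_RE = re.compile(
    r"Request finished \S+ (?P<method>\S+) (?P<url>\S+) .*? - (?P<status>\d{3}) ")
STATE_ERROR = "Unable to unprotect the message.State"

def triage(log_text):
    """Return status counts, failed requests and state-unprotect error times."""
    statuses, failed, state_errors = Counter(), [], []
    last_ts = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            last_ts = m["ts"]
        # Stack-trace lines have no timestamp, so attribute the exception
        # to the most recent timestamped entry.
        if STATE_ERROR in raw:
            state_errors.append(last_ts)
        fin = FINISHED_RE.search(m["msg"]) if m else None
        if fin:
            status = int(fin["status"])
            statuses[status] += 1
            if status >= 400:
                failed.append((m["ts"], fin["method"], fin["url"], status))
    return {"statuses": dict(statuses), "failed": failed,
            "state_errors": state_errors}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run it over both the web and the authserver log files: the URL on the failed request shows which application returned the 400.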

Made with ❤️ on ABP v10.3.0-preview. Updated on March 13, 2026, 12:51