
Unable to disable antiforgery in ABP 10.0.3 #10421


mattw@agilenova.com created

I have tried disabling antiforgery validation to support mobile authentication and am receiving a 400 error during android login indicating that the server is expecting an Antiforgery token:

    2026-02-12 21:06:23.245 +00:00 [Information] [Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.AutoValidateAntiforgeryTokenAuthorizationFilter] [{ Id: 1, Name: "AntiforgeryTokenInvalid" }] Antiforgery token validation failed. "The required antiforgery cookie ".AspNetCore.Antiforgery.vybsmWwa-MM" is not present."
    Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The required antiforgery cookie ".AspNetCore.Antiforgery.vybsmWwa-MM" is not present.
       at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.ValidateRequestAsync(HttpContext httpContext)
       at Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.ValidateAntiforgeryTokenAuthorizationFilter.OnAuthorizationAsync(AuthorizationFilterContext context)
    2026-02-12 21:06:23.245 +00:00 [Information] [Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker] [{ Id: 3, Name: "AuthorizationFailure" }] Authorization failed for the request at filter '"Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.AutoValidateAntiforgeryTokenAuthorizationFilter"'.
    2026-02-12 21:06:23.245 +00:00 [Information] [Microsoft.AspNetCore.Mvc.StatusCodeResult] [{ Id: 1, Name: "HttpStatusCodeResultExecuting" }] Executing StatusCodeResult, setting HTTP status code 400
    2026-02-12 21:06:23.245 +00:00 [Information] [Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker] [{ Id: 104, Name: "PageExecuted" }] Executed page "/Account/Login" in 0.4757ms

I currently have this option setting in MyAppHttpApiHostModule.cs's ConfigureServices method:

    Configure<AbpAntiForgeryOptions>(options =>
    {
        options.AutoValidate = false;
    });

I have also tried adding this just below the AutoValidate change:

    context.Services.Configure<MvcOptions>(mvcOptions =>
    {
        // CORRECT way to remove filters
        var filtersToRemove = mvcOptions.Filters
            .Where(f => f is AutoValidateAntiforgeryTokenAttribute)
            .ToList();

        foreach (var filter in filtersToRemove)
        {
            mvcOptions.Filters.Remove(filter);
        }
    });
  • Exception message and full stack trace: See above

  • Steps to reproduce the issue: Attempt to login from a flutter app, using flutter_appauth using OIDC authorization code grant. Same error happens for a Maui app.


6 Answer(s)
  • AI-Bot (Support Team ABP Agent) created
    • Your setting Configure<AbpAntiForgeryOptions>(o => o.AutoValidate = false) disables ABP’s global [AbpAutoValidateAntiforgeryToken] behavior for MVC/API endpoints, but your error is coming from Microsoft’s built-in Razor Pages antiforgery filter: Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.AutoValidateAntiforgeryTokenAuthorizationFilter and the failing endpoint is the Razor Page /Account/Login.

    • In ABP (with the Account module), /Account/Login is a Razor Page and it’s expected to be protected by antiforgery because it is a cookie-based, browser login page. For mobile OIDC (Authorization Code + PKCE), you typically should not POST to /Account/Login from the mobile app at all. The mobile app should start the OIDC authorize flow in a system browser/custom tab, and the browser will handle cookies + antiforgery correctly.

    • If you still want to allow posting to /Account/Login without antiforgery (not recommended), do it specifically for that Razor Page by overriding the login page model and suppressing antiforgery validation.

    Solution

    1. Keep ABP antiforgery enabled (recommended) and don’t call /Account/Login from the mobile app
    • For Flutter/Maui AppAuth you should use:
      • /connect/authorize (system browser)
      • /connect/token (back-channel)
    • Do not automate a form POST to /Account/Login from the app. That endpoint is designed for interactive browser login.
    2. If you must disable antiforgery for /Account/Login, override the Razor Page and ignore antiforgery
    • In your *.HttpApi.Host (or *.Web) project, create:

    Pages/Account/Login.cshtml.cs

    using Microsoft.AspNetCore.Mvc;
    using Volo.Abp.Account.Web.Pages.Account;
    
    namespace MyCompany.MyApp.HttpApi.Host.Pages.Account;
    
    [IgnoreAntiforgeryToken] // disables Razor Pages antiforgery validation for this page
    public class LoginModel : Volo.Abp.Account.Web.Pages.Account.LoginModel
    {
        public LoginModel(
            Microsoft.AspNetCore.Authentication.IAuthenticationSchemeProvider schemeProvider,
            Microsoft.Extensions.Options.IOptions<Volo.Abp.Account.Web.AbpAccountOptions> accountOptions,
            Microsoft.Extensions.Options.IOptions<Microsoft.AspNetCore.Identity.IdentityOptions> identityOptions,
            Volo.Abp.Identity.IdentityDynamicClaimsPrincipalContributorCache contributorCache)
            : base(schemeProvider, accountOptions, identityOptions, contributorCache)
        {
        }
    }
    

    Pages/Account/Login.cshtml

    • Create Pages/Account/Login.cshtml to override the UI (you can copy the original ABP login page markup from the Account module as described in ABP’s “customize login page” approach). The key part for antiforgery is the Login.cshtml.cs with [IgnoreAntiforgeryToken].
    3. Remove your attempt to remove AutoValidateAntiforgeryTokenAttribute from MvcOptions
    • That code targets MVC filters/attributes and won’t reliably remove the Razor Pages antiforgery filter that’s actually rejecting /Account/Login.

    Notes (important for your symptom)

    • ABP’s antiforgery system already bypasses validation for non-browser clients, but your failing request is to a Razor Page login endpoint, which is a browser/cookie flow and therefore expects antiforgery.
    • If your mobile HTTP client is carrying cookies (or behaving like a browser), you can also trigger antiforgery expectations in some flows. But again: mobile should not be posting to /Account/Login in the first place for OIDC.

    Sources

    • https://abp.io/docs/latest/framework/infrastructure/csrf-anti-forgery
    • https://abp.io/support/questions/3338
    • https://abp.io/support/questions/1895

    This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

  • mattw@agilenova.com created

    The mobile app is not accessing /Account/Login directly, the mobile app is starting the OIDC authorize flow in a system browser/custom tab. This flow works fine on iOS (with or without antiforgery tokens enabled), but it fails consistently on Android.

  • AI-Bot (Support Team ABP Agent) created
    • Since your mobile app is using the system browser/custom tab, the 400 on "/Account/Login" with missing ".AspNetCore.Antiforgery.*" cookie is almost always a cookie not being stored/sent back during the login POST inside that browser session.
    • The iOS-vs-Android difference strongly points to a SameSite/Secure cookie policy / HTTP-vs-HTTPS behavior difference (Android Chrome / Custom Tabs tend to be stricter/behave differently than iOS Safari/WebKit in some setups). When the antiforgery cookie is not persisted/sent, the POST to /Account/Login fails exactly like your log.

    Solution

    1. Ensure you are using HTTPS end-to-end for the Authority
    • Make sure the AuthServer:Authority you use in the mobile OIDC config is https://... (not http://...) and the browser is actually hitting HTTPS.
    • If you are testing behind a proxy / ingress, ensure forwarded headers are configured so ASP.NET Core knows the original scheme is HTTPS; otherwise cookies can be emitted without Secure and then dropped/not returned by modern browsers.
    2. Apply a SameSite cookie policy workaround (ABP’s documented approach). Add a SameSite cookie policy to deal with browser incompatibilities, then enable UseCookiePolicy() early.

    In your *.Web (or the host project that serves the /Account/* pages), add:

    ConfigureServices

    context.Services.AddSameSiteCookiePolicy();
    

    OnApplicationInitialization (before auth middleware that writes cookies)

    app.UseCookiePolicy();
    

    This is the approach used to fix browser-specific login cookie issues.

    3. Do not try to disable antiforgery for this. Your symptom is not “ABP antiforgery is incorrectly enabled for a non-browser client”; it’s “the browser did not return the antiforgery cookie”. Disabling antiforgery just masks the underlying cookie issue and weakens the login endpoint.

    Links (validated)

    • https://abp.io/community/articles/patch-for-chrome-login-issue-identityserver4-samesite-cookie-problem-weypwp3n
    • https://learn.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-9.0
    • https://abp.io/docs/latest/framework/infrastructure/csrf-anti-forgery
    • https://abp.io/support/questions/9426

    This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
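The answer above calls AddSameSiteCookiePolicy() without showing what it does. The extension below is an added example, not ABP's code or the linked community article's: it follows the pattern Microsoft documents for SameSite browser incompatibilities, and the class name and user-agent heuristics are this example's own. Note what it does and does not do: it only strips the SameSite attribute from cookies issued with SameSite=None when the client is one known to reject that value; it never touches the antiforgery check itself.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Added example (not ABP's or the linked article's code): a SameSite cookie policy in the
// shape Microsoft's SameSite guidance describes. Register in ConfigureServices, then call
// app.UseCookiePolicy() before the authentication middleware that writes cookies.
public static class SameSiteCookiePolicyExtensions
{
    public static IServiceCollection AddSameSiteCookiePolicy(this IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            // Do not force a minimum: each cookie keeps the SameSite value its issuer chose,
            // so Lax/Strict cookies such as the antiforgery cookie are never weakened here.
            options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
            options.OnAppendCookie = ctx => CheckSameSite(ctx.Context, ctx.CookieOptions);
            options.OnDeleteCookie = ctx => CheckSameSite(ctx.Context, ctx.CookieOptions);
        });
        return services;
    }

    // Only SameSite=None cookies are inspected. Clients that predate SameSite=None either drop
    // such cookies or treat them as Strict, so for those the attribute is omitted instead.
    private static void CheckSameSite(HttpContext httpContext, CookieOptions options)
    {
        if (options.SameSite != SameSiteMode.None)
        {
            return;
        }

        var userAgent = httpContext.Request.Headers["User-Agent"].ToString();
        if (DisallowsSameSiteNone(userAgent))
        {
            options.SameSite = SameSiteMode.Unspecified;
        }
    }

    // Heuristics taken from Microsoft's SameSite guidance; internal so they can be unit-tested.
    internal static bool DisallowsSameSiteNone(string userAgent)
    {
        if (string.IsNullOrEmpty(userAgent)) return false;
        // iOS 12 WebKit-based browsers reject cookies carrying SameSite=None.
        if (userAgent.Contains("CPU iPhone OS 12") || userAgent.Contains("iPad; CPU OS 12")) return true;
        // Safari and embedded WebViews on macOS 10.14 behave the same way.
        if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14") && userAgent.Contains("Version/") && userAgent.Contains("Safari")) return true;
        // Chromium 51 to 66 treated SameSite=None as SameSite=Strict (matches Chrome/5x and Chrome/6x).
        if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6")) return true;
        return false;
    }
}
```

If a current Android Chrome or Custom Tab is the client, none of these heuristics match and the cookie is emitted unchanged, which is why the HTTPS and forwarded-headers check in step 1 of the answer is the more likely fix for that case.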

  • maliming (Support Team Fullstack Developer) created

    hi

    Can you add the code below to your authserver project?

    using Microsoft.AspNetCore.Mvc;                   // IgnoreAntiforgeryTokenAttribute
    using Microsoft.AspNetCore.Mvc.ApplicationModels; // AddPageApplicationModelConvention
    using Microsoft.Extensions.DependencyInjection;   // AddRazorPages
    using Volo.Abp.Modularity;                        // ServiceConfigurationContext

    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        context.Services.AddRazorPages(options =>
        {
            // Scope the exemption to the single login page rather than disabling antiforgery globally.
            options.Conventions.AddPageApplicationModelConvention("/Account/Login", model =>
            {
                model.Filters.Add(new IgnoreAntiforgeryTokenAttribute());
            });
        });
    }
    

    Thanks.

  • mattw@agilenova.com created

    Thank you! That worked.

  • maliming (Support Team Fullstack Developer) created

    Great

Made with ❤️ on ABP v10.2.0-preview. Updated on February 17, 2026, 09:10