AntiForgery token validation failed using 2FA flow

[apetrut]

I am using Duende IdentityServer v7.0.5 in a web app (Angular) that uses BFF and STS services. After I perform a login using the 2FA flow then a logout and another login right after, I get the error below after I type the username/password (before the 2FA step):

After many attempts to fix this, I noticed that if I disable the [ValidateAntiForgeryToken] from the POST Login endpoint the error no longer appears. Insted, I kept the same [ValidateAntiForgeryToken] attribute on the 2FA endpoint.

I suspect this is the expected behavior since the full Identity cookie is not issued until the 2FA step is finished. Before we had 2FA enabled, the full Identity cookie was issued right after the POST Login endpoint and this was the place where the antiforgery cookie was generated as well.

Currently the login endpoints look like this:

[HttpPost]
[AllowAnonymous]
//[ValidateAntiForgeryToken]
public async Task<IActionResult> Login(LoginInputModel model, string button)

and

[HttpGet]
[AllowAnonymous]
public async Task<IActionResult> LoginWith2fa(bool rememberMe, string returnUrl = null)

and

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<IActionResult> LoginWith2fa(LoginWith2faViewModel model)

Is there another approach to this scenario or is this solution sufficient?

Thanks.

[AndersAbel]

It should be possible to have antiforgery tokens enabled on both post actions.

The antiforgery tokens an ASP.NET Core are bound to the current user. If you have indeed logged out and then visit the login page again, the anti forgery token generated for that login page should be bound to the now anonymous session. When testing this, are you running everything in the same browser tab, or do you do them in parallel in different tabs? The reason I'm asking is because if the login form is rendered before the logout is completed, the token will be bound to the session that is about to be logged out.

Could you also please share some more information on how the 2FA login is implemented? Is this the ASP.NET Identity model with a separate cookie scheme for supporting 2FA?

[apetrut]

Yes, I am running in the same browser tab. Login -> Logout -> Login back again. I also have a FE app (Angular) and a BFF service sitting inside a k8s cluster. Duende services (STS, Admin and Admin api) run inside App Services.
The FE app has a middleware which redirects users when an endpoint from the back-end fails (i.e. returns 401). The code for the middleware is here:

intercept(request: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
    return next.handle(request).pipe(catchError(err => {
      if ([401, 403].includes(err.status)) {
        const currentUser = this.auth.getUser();
        // auto logout if 401 or 403 response returned from api
        if (currentUser) {
          this.toastrService.warning('Session expired. Please log in again.');
          this.auth.logout();
        } else {
          localStorage.removeItem('user');
          localStorage.removeItem('tenant');
          localStorage.removeItem('permissions');
          this.deleteCookie('__Host-spa-ef');
          window.location.replace(`/bff/logout`);
        }
      }

      const error = err.error.message || err.statusText;
      console.error(err);
      return throwError(() => error);
    }));
  }

In the BFF service I have this setup for OIDC flow:

builder
    .Services
    .AddReverseProxy()
    .LoadFromConfig(builder.Configuration.GetSection("ReverseProxy"))
    .AddBffExtensions()

and also:

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = "cookie";
    options.DefaultChallengeScheme = "oidc";
    options.DefaultSignOutScheme = "oidc";
})
    // Cookie flow
    .AddCookie("cookie", options =>
    {
        // host prefixed cookie name
        options.Cookie.Name = "__Host-spa-ef";
        options.ExpireTimeSpan = TimeSpan.FromMinutes(cookieTimeout);
        options.SlidingExpiration = true;
        options.Cookie.SameSite = SameSiteMode.None;
	})
     // Add JWT Bearer scheme
     .AddJwtBearer(options =>
     {
         options.Authority = settings.Authority;
         options.TokenValidationParameters.ValidateAudience = false;

         // it's recommended to check the type header to avoid "JWT confusion" attacks @ Duende
         options.TokenValidationParameters.ValidTypes = ["at+jwt"];
     })
    // OpenID connect w/ cookies for front-end
    .AddOpenIdConnect("oidc", options =>
    {
        options.Authority = settings.Authority;

        // confidential client using code flow + PKCE
        options.ClientId = "bff-client";
        options.ClientSecret = "secret";

        options.ResponseType = "code";
        options.ResponseMode = "query";

        options.CorrelationCookie.Expiration = TimeSpan.FromMinutes(cookieTimeout);
        options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.Always;
        options.RemoteAuthenticationTimeout = TimeSpan.FromMinutes(cookieTimeout);

        options.SignedOutRedirectUri = settings.FrontEndHost;
        options.SignOutScheme = "oidc";

        options.MapInboundClaims = false;
        options.GetClaimsFromUserInfoEndpoint = true;

        // since we're in AKS we could disable it and mind our own business 

        // test
        if (builder.Environment.IsDevelopment())
            options.RequireHttpsMetadata = false;

        options.SaveTokens = true;

        // request scopes + refresh tokens
        options.Scope.Clear();
        options.Scope.Add("openid");
        options.Scope.Add("email");
        options.Scope.Add("profile");
        options.Scope.Add("webapi");
        //options.Scope.Add("offline_access");
        options.Scope.Add("MyClientId_api");

        options.Events = new Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents()
        {
            OnRemoteFailure = context => OnRemoteFailure(context)
		};
    });

logger.Information("BFF session store type: {type}", builder.Services.FirstOrDefault(s => s.ServiceType == typeof(IUserSessionStore))?.ImplementationType);

Task OnRemoteFailure(RemoteFailureContext context)
{
    logger.Error(context.Failure, $"Remote authentication failed: {context.Failure?.Message} and path: {context.Request.Path}.");

    context.HandleResponse(); // Suppress the default behavior

    context.Response.Redirect(settings.FrontEndHost);

    return Task.CompletedTask;
}

Yes, we have a partial cookie issues after login with username/password until the 2FA flow is completed. Only then the full cookie gets generated. Below is the code from the POST /Account/Login endpoint.

var result = await _signInManager.PasswordSignInAsync(user.UserName, model.Password, model.RememberLogin, lockoutOnFailure: true);

if (result.Succeeded)
{
    return Redirect(model.ReturnUrl ?? "~/");
}

if (result.RequiresTwoFactor)
{
    return RedirectToAction(nameof(LoginWith2fa), new { model.ReturnUrl, RememberMe = model.RememberLogin });
}

if (result.IsLockedOut)
{
    return View("Lockout");
}

if (await _userManager.CheckPasswordAsync(user, model.Password))
{
    if (!await _userManager.GetTwoFactorEnabledAsync(user))
    {
        // redirect them to 2FA setup page
        return RedirectToAction("EnableAuthenticator", "Manage");
    }
}

// If none of the above cases matched, it's an invalid login attempt.
ModelState.AddModelError(string.Empty, "Invalid login attempt.");
_logger.LogWarning("Invalid credentials for user: {username}.", model.Username);

var loginVm = await BuildLoginViewModelAsync(model);
return View(loginVm);

Here I have the code for POST /Account/Login2FA endpoint:

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<IActionResult> LoginWith2fa(LoginWith2faViewModel model)
{
    if (!ModelState.IsValid)
    {
        return View(model);
    }

    var user = await _signInManager.GetTwoFactorAuthenticationUserAsync();
    if (user == null)
    {
        throw new InvalidOperationException(_localizer["Unable2FA"]);
    }

    var authenticatorCode = model.TwoFactorCode.Replace(" ", string.Empty).Replace("-", string.Empty);

    var result = await _signInManager.TwoFactorAuthenticatorSignInAsync(authenticatorCode, model.RememberMe, model.RememberMachine);

    if (result.Succeeded)
    {
        await _events.RaiseAsync(new UserLoginSuccessEvent(user.UserName, user.Id.ToString(), user.UserName));

        TempData["ReturnUrl"] = model.ReturnUrl;

        // audit login event.
        await _identityAuditService.SendAuditEventAsync(User, "2FA login", "STS.Identity", new { UserEmail = user.Email }, user.Id);

        return LocalRedirect(string.IsNullOrEmpty(model.ReturnUrl) ? "~/" : model.ReturnUrl);
    }

    if (result.IsLockedOut)
    {
        return View("Lockout");
    }

    ModelState.AddModelError(string.Empty, _localizer["InvalidAuthenticatorCode"]);

    return View(model);
}

Currently the issue with anti forgery is gone, but if I want to logout from user A and login to user B (in the same tab) then I get redirected to the login page no matter what. I guess somehow the middleware calls the /bff/logout endpoint but behind the scenes the cookies are not cleared automatically.