Topics

C#•2y ago

IdentityServer antiforgery token bypass

I have an Identity Server instance. One of the application need's to render an identity server pages (login, forgot password, 2fa window, etc.) in the iframe. The problem is that I use an anti-forgery token that prevents all calls since the URL differs. So I'm thinking about having something like a white list of domains that can bypass forgery token validation. Are there any built-in solutions for that? Or would appreciate advice about how to implement this logic.

3 Replies

Cisien•2y ago

Thats probably a bad idea, why does this need an iframe? Its common to redirect with is to login

no >> body•2y ago

This is a legacy application. And they want to use one of our apps inside their app, and that app requires authentication from our identity server. Yes, I agree. This is a terrible idea, but this is a requirement from the customer.

Cisien•2y ago

you can't share cookies between apps using iframes, x-frame-options might be able to help though you'll probably still need to deal with having to login a few times you might be able to add the other domain to the cookie on your identity server, if that's an option or maybe your site

We are a programming server aimed at coders discussing everything related to C# (CSharp) and .NET.

52KMembers

View on Discord

Want results from more Discord servers?

Add your server

More Posts

Deal with clients that not support signalRI have a signalr Web API app and some of client are application run on Blackberry and Symbian OS Ho Bot not working?```csharp using System; using System.Collections.Generic; using System.Linq; using System.Reflection Dependency injection questionsI've been learning dependency injection in a non-web-api environment (tagging as asp.net anyways sin How to change cipher suites in .NET 6 on windows without regedit?I know there's an option for SslClientAuthenticationOptions.CipherSuitesPolicy but the issue is it's How to capture all user actions in a winform application to store them in a log file?My goal is to create a log file (a txt file will do) of all actions that an end user takes while usi Entity Framework - MODEL and ENTITYIm not sure if an ENTITY (Layer responsible for bussiness logic) is necessary instead use only MODEL .lnk parsingThis tool <https://github.com/securifybv/ShellLink> seems to be decent for parsing/modifying/creatin Fluent validationHello, I am using fluent validation and I'm trying to validate that the user supplied city is valid,How to change message?```csharp #nullable disable const float MIN_X = 1f; const float MAX_X = 50f; const float MIN_Y = 1f;Arrays in constructors and listsI have made a constructor taking an array of int (int[] numbers) in a new class, let's call the clas