Angular Development - API Server doesn't accept requests because of a missing XSRF Token

Hello everyone,

so I set up an Angular development project using a local API server.

The API server doesn't accept requests because of a missing XSRF Token.

When I look into the Development Tools, it tells me that the browser doesn't accept incoming cookies because of a mismatched domain.

Which is understandable since the cookie is sent with /APIServer as Path while the API Server runs locally under http://localhost:8182

(hence no XSRF Token set on the browser, hence no XSRF Token sent back) 

How do I fix this issue?

Greetings

Ivo Burkatzki

  • There is no general answer to your question, it depends on your setup. What is the URL of the API Server?

    Basically, the HTML app needs to access the cookies emitted by the API Server. You need to set that property only if your HTML apps run on a different domain/path than the API Server. (Having them both on localhost with different ports usually works fine.)

  • Hello Hanno,

    thank you very much for your feedback. However, the details are all very vague and don't necessarily make the first steps easier - hence the specific question:
    We have installed the API server on a Windows server with IIS - it can be accessed at:

    https://<servername>.<domain>/ApiServer

    What would have to be specified in this case?

  • This will not work at all regardless of the cookie path, because your Angular frontend will typically run on HTTP (no "S") and cannot access cookies from a secure context. The browsers will not allow it.

    In Chrome's F12 tools --> network tab, you can see this happening. By filtering on "blocked cookies" you can see if any cookies were blocked, and the browser will show the reason why.

    We've had some success going HTTPS all the way, which means that your local Angular server needs to run in HTTPS. But it's probably not worth the hassle as long as you are in a development (non-production) environment, where it may be acceptable to just disable XSRF protection.
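The two failure modes discussed in this thread (a cookie dropped because its Domain does not match the responding host, and a Secure cookie unusable from a plain-HTTP origin) can be reproduced with a small model of the browser's cookie rules. This is an added example, not code from the thread or from the API server product; the function names and the sample Set-Cookie values used in comments are assumptions constructed for illustration.

```javascript
// Constructed model of three RFC 6265 rules a browser applies to a Set-Cookie:
// Domain (section 5.1.3), Path (5.1.4) and the Secure attribute. SameSite and
// cross-site fetch rules are deliberately out of scope. Names are assumptions.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map(s => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = { name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1),
                   domain: null, path: null, secure: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'domain') cookie.domain = v.replace(/^\./, '').toLowerCase();
    else if (key === 'path') cookie.path = v;
    else if (key === 'secure') cookie.secure = true;
  }
  return cookie;
}

// Host equals the Domain value or ends with "." + Domain value.
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Request path equals the cookie path or is a sub-path of it (case-sensitive).
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Browsers treat https:// and http://localhost as secure contexts.
function isSecureContext(u) {
  return u.protocol === 'https:' || u.hostname === 'localhost';
}

// Why the browser drops a cookie set by a response from responseUrl (null = stored).
function storeRejection(cookie, responseUrl) {
  const u = new URL(responseUrl);
  if (cookie.domain && !domainMatches(u.hostname, cookie.domain)) return 'domain mismatch';
  if (cookie.secure && !isSecureContext(u)) return 'Secure cookie from insecure origin';
  return null;
}

// Whether a cookie stored from storedFromUrl is attached to a request to requestUrl.
function wouldSend(cookie, storedFromUrl, requestUrl) {
  const from = new URL(storedFromUrl), to = new URL(requestUrl);
  const effPath = cookie.path || from.pathname.replace(/\/[^/]*$/, '') || '/';
  const hostOk = cookie.domain ? domainMatches(to.hostname, cookie.domain)
                               : to.hostname === from.hostname;   // host-only cookie
  return hostOk && pathMatches(to.pathname, effPath) && (!cookie.secure || isSecureContext(to));
}
```

Feeding it the exact Set-Cookie header shown under "blocked cookies" in the network tab tells you which attribute is responsible before you change the server or the dev setup; note that Path matching is case-sensitive, so /APIServer and /ApiServer are different paths.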