Non Browser Based Clients Invoking Post Method is failing with Invalid CSRF Token

[saravanad]

Hi @ch4mpy ,

When Non Browser Based Clients tries to invoke POST API call to service offered in the microservices, which are behing the BFF Gateway, we get the Error, invalid CSRF Token error.

I have different routes with prefix like "/api/" for these non-browser based client, and other different routes for Browser based client.

Hence I added this in the permit-all section "/api/**" route, so that it can be bypassed in the BFF. The GET API's with the prefix "/api/" are working for me. They are bypassing the BFF gateway and reaching the concerned microservices.

When i try to do a POST API , i am getting invalid csrf token error. For POST API, i guess the permit-all section is not being considered.

Is there a way to overcome the csrf token only for Non-Browser Based Clients Post/Put API, while still having the CSRF Validation for Browser based Clients.

Thanks in advance for your support.

Thanks,
Saravana

[ch4mpy]

The filter chain with oauth2Login should be reserved for frontends that need to log users in. For programmatic clients getting tokens with the client credentials flow, you may either:

• Avoid going through the BFF (contact the service directly or a load-balancer between the BFF and the resource servers)
• If keeping the BFF as only entry point, use a second set of routes with a stateless security filter chain (and disabled protection against CSRF, like you can do safely with oauth2ResourceServer or basic), or disabled security.