Question
· Feb 14

Error message “Invalid CSRF token”

Hello, community!

I am working on implementing OAuth 2.0 authentication in InterSystems IRIS and need to correctly define a CSRF token that will be validated by OAuth.Response. However, I am having trouble finding a clear method to configure the CSRF token correctly.

So far, I have tried:

  • Setting the CSRF token in the request header.
  • Inserting the CSRF token via InsertCookie.

Despite these attempts, I haven’t been successful. On the OAuth.Response page, the CSRF token is empty, and I get the error message “Invalid CSRF token” because the csrfToken is empty.

If csrfToken '= state { $$$ThrowStatus($$$ERROR($$$OAuth2ResponseError, "Invalid CSRF token")) }

Has anyone faced a similar issue or could suggest the best approach to configure the CSRF token for validation by OAuth.Response?

Any guidance or insights would be greatly appreciated!

Thank you in advance for your help!

Product version: IRIS 2024.3
Discussion (1)

Hi Edmara,

Yesterday I found we are having the same issue. This issue surfaced after we upgraded to 2023.1.5 (Build 697U).

In our case the issue is caused by a different Client Redirect URL. It is set to https://host/api/v1/xxx/csp/sys/oauth2/OAuth2.Response.cls via the Prefix /api/v1/xxx in the Client Configuration page.

We could work around the issue by patching class OAuth.Response and changing the cookie path from %request.Application to "/" in line 134, so from

Do %response.SetCookie(..#CSRFCookieName, state,,%request.Application,,%request.Secure,1,sameSite)

to

Do %response.SetCookie(..#CSRFCookieName, state,,"/",,%request.Secure,1,sameSite)

I have logged a WRC for this unexpected behavior change.

I am curious to hear from you!
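The answer above points at a cookie path mismatch: the CSRF cookie is written with the CSP application path, but the redirect from the authorization server arrives under the /api/v1/xxx prefix, so the browser never sends the cookie back and OAuth2.Response sees an empty csrfToken. The following Python model, added here as an illustration and not code from InterSystems or from either poster, reproduces that behaviour with RFC 6265 path matching. It assumes %request.Application resolves to /csp/sys/oauth2/ (without the prefix), and the cookie name OAuth2State and the state value are constructed stand-ins for ..#CSRFCookieName and the real state parameter.

```python
"""
Model of the cookie-path mismatch behind the "Invalid CSRF token" error.
Added example, not InterSystems code: a browser-style cookie jar that applies
RFC 6265 path matching, plus a stand-in for the state check that
OAuth2.Response performs when the authorization server redirects back.
"""
from dataclasses import dataclass, field

# Constructed stand-in for ..#CSRFCookieName; the real name is not on the page.
CSRF_COOKIE = "OAuth2State"


@dataclass
class Cookie:
    name: str
    value: str
    path: str


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: decides whether a browser sends
    a cookie with Path=cookie_path on a request to request_path."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith("/"):
        return True
    # cookie_path is a prefix; the next character of the request path must be "/"
    return request_path[len(cookie_path)] == "/"


@dataclass
class CookieJar:
    """Minimal browser cookie store (single host, path attribute only)."""
    cookies: list = field(default_factory=list)

    def set_cookie(self, name: str, value: str, path: str) -> None:
        self.cookies.append(Cookie(name, value, path))

    def cookies_for(self, request_path: str) -> dict:
        """Cookies the browser would attach to a request for request_path."""
        return {c.name: c.value for c in self.cookies
                if path_matches(c.path, request_path)}


def validate_state(sent_cookies: dict, state_param: str) -> bool:
    """Stand-in for the check `If csrfToken '= state` in OAuth2.Response:
    the state query parameter must equal the CSRF cookie the browser sent."""
    csrf_token = sent_cookies.get(CSRF_COOKIE, "")
    if csrf_token != state_param:
        raise ValueError("Invalid CSRF token")
    return True


def simulate(cookie_path: str, redirect_path: str) -> str:
    """Set the CSRF cookie with the given path, then replay the redirect
    back to OAuth2.Response at redirect_path. Returns "ok" or the error."""
    jar = CookieJar()
    state = "constructed-state-value"   # constructed; a real state is random
    jar.set_cookie(CSRF_COOKIE, state, cookie_path)
    sent = jar.cookies_for(redirect_path)
    try:
        validate_state(sent, state)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    app_path = "/csp/sys/oauth2/"        # assumed value of %request.Application
    prefixed = "/api/v1/xxx/csp/sys/oauth2/OAuth2.Response.cls"  # from the answer
    plain = "/csp/sys/oauth2/OAuth2.Response.cls"
    print("no prefix, app path cookie:", simulate(app_path, plain))
    print("prefix, app path cookie:   ", simulate(app_path, prefixed))
    print("prefix, path '/' cookie:   ", simulate("/", prefixed))
```

Running it shows the cookie is sent for the unprefixed redirect and for Path=/ but not for the prefixed redirect with the application path, which is exactly the empty csrfToken the question describes. Note that the workaround's Path=/ makes the state cookie visible to every path on that host, so an alternative with the same effect for the redirect only would be to set the cookie path to the prefixed application path; that is an assumption about the deployment, not something the page confirms.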