OAuth 2.0 / OpenID Connect Explained (edit)

https://benohead.com/oauth-2-0-openid-connect-explained/

The provided anti-forgery token was meant for a different claims-based user than the current user.

https://brockallen.com/2012/07/08/mvc-4-antiforgerytoken-and-claims/

https://stackoverflow.com/questions/18097401/the-anti-forgery-cookie-token-and-form-field-token-do-not-match-in-mvc-4

https://stackoverflow.com/questions/23366667/system-web-mvc-httpantiforgeryexception-mvc-5

https://www.developerfusion.com/tools/generatemachinekey/

ASP.NET MVC: The required anti-forgery form field “__RequestVerificationToken” is not present

https://benohead.com/asp-net-mvc-the-required-anti-forgery-form-field-__requestverificationtoken-is-not-present/

The anti-forgery cookie token and form field token do not match.

I resolved the issue by explicitly adding a machine key in web.config.

Note: For security reason don't use this key. Generate one from https://support.microsoft.com/en-us/kb/2915218#AppendixA.

Dont use online-one, details, http://blogs.msdn.com/b/webdev/archive/2014/05/07/asp-net-4-5-2-and-enableviewstatemac.aspx

 <machineKey validationKey="971E32D270A381E2B5954ECB4762CE401D0DF1608CAC303D527FA3DB5D70FA77667B8CF3153CE1F17C3FAF7839733A77E44000B3D8229E6E58D0C954AC2E796B" decryptionKey="1D5375942DA2B2C949798F272D3026421DDBD231757CA12C794E68E9F8CECA71" validation="SHA1" decryption="AES" />

Here's a site that generates unique Machine Keys:

http://www.developerfusion.com/tools/generatemachinekey/

Protecting your ASP.NET Web API using OAuth2 and the Windows Azure Access Control Service

https://www.developerfusion.com/article/147914/protecting-your-aspnet-web-api-using-oauth2-and-the-windows-azure-access-control-service/

https://github.com/maartenba/WindowsAzure.Acs.Oauth2