diff --git a/backend/src/Squidex.Web/GraphQL/GraphQLRunner.cs b/backend/src/Squidex.Web/GraphQL/GraphQLRunner.cs
new file mode 100644
index 000000000..27e211f19
--- /dev/null
+++ b/backend/src/Squidex.Web/GraphQL/GraphQLRunner.cs
@@ -0,0 +1,35 @@
+// ==========================================================================
+//  Squidex Headless CMS
+// ==========================================================================
+//  Copyright (c) Squidex UG (haftungsbeschraenkt)
+//  All rights reserved. Licensed under the MIT license.
+// ==========================================================================
+
+using GraphQL.Server.Transports.AspNetCore;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Net.Http.Headers;
+
+namespace Squidex.Web.GraphQL;
+
+public sealed class GraphQLRunner
+{
+    private readonly GraphQLHttpMiddleware<DummySchema> middleware;
+
+    public GraphQLRunner(IServiceProvider serviceProvider)
+    {
+        RequestDelegate next = x => Task.CompletedTask;
+
+        var options = new GraphQLHttpMiddlewareOptions
+        {
+            DefaultResponseContentType = new MediaTypeHeaderValue("application/json")
+        };
+
+        middleware = ActivatorUtilities.CreateInstance<GraphQLHttpMiddleware<DummySchema>>(serviceProvider, next, options);
+    }
+
+    public Task InvokeAsync(HttpContext context)
+    {
+        return middleware.InvokeAsync(context);
+    }
+}
diff --git a/backend/src/Squidex/Areas/Api/Controllers/Contents/ContentsSharedController.cs b/backend/src/Squidex/Areas/Api/Controllers/Contents/ContentsSharedController.cs
index ebb9ffa26..db038c060 100644
--- a/backend/src/Squidex/Areas/Api/Controllers/Contents/ContentsSharedController.cs
+++ b/backend/src/Squidex/Areas/Api/Controllers/Contents/ContentsSharedController.cs
@@ -22,15 +22,17 @@ namespace Squidex.Areas.Api.Controllers.Contents;
 public sealed class ContentsSharedController : ApiController
 {
     private readonly IContentQueryService contentQuery;
-    private readonly IContentWorkflow contentWorkflow;
+    private readonly IContentWorkflow contentWorkflow; private readonly GraphQLRunner graphQLRunner;
 
     public ContentsSharedController(ICommandBus commandBus,
         IContentQueryService contentQuery,
-        IContentWorkflow contentWorkflow)
+        IContentWorkflow contentWorkflow,
+        GraphQLRunner graphQLRunner)
         : base(commandBus)
     {
         this.contentQuery = contentQuery;
         this.contentWorkflow = contentWorkflow;
+        this.graphQLRunner = graphQLRunner;
     }
 
     /// <summary>
@@ -46,14 +48,9 @@ public sealed class ContentsSharedController : ApiController
     [Route("content/{app}/graphql/batch")]
     [ApiPermissionOrAnonymous]
     [ApiCosts(2)]
-    public IActionResult GetGraphQL(string app)
+    public Task GetGraphQL(string app)
     {
-        var options = new GraphQLHttpMiddlewareOptions
-        {
-            DefaultResponseContentType = new MediaTypeHeaderValue("application/json")
-        };
-
-        return new GraphQLExecutionActionResult<DummySchema>(options);
+        return graphQLRunner.InvokeAsync(HttpContext);
     }
 
     /// <summary>
diff --git a/backend/src/Squidex/Areas/IdentityServer/Controllers/Account/AccountController.cs b/backend/src/Squidex/Areas/IdentityServer/Controllers/Account/AccountController.cs
index a3a85c9f8..19c7e52de 100644
--- a/backend/src/Squidex/Areas/IdentityServer/Controllers/Account/AccountController.cs
+++ b/backend/src/Squidex/Areas/IdentityServer/Controllers/Account/AccountController.cs
@@ -207,6 +207,7 @@ public sealed class AccountController : IdentityServerController
 
     [HttpPost]
     [Route("account/external/")]
+    [IgnoreAntiforgeryToken]
     public IActionResult External(string provider, string? returnUrl = null)
     {
         var challengeRedirectUrl = Url.Action(nameof(ExternalCallback), new { returnUrl });
diff --git a/backend/src/Squidex/Config/Domain/ContentsServices.cs b/backend/src/Squidex/Config/Domain/ContentsServices.cs
index 93aa9d271..08cc0896e 100644
--- a/backend/src/Squidex/Config/Domain/ContentsServices.cs
+++ b/backend/src/Squidex/Config/Domain/ContentsServices.cs
@@ -17,6 +17,7 @@ using Squidex.Domain.Apps.Entities.Contents.Validation;
 using Squidex.Domain.Apps.Entities.History;
 using Squidex.Domain.Apps.Entities.Search;
 using Squidex.Infrastructure.EventSourcing;
+using Squidex.Web.GraphQL;
 
 namespace Squidex.Config.Domain;
 
diff --git a/backend/src/Squidex/Config/Web/WebServices.cs b/backend/src/Squidex/Config/Web/WebServices.cs
index 1ae4eec5b..a64da5c95 100644
--- a/backend/src/Squidex/Config/Web/WebServices.cs
+++ b/backend/src/Squidex/Config/Web/WebServices.cs
@@ -17,6 +17,7 @@ using Squidex.Config.Domain;
 using Squidex.Domain.Apps.Core.Contents;
 using Squidex.Domain.Apps.Entities;
 using Squidex.Domain.Apps.Entities.Contents.GraphQL;
+using Squidex.Domain.Apps.Entities.Contents.Queries;
 using Squidex.Infrastructure.Caching;
 using Squidex.Infrastructure.Json.Objects;
 using Squidex.Pipeline.Plugins;
@@ -34,6 +35,9 @@ public static class WebServices
         services.AddSingletonAs(c => new ExposedValues(c.GetRequiredService<IOptions<ExposedConfiguration>>().Value, config, typeof(WebServices).Assembly))
             .AsSelf();
 
+        services.AddSingletonAs<GraphQLRunner>()
+            .AsSelf();
+
         services.AddSingletonAs<FileCallbackResultExecutor>()
             .AsSelf();