Note: The same happens for the _temporary_ IdentityServerConstants.ExternalCookieAuthenticationScheme ("idsrv.external") cookie during external login. Here the problem is that the cookie remains (but doesn't stop the login process).

You can see .Net Core 3.1 Breaking Changes has some impact about authentication. I think the problem occurred for this. Did you try same problem with other Browsers like Opera or Firefox?

It happens exactly in Chrome >= 80, not in other browser, because Chrome is the first which implements "Reject insecure SameSite=None cookies", see https://www.chromestatus.com/feature/5633521622188032.

... also it should not happen in ASP.NET Core >= 3.0 because it passes the secure flag. See https://github.com/aspnet/AspNetCore/blob/release/3.0/src/Shared/ChunkingCookieManager/ChunkingCookieManager.cs#L289. (But didn't test that.)

The problem is that atm. I'm stick to ASP.NET Core 2.2.

This is really an ASP.NET Core issue, as the secure flag is set by the cookie auth handler (not us). I think @blowdart or @tratcher or @anurse might be able to field this better.

We did test and it seems to be working properly for ASP.NET Core 3.1.

Actually, there is already todo note in IdentityServerBuilder with same issue and they've some solution for this problem. Maybe you can try them

The problem is that atm. I'm stick to ASP.NET Core 2.2.

FYI 2.2 has reached end-of-life. https://dotnet.microsoft.com/platform/support/policy/dotnet-core

Mitigation: The CookieManager can be set, replace the 2.2 ChunkingCookieManager with the code from 3.0. You may also be able to adjust this behavior using CookiePolicy similar to the example shown in https://github.com/aspnet/AspNetCore/issues/14996.

Filed https://github.com/aspnet/AspNetCore/issues/17833 for a potential 2.1 patch.

Thanks @Tratcher for creating the ASP.NET Core issue!

@brockallen one change you might consider here is having this code set Unspecified rather than None.
https://github.com/IdentityServer/IdentityServer4/blob/c87a5e9f77a4ea724748505d2c6431c20edd5b0b/src/AspNetIdentity/src/IdentityServerBuilderExtensions.cs#L57-L58

Patched in ASP.NET Core.

I am running AspNetCore 2.1.15, IdentityServer4 2.4.0, and have back ported the chunking cookie manager as described in https://www.thinktecture.com/identity/samesite/how-to-delete-samesite-cookies and https://github.com/dotnet/aspnetcore/pull/17953.

I am an auth code grant JS client and can log in fine. I see the cookies get dropped for the JS site and idsrv for .AspNetCore.Antiforgery, .AspNetCore.Identity.Application, and idsrv.session. I initiate a logout in the JS client (which executes the signoutRedirect on the oidc-client manager). From the JS domain, everything looks good but if I navigate to the idsrv domain the cookies still exist and the user is not fully logged out.

Before updating to core 2.1.15 and before setting up a cookie policy as described here https://www.thinktecture.com/identity/samesite/prepare-your-identityserver/ it would delete cookies for both domains.
Also, if I keep all the newer code in place and just I disable the chrome flags "SameSite by default cookies" and "Cookies without SameSite must be secure" then the cookies get removed too (I'm still in chrome 79) - so it has to be something around these settings.

Any help or places to check is appreciated. I am clearly missing something that needs to be modified.

@onarres please open an issue at https://github.com/dotnet/aspnetcore/issues and include a Fiddler trace and the code you used for ChunkingCookieManager.

I figured it out. Elsewhere in our codebase there was a call to services.ConfigureApplicationCookie() to set different login and logout paths. In this block I had to add the "options.CookieManager = new BackPortedChunkingCookieManager()" - this is what was managing the .AspNetCore.Identity.Application cookie

I kept trying to figure out why idsrv.session worked fine, but that had nothing to do with what I thought I previously fixed; instead that is due to the idsrv's user session code, it has a method that sets the cookie options on create and delete with the secure flag.

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.