Identityserver4: Quickstarts sample upgrade to asp core 3.1 resulted in login failed for latest Google Chrome because of SameSite=None

Created on 22 Feb 2020 · 11 comments · Source: IdentityServer/IdentityServer4

Hi there,
I have downloaded the Quick-start sample from: https://github.com/IdentityServer/IdentityServer4/tree/master/samples/Quickstarts

Working on 4_JavaScriptClient solution.
The sample works fine with ASP.NET Core 3.0 as is.

I have changed the target framework from ASP.NET Core 3.0 to 3.1.

Now I am getting the following warning during login for the JavaScriptClient sample, and I am stuck at the login page (not getting redirected back to index.html).

_A cookie associated with a resource at http://localhost/ was set with SameSite=None but without Secure. It has been blocked, as Chrome now only delivers cookies marked SameSite=None if they are also marked Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032._

Looking at the following posts:
https://docs.microsoft.com/en-gb/dotnet/core/compatibility/3.0-3.1
https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/

I have added CookiePolicyOptions and DisallowsSameSiteNone() as per the above link.
But I am still getting the same Chrome warning and login fails.
Also, the External Login 'Demo IdentityServer' (AddOpenIdConnect) option fails because of the same 'Cookies' issue.

The function 'DisallowsSameSiteNone(string userAgent)' returns false because I am getting the 'userAgent' string value as 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36'.

Option 1)
As per the following link: https://docs.microsoft.com/en-gb/dotnet/core/compatibility/3.0-3.1
I make use of the 'Opt-out switches' by adding a runtimeconfig.template.json file in IdentityServer.csproj.

Now both:
1) local user login (bob/bob) works fine.
2) External Login for 'Demo IdentityServer' also works fine.

Option 2)
I add the following to Configure(IApplicationBuilder app, IWebHostEnvironment env) in Startup.cs:

```csharp
var cookiePolicyOptions = new CookiePolicyOptions { MinimumSameSitePolicy = SameSiteMode.Lax };
app.UseCookiePolicy(cookiePolicyOptions);
```

Now:
1) local user login (bob/bob) works fine.
2) External Login for 'Demo IdentityServer' fails with the following error:

```text
System.Exception: An error was encountered while handling the remote login.
---> System.Exception: Correlation failed.
--- End of inner exception stack trace ---
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
at IdentityServer4.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper.HandleRequestAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at IdentityServer4.Hosting.BaseUrlMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
```

Question:
What is the best way to upgrade the Quickstarts sample ('4_JavaScriptClient' solution) to ASP.NET Core 3.1 so that it supports both local and External Login (like 'Demo IdentityServer') with the latest Google Chrome?

Please help/suggest.

Thanks,
Sanjay.

Labels: question, wontfix
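Added example (not the issue author's code and not part of the IdentityServer4 quickstarts): the ASP.NET Core 3.1 cookie-policy setup that the Microsoft SameSite guidance linked above describes, applied to the IdentityServer host. It assumes the host is served over HTTPS, forces Secure on every cookie so that Chrome 80 accepts SameSite=None, and strips SameSite=None only for the older user agents that misinterpret it. Note that `DisallowsSameSiteNone` returning false for the Chrome/80 user agent quoted above is the correct result: Chrome 80 understands SameSite=None and only refuses it when Secure is missing, so on an http site the user-agent check alone changes nothing. The class and method names below are my own.

```csharp
// Added example, not code from the issue or the IdentityServer4 quickstarts.
// Assumes ASP.NET Core 3.1 (SameSiteMode.Unspecified exists from 3.1 on; on a
// patched 2.1/2.2 host use (SameSiteMode)(-1) instead) and an HTTPS endpoint.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class SameSiteCookieSetup
{
    // Call from Startup.ConfigureServices (e.g. services.AddSameSiteCookiePolicy();)
    // before AddIdentityServer()/AddAuthentication().
    public static IServiceCollection AddSameSiteCookiePolicy(this IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            // Leave each handler's own SameSite choice alone (idsrv, idsrv.session and the
            // OIDC correlation/nonce cookies default to None in 3.1). Raising the minimum to
            // Lax is what breaks the cross-site form_post callback from an external IdP.
            options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
            // Chrome 80 discards SameSite=None cookies that are not Secure, so mark every
            // cookie Secure; browsers only store Secure cookies from an https origin.
            options.Secure = CookieSecurePolicy.Always;
            // Only legacy clients need SameSite=None removed; current Chrome does not.
            options.OnAppendCookie = ctx => StripNoneForLegacyClients(ctx.Context, ctx.CookieOptions);
            options.OnDeleteCookie = ctx => StripNoneForLegacyClients(ctx.Context, ctx.CookieOptions);
        });
        return services;
    }

    // Call from Startup.Configure (app.UseSameSiteCookiePolicy();) before
    // UseIdentityServer()/UseAuthentication().
    public static IApplicationBuilder UseSameSiteCookiePolicy(this IApplicationBuilder app)
    {
        app.UseHttpsRedirection(); // no http request should reach the cookie-issuing code
        app.UseCookiePolicy();     // applies the CookiePolicyOptions registered above
        return app;
    }

    private static void StripNoneForLegacyClients(HttpContext httpContext, CookieOptions options)
    {
        if (options.SameSite != SameSiteMode.None)
            return;
        var userAgent = httpContext.Request.Headers["User-Agent"].ToString();
        if (DisallowsSameSiteNone(userAgent))
            options.SameSite = SameSiteMode.Unspecified; // emit no SameSite attribute at all
    }

    // Clients known to treat SameSite=None as Strict or to reject the cookie outright
    // (the list from Microsoft's guidance). Chrome 80, e.g. "Chrome/80.0.3987.116", is
    // deliberately not matched: it supports None and merely requires Secure alongside it.
    public static bool DisallowsSameSiteNone(string userAgent)
    {
        if (string.IsNullOrEmpty(userAgent))
            return false;
        // Safari, WKWebView and Chrome on iOS 12
        if (userAgent.Contains("CPU iPhone OS 12") || userAgent.Contains("iPad; CPU OS 12"))
            return true;
        // Safari on macOS 10.14, which uses the OS networking stack
        if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14")
            && userAgent.Contains("Version/") && userAgent.Contains("Safari"))
            return true;
        // Chrome 50-69 rejected cookies carrying SameSite=None
        if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
            return true;
        return false;
    }
}
```

With this in place the quickstart's own cookies keep SameSite=None, which is what the check-session iframe and the external-login callback need, and the only change relative to the stock sample is that the host must actually be reached over https.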

All 11 comments

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Questions are community supported only and the authors/maintainers may or may not have time to reply. If you or your company would like commercial support, please see here for more information.

I also have this problem.
Any solution?

Currently I am using Option 1), i.e. the 'Opt-out switches' by adding runtimeconfig.template.json as per https://docs.microsoft.com/en-gb/dotnet/core/compatibility/3.0-3.1
This is working fine for me.

Only option 2 worked on my ASP.NET Core 2.1 project.

Add the following to Configure(IApplicationBuilder app, IWebHostEnvironment env) in Startup.cs:

```csharp
var cookiePolicyOptions = new CookiePolicyOptions { MinimumSameSitePolicy = SameSiteMode.Lax };
app.UseCookiePolicy(cookiePolicyOptions);
```

@Sanjay5875 Thank you!

When I use

```csharp
var cookiePolicyOptions = new CookiePolicyOptions { MinimumSameSitePolicy = SameSiteMode.Lax };
```

I get the error "Correlation failed." on ASP.NET Core 2.2.

I needed to add

```csharp
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    app.UseCookiePolicy(new CookiePolicyOptions { MinimumSameSitePolicy = SameSiteMode.Lax });
    ....
}
```

on the identity server and on my websites.

Same problem here with .NET Core 3.1 and IdentityServer4 v3.1.2.
The problem occurs with Chrome 80 and the web project running on http and, as already stated, is caused by Chrome's SameSite policy for cookies:
idsrv.session is set with path=/; samesite=none --> this will be blocked, since samesite=none requires the Secure flag
idsrv is set with path=/; samesite=none; httponly --> this again will be blocked

As already mentioned, setting the cookie SameSite policy to Lax makes things work:

```csharp
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie("Cookies", options => { options.Cookie.SameSite = SameSiteMode.Lax; });
```

What I am asking is: will Lax have side effects? As far as I understand, "Lax" will enable the cookie to be sent to a third domain if and only if a document GET is sent to the remote domain, so I expect that CORS-enabled AJAX requests will not ship this cookie.

If Identity Server is accessed over https, the cookies above are set with the Secure flag, thus it works.
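Added example (not from the issue or from IdentityServer4): a small model of the Chrome 80 cookie rules the thread keeps running into, written to answer the Lax question above and to show why Option 2 in the opening post ends in "Correlation failed". The rules encoded are the ones Chrome 80 applies: SameSite=None is only stored together with Secure, Secure cookies are only stored from an https origin, an explicit Lax cookie is attached cross-site only on a top-level GET navigation, and Strict is never sent cross-site. The scenarios, cookie names and the assumption that the external IdP returns the user with a cross-site form POST (the ASP.NET Core OpenID Connect handler's default response_mode is form_post) are constructed here, not captured from a real browser.

```csharp
// Added example, not code from the issue: a pure model of Chrome 80's SameSite
// handling run over the situations described in this thread. All cookies and
// requests below are constructed for illustration.
using System;
using System.Collections.Generic;

public enum SameSite { None, Lax, Strict }

public sealed class Cookie
{
    public string Name { get; }
    public SameSite SameSite { get; }
    public bool Secure { get; }
    public Cookie(string name, SameSite sameSite, bool secure)
    {
        Name = name; SameSite = sameSite; Secure = secure;
    }
}

public sealed class Request
{
    public bool Https { get; set; }              // scheme of the request to the cookie's site
    public bool CrossSite { get; set; }          // initiated by another site (the IdP, the JS client's origin)
    public bool TopLevelNavigation { get; set; } // document navigation, as opposed to XHR/fetch/subresource
    public string Method { get; set; } = "GET";
}

public static class Chrome80Cookies
{
    // Would the browser keep this Set-Cookie at all?
    public static bool Stores(Cookie c, bool setOverHttps)
    {
        if (c.SameSite == SameSite.None && !c.Secure) return false; // the console warning quoted in the issue
        if (c.Secure && !setOverHttps) return false;                // Secure cookies are refused from http origins
        return true;
    }

    // Would the browser attach an already-stored cookie to this request?
    public static bool Sends(Cookie c, Request r)
    {
        if (c.Secure && !r.Https) return false;
        if (!r.CrossSite) return true;
        switch (c.SameSite)
        {
            case SameSite.Strict: return false;
            // An explicit Lax cookie is never sent on a cross-site POST. Chrome's two-minute
            // "Lax+POST" allowance only covers cookies with no SameSite attribute at all.
            case SameSite.Lax: return r.TopLevelNavigation && r.Method == "GET";
            default: return true;
        }
    }

    public static IEnumerable<(string scenario, bool result)> RunScenarios()
    {
        // 1. Quickstart as shipped, served over http: idsrv/idsrv.session are SameSite=None without Secure.
        yield return ("http, SameSite=None without Secure: stored?",
            Stores(new Cookie("idsrv", SameSite.None, secure: false), setOverHttps: false));

        // 2. Option 2 (MinimumSameSitePolicy = Lax) upgrades the OIDC correlation cookie to Lax. The demo
        //    IdP returns the user with a cross-site top-level POST to /signin-oidc, so the cookie is
        //    withheld and the remote handler reports "Correlation failed".
        var laxCorrelation = new Cookie(".AspNetCore.Correlation", SameSite.Lax, secure: false);
        yield return ("Lax correlation cookie on cross-site form_post callback: sent?",
            Sends(laxCorrelation, new Request { CrossSite = true, TopLevelNavigation = true, Method = "POST" }));

        // 3. A Lax cookie on a top-level GET arriving from another site is sent (this is what makes
        //    local login and plain links keep working under Option 2).
        yield return ("Lax cookie on cross-site top-level GET: sent?",
            Sends(laxCorrelation, new Request { CrossSite = true, TopLevelNavigation = true }));

        // 4. The question asked in the comment above: a CORS XHR/fetch from the JS client on another origin.
        yield return ("Lax cookie on cross-site XHR/fetch: sent?",
            Sends(laxCorrelation, new Request { CrossSite = true, TopLevelNavigation = false }));

        // 5. The https fix: SameSite=None + Secure survives storage and the form_post callback.
        var secureNone = new Cookie(".AspNetCore.Correlation", SameSite.None, secure: true);
        yield return ("https, SameSite=None + Secure: stored?", Stores(secureNone, setOverHttps: true));
        yield return ("SameSite=None + Secure on cross-site form_post callback: sent?",
            Sends(secureNone, new Request { Https = true, CrossSite = true, TopLevelNavigation = true, Method = "POST" }));
    }

    public static void Main()
    {
        foreach (var (scenario, result) in RunScenarios())
            Console.WriteLine($"{scenario} {(result ? "yes" : "no")}");
    }
}
```

Scenario 4 confirms the comment's expectation that a Lax cookie does not ride along on a CORS request, while scenario 2 is the trade-off: the same Lax attribute that lets an http deployment survive Chrome 80 also keeps the correlation cookie away from the external-login callback, which is exactly the CSRF check that makes the handler fail closed. Only scenario 5, i.e. serving the host over https, passes both.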

The real fix is to run the client on HTTPS.


This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
