Hello everyone, I am getting such an error. I searched a lot on the internet but I couldn't find a solution.
```csharp
public void ConfigureServices(IServiceCollection services)
{
    IConfigurationSection appSettingsSection = Configuration.GetSection("AppSettings");
    services.Configure<AppSettings>(appSettingsSection);
    _appSettings = appSettingsSection.Get<AppSettings>();

    services.AddCors();
    services.AddControllersWithViews();

    // migration assembly required as DbContext's are in a different assembly
    var migrationsAssembly = typeof(Startup).GetTypeInfo().Assembly.GetName().Name;
    string connectionString = _appSettings.ConnectionStrings;

    services.AddDbContext<ApplicationDbContext>(options =>
        options.UseSqlServer(connectionString));

    services.AddIdentity<ApplicationUser, IdentityRole>(options =>
    {
        options.Password.RequiredLength = 0;
        options.Password.RequiredUniqueChars = 0;
        options.Password.RequireLowercase = false;
        options.Password.RequireUppercase = false;
        options.Password.RequireDigit = false;
        options.Password.RequireNonAlphanumeric = false;
    })
    .AddEntityFrameworkStores<ApplicationDbContext>()
    .AddDefaultTokenProviders();

    var builder = services.AddIdentityServer(options =>
    {
        options.Events.RaiseErrorEvents = true;
        options.Events.RaiseInformationEvents = true;
        options.Events.RaiseFailureEvents = true;
        options.Events.RaiseSuccessEvents = true;
    })
    .AddConfigurationStore(options =>
    {
        options.ConfigureDbContext = b => b.UseSqlServer(connectionString,
            sql => sql.MigrationsAssembly(migrationsAssembly));
    })
    .AddOperationalStore(options =>
    {
        options.ConfigureDbContext = b => b.UseSqlServer(connectionString,
            sql => sql.MigrationsAssembly(migrationsAssembly));
    })
    .AddAspNetIdentity<ApplicationUser>();

    builder.AddDeveloperSigningCredential();
    services.AddAuthentication();
    services.AddScoped<IUserService, UserService>();
    services.AddScoped<IAdapterService, AdapterService>();
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    //InitializeDatabase(app);
    app.UseStaticFiles();
    app.UseRouting();
    app.UseCors(x => x.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader());
    app.UseIdentityServer();
    app.UseAuthorization();
    app.UseEndpoints(endpoints =>
    {
        endpoints.MapDefaultControllerRoute();
    });
}
```
```text
IdentityServer4.ResponseHandling.AuthorizeInteractionResponseGenerator
Showing login: User is not authenticated
```
Same issue here. Happens only in Chrome, I believe. Didn't reproduce on Firefox.
I encountered the same problem as you. After logging in on Chrome, it jumped back to the login page, but using the Microsoft Edge browser I can log in normally.
IdentityServer: 3.1.2
Chrome: 80.0.3987.132(Official version) (64-bit)

Chrome Warning prompt text:
This set-cookie had the "SameSite=None" attribute but did not have the "Secure" attribute, which is required in order to use "SameSite=None"
I noticed a warning when setting a cookie after logging in, so I modified the following code, then it works:
- Find the method CreateSessionIdCookieOptions() of class DefaultUserSession, then change the SameSite of options to SameSiteMode.Unspecified
- Find the Configure(string name, CookieAuthenticationOptions options) method of the class ConfigureInternalCookieOptions, then change options.Cookie.SameSite to SameSiteMode.Unspecified
You can override these two classes and then manually add them to the dependency injection container.
Nice, it works for me.
Could you share sample code ?
Read your warnings in the Chrome console. It says if you're setting SameSite=none and not setting Secure then it's an invalid cookie. This, IMO, is a problem in the ASP.NET Core code. If the request is not HTTPS and SameSite=none is configured, then I think it should not issue SameSite=none.
ConfigureInternalCookieOptions is an internal class. We can't inherit from it.
Right, but you can always configure your own cookie and you'd set the same settings.
In my case, I don't set my own cookie. The application relies on ids4 user session/internal cookies.
How would you suggest that I correct the internal behavior of ids4 considering that I consume the NuGet package?
test with https (just like you would use in production)
I opened an issue here with Microsoft about this: https://github.com/dotnet/aspnetcore/issues/19939
Yes, I'm having the same issue.
Locally, http://localhost:5002, my app, usually uses my production IDS4 under an SSL URL, and yesterday noticed that Chrome no longer worked, but Firefox did work. I kept getting Correlation Failed - Unknown location.
So today I've spent the day trying it with using the app against my local IDS 4 instance http://localhost:5000 and it's a different experience, but still doesn't work. It would just bounce back to login.
```text
ValidatedAuthorizeRequest
{"ClientId": "AppUser", "ClientName": "Application User", "RedirectUri": "http://localhost:5002/signin-oidc", "AllowedRedirectUris": ["http://localhost:5002/signin-oidc"], "SubjectId": "anonymous", "ResponseType": "code id_token", "ResponseMode": "form_post", "GrantType": "hybrid", "RequestedScopes": "openid profile tmpapiuser1 email ssuser.profile offline_access", "State": ".......", "UiLocales": null, "Nonce": "........", "AuthenticationContextReferenceClasses": null, "DisplayMode": null, "PromptMode": null, "MaxAge": null, "LoginHint": null, "SessionId": null, "Raw": {"client_id": "AppUser", "redirect_uri": "http://localhost:5002/signin-oidc", "response_type": "code id_token", "scope": "openid profile tmpapiuser1 email ssuser.profile offline_access", "response_mode": "form_post", "nonce": "6......, "x-client-SKU": "ID_NETSTANDARD2_0", "x-client-ver": "5.3.0.0"}, "$type": "AuthorizeRequestValidationLog"}
[20:24:36 INF] IdentityServer4.ResponseHandling.AuthorizeInteractionResponseGenerator
Showing login: User is not authenticated
[20:24:36 INF] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler
AuthenticationScheme: Identity.External signed out.
[20:30:12 DBG] IdentityServer4.Hosting.IdentityServerAuthenticationService
Augmenting SignInContext
[20:30:12 DBG] IdentityServer4.Hosting.IdentityServerAuthenticationService
Adding idp claim with value: local
[20:30:12 DBG] IdentityServer4.Hosting.IdentityServerAuthenticationService
Adding amr claim with value: pwd
[20:30:12 DBG] IdentityServer4.Hosting.IdentityServerAuthenticationService
Adding auth_time claim with value: 1584491412
[20:30:12 INF] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler
AuthenticationScheme: Identity.Application signed in.
[20:30:12 INF] Mvc.Controllers.AccountController
User logged in.
[20:30:13 DBG] IdentityServer4.Hosting.EndpointRouter
Request path /connect/authorize/callback matched to endpoint type Authorize
[20:30:13 DBG] IdentityServer4.Hosting.EndpointRouter
Endpoint enabled: Authorize, successfully created handler: IdentityServer4.Endpoints.AuthorizeCallbackEndpoint
[20:30:13 INF] IdentityServer4.Hosting.IdentityServerMiddleware
Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeCallbackEndpoint for /connect/authorize/callback
[20:30:13 DBG] IdentityServer4.Endpoints.AuthorizeCallbackEndpoint
Start authorize callback request
[20:30:13 DBG] IdentityServer4.Endpoints.AuthorizeCallbackEndpoint
User in authorize request: b6ff7b3c-ece7-471f-9ff1-9075eee31209
[20:30:13 DBG] IdentityServer4.Validation.AuthorizeRequestValidator
Start authorize request protocol validation
[20:30:13 DBG] IdentityServer4.EntityFramework.Stores.ClientStore
AppUser found in database: True
[20:30:13 DBG] IdentityServer4.Stores.ValidatingClientStore
client configuration validation for client AppUser succeeded.
[20:30:13 DBG] IdentityServer4.Validation.AuthorizeRequestValidator
Checking for PKCE parameters
[20:30:13 DBG] IdentityServer4.Validation.AuthorizeRequestValidator
No PKCE used.
[20:30:13 DBG] IdentityServer4.EntityFramework.Stores.ResourceStore
Found ["openid", "profile", "email", "ssuser.profile"] identity scopes in database
[20:30:13 DBG] IdentityServer4.EntityFramework.Stores.ResourceStore
Found ["tmpapiuser1"] API scopes in database
[20:30:14 DBG] IdentityServer4.EntityFramework.Stores.ResourceStore
Found ["openid", "profile", "email", "ssuser.profile"] identity scopes in database
[20:30:14 DBG] IdentityServer4.EntityFramework.Stores.ResourceStore
Found ["tmpapiuser1"] API scopes in database
[20:30:14 DBG] IdentityServer4.Validation.AuthorizeRequestValidator
Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
[20:30:14 INF] IdentityServer4.Endpoints.AuthorizeCallbackEndpoint
ValidatedAuthorizeRequest
{"ClientId": "AppUser", "ClientName": "Application User", "RedirectUri": "http://localhost:5002/signin-oidc", "AllowedRedirectUris": ["http://localhost:5002/signin-oidc", ], "SubjectId": "b6ff7b3c-ece7-471f-9ff1-9075eee31209", "ResponseType": "code id_token", "ResponseMode": "form_post", "GrantType": "hybrid", "RequestedScopes": "openid profile tmpapiuser1 email ssuser.profile offline_access", "State": "CfDJ8.....", "UiLocales": null, "Nonce": "63720......", "AuthenticationContextReferenceClasses": null, "DisplayMode": null, "PromptMode": null, "MaxAge": null, "LoginHint": null, "SessionId": "9126b4f435e5d90c7f87b34687ec0526", "Raw": {"client_id": "AppUser", "redirect_uri": "http://localhost:5002/signin-oidc", "response_type": "code id_token", "scope": "openid profile tmpapiuser1 email ssuser.profile offline_access", "response_mode": "form_post", "nonce": "637200.......", "state": "CfDJ8B.....", "x-client-SKU": "ID_NETSTANDARD2_0", "x-client-ver": "5.3.0.0"}, "$type": "AuthorizeRequestValidationLog"}
[20:30:14 DBG] IdentityServer4.Services.DefaultConsentService
Client is configured to not require consent, no consent is required
[20:30:14 DBG] IdentityServer4.ResponseHandling.AuthorizeResponseGenerator
Creating Hybrid Flow response.
[20:30:14 DBG] IdentityServer4.EntityFramework.Stores.PersistedGrantStore
xM5XmI7W6Y4BO1Rw6YjJ.... not found in database
[20:30:14 DBG] IdentityServer4.ResponseHandling.AuthorizeResponseGenerator
Creating Implicit Flow response.
[20:30:14 DBG] IdentityServer4.Services.DefaultClaimsService
Getting claims for identity token for subject: b6ff7b3c-ece7-471f-9ff1-9075eee31209 and client: AppUser
[20:30:15 INF] IdentityServer4.Endpoints.AuthorizeCallbackEndpoint
Authorize endpoint response
{"SubjectId": "b6ff7b3c-ece7-471f-9ff1-9075eee31209", "ClientId": "AppUser", "RedirectUri": "http://localhost:5002/signin-oidc", "State": "CfDJ8Bv.......", "Scope": "openid profile email ssuser.profile tmpapiuser1 offline_access", "Error": null, "ErrorDescription": null, "$type": "AuthorizeResponseLog"}
[20:30:15 DBG] IdentityServer4.Hosting.IdentityServerAuthenticationService
Augmenting SignInContext
[20:30:15 INF] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler
AuthenticationScheme: Identity.Application signed in.
```
Now the inconsistent case here is that in one of these runs it randomly started working again for Chrome, but after changing the flag around it no longer works again.
Since this issue is only on http, should we just set up certs locally and run under SSL locally until Microsoft fixes it?
Thanks,
Rob
test with https (just like you would use in production)
It's really unfortunate; due to how my particular project was developed and configured, it would be extremely time consuming to force https locally. Too many components trying to communicate with each other.
However, if it's a new or simple project, that should be straightforward to do and the cookie should work. I would suggest that people in this situation try it.
For now, I can use a cookie policy as a catch-all to force the value on all emitted cookies but it's less than ideal as ultimately it's a patch to a configuration problem.
I'll keep watch on the ticket that you entered. Thank you for your help so far.
This is what we've added to the host to make it work:
https://github.com/IdentityServer/IdentityServer4/commit/aa57833f2e048eb2f6be279260fccdd27c5a7ea9
Tri125,
Agreed. This sucks.
Firefox does work perfectly fine. I'm used to debugging my SPA in Chrome, but I guess I'll be using Firefox until I decide to get SSL setup on my app too.
Although the response "test with https" isn't that helpful, it probably is the only realistic option in the end. So to update your apps to use https do this:
In each Startup.cs, add
```csharp
app.UseHsts();
app.UseHttpsRedirection();
```
to Configure(), usually right at the start or just before UseStaticFiles()
For each project go into the project settings and enable the Debug page's "Use SSL" checkbox. Make a note of the generated, and unchangeable, port number.
Go through the codebase (search for http://) and change each reference to a 500x port to the ssl port number that VS generated for each project (and remember to put https at the front)
How you run the projects varies, but if you're like me and run the API and NetIdentityServer from a command line (with dotnet run environment=development) then you will need to change the launchsettings.json for each project. Within the 'SelfHost' section there will be an 'applicationUrl' entry, change it to the SSL version that VS generated for you.
If you haven't already installed the VS dev certificate, do so by running "dotnet dev-certs https --trust" (there is a --clean option if you already have old or broken certificates installed)
and that should be it, now you can run your projects using https, which I think is the way to go given how all the browsers and standards are "secure by default" (ie increasingly broken without https). Microsoft has a page on enforcing https.
Hopefully MS will change its templates in the future to be https, and IdentityServer will also implement the above code tweaks with the v4 release.
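As an added example (not code from this thread or from the IdentityServer4 project), the following Startup fragment combines the https steps just described with the "cookie policy as a catch-all" mentioned earlier in the thread: a SameSite=None cookie is only ever emitted together with Secure on an https request, and on a plain-http local run the attribute is dropped (SameSiteMode.Unspecified) rather than emitting the cookie Chrome 80 rejects. The https port 5001 is a placeholder for the port Visual Studio generated; everything else uses standard ASP.NET Core 3.1 and IdentityServer4 APIs.

```csharp
// Added example; placeholder port and middleware order are assumptions, not the thread's code.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // 5001 is a placeholder for the SSL port VS generated; under "dotnet run" the
        // redirect middleware needs it spelled out to build the https URL.
        services.AddHttpsRedirection(o =>
        {
            o.HttpsPort = 5001;
            o.RedirectStatusCode = StatusCodes.Status307TemporaryRedirect;
        });
        // Catch-all cookie policy: rewrites every Set-Cookie the host emits, including
        // IdentityServer's internal session cookie and the Identity.Application cookie.
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.MinimumSameSitePolicy = SameSiteMode.Unspecified; // don't force Lax onto OIDC cookies
            options.OnAppendCookie = ctx => FixSameSite(ctx.Context, ctx.CookieOptions);
            options.OnDeleteCookie = ctx => FixSameSite(ctx.Context, ctx.CookieOptions);
        });
    }

    // Chrome 80 rejects "SameSite=None" without "Secure" (the console warning quoted above).
    // https: keep None and set Secure, the valid pair. http: a Secure cookie can never be
    // sent, so omit the attribute instead of emitting a cookie the browser discards.
    internal static SameSiteMode FixSameSite(HttpContext http, CookieOptions cookie)
    {
        if (cookie.SameSite == SameSiteMode.None)
        {
            if (http.Request.IsHttps) cookie.Secure = true;
            else cookie.SameSite = SameSiteMode.Unspecified;
        }
        return cookie.SameSite;
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment()) app.UseDeveloperExceptionPage();
        else app.UseHsts(); // HSTS is per host, not per port: on localhost it would pin every local port to https
        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseRouting();
        app.UseCookiePolicy(); // must run before IdentityServer and the auth handlers write cookies
        app.UseIdentityServer();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

FixSameSite returns the SameSite value actually emitted, so the rule can be unit-tested with a DefaultHttpContext whose Request.IsHttps is toggled.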