Auth0 Home Blog Docs

ASP.NET Core 2: Intermittent Correlation Failed Errors


  • Which SDK does this apply to? Auth0.AuthenticationApi v5.4 / Lock 11.3
  • Which version of the platform are you facing this error on? .NET Core 2
  • Was this code working before? Have you made any changes in the dashboard recently? I think this error has always occurred intermittently.
  • HAR: I will keep trying on this. Because of the intermittent nature of the problem, this is a little bit tougher. I do have a HAR where the intermittent problem does not occur… Let me know if you would like me to include that. Otherwise, I’m sure I will get this eventually.

I am seeing intermittent Correlation Failed errors in production. The code we’re using comes straight out of the ASP.NET Core 2 quickstart samples.

For the most part, this happens in Chrome, although when I try this on Safari (on a phone) it seems much more prevalent… Mobile is not our target right now, but I would say Safari seems to be pretty much broken right now.
To reproduce this, when I go to my site after several hours (maybe a whole day?) of inactivity, It shows the “you last logged in with…” dialog, and then when I click my email address, it crashes.

Here’s the trace, if that helps:

Exception: Correlation failed.
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

I have also seen an “oops! something went wrong!” page once or twice.

I understand this issue may be cookie related, so I thought I would also include my cookies:

.AspNetCore.Correlation.Auth0.9vfQ2_WqWLP6U1UXAi29WBtXqsuo97f2txMiHCiovP0 | N
.AspNetCore.OpenIdConnect.Nonce.CfDJ8DczvQ50mOVLnddvitCTG7Kp9Mc2yKSennC7oggfuaXdypiCvst-PX2Hva-N9UxUe20wXELi1G6LHg8W_XHmCtbv9MN3lROrFKfrEaTf8MPue32mGPFLqMjiPIGJTuKlAxaC4r-kQMIHH1_MJzZV44mrQ5b1Jq8tPXgT0vZcAeC-QblWwgFWJN8PzdG0b2NOCog3p-0QQPVkuZr_D2v65roPEi-1nstgExcxlme_w_zzH98Fit3FcXKBPXq6TQY0oVfTHWpKLyPUj1dPg1WLCBc | N
ARRAffinity | 7055382eb098285fb6aecb1d7b22ab0e092973bf2838304a05303973781a3ebb

Here’s my config:

using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

namespace Keystone.Web.Config.IoC
    internal static class Auth0Config
        public static void ConfigureAuth0(IServiceCollection services, IConfiguration configuration)
            services.AddAuthentication(options =>
                    options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                    options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                    options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                .AddOpenIdConnect("Auth0", options =>
                    // Set the authority to your Auth0 domain
                    options.Authority = $"https://{configuration["Auth0:Domain"]}";

                    // Configure the Auth0 Client ID and Client Secret
                    options.ClientId = configuration["Auth0:ClientId"];
                    options.ClientSecret = configuration["Auth0:ClientSecret"];

                    // Set response type to code
                    options.ResponseType = "code";

                    // Configure the scope

                    // Also ensure that you have added the URL as an Allowed Callback URL in your Auth0 dashboard 
                    // e.g. http://localhost:5000/signin-auth0 
                    options.CallbackPath = new PathString("/signin-auth0");

                    // Configure the Claims Issuer to be Auth0
                    options.ClaimsIssuer = "Auth0";

                    // Saves tokens to the AuthenticationProperties
                    options.SaveTokens = true;

                    //Signature validation for HS256 signed token

                   options.TokenValidationParameters = new TokenValidationParameters
                       NameClaimType = "name",
                       RoleClaimType = ""

                    options.Events = new OpenIdConnectEvents
                        // handle the logout redirection 
                        OnRedirectToIdentityProviderForSignOut = (context) =>
                            // This is for "flowing the API token" which we are apparently not using.
                            //context.ProtocolMessage.SetParameter("audience", "{YOUR_API_IDENTIFIER}"); 

                            var logoutUri = $"https://{configuration["Auth0:Domain"]}/v2/logout?client_id={configuration["Auth0:ClientId"]}";

                            var postLogoutUri = context.Properties.RedirectUri;
                            if (!String.IsNullOrEmpty(postLogoutUri))
                                if (postLogoutUri.StartsWith("/"))
                                    // transform to absolute
                                    var request = context.Request;
                                    postLogoutUri = request.Scheme + "://" + request.Host + request.PathBase + postLogoutUri;
                                logoutUri += $"&returnTo={ Uri.EscapeDataString(postLogoutUri)}";


                            return Task.CompletedTask;


Also: I am currently on a free account, and we aren’t using SSL/HTTPS yet.


I’ve created a HAR file showing the problem:


@brianm_accounts I am getting someone to take a look into this


@brianm_accounts looks like you got a response in the Github issue:


@jeremy.meiss Thank you for having someone take a look at this. The github response really did contain anything that will help be resolve this… I hope someone will look at the HAR file I included. I am using the configuration from the quickstart, so if I am having problems, I must not be alone.