Solved by forcing https
.Net core open id cookie was not secure as well, have to be set as secure in program.cs