
Authentication broken on ASP.Net Core and Safari on iOS 12 / Mojave


A recent change in WebKit has broken authentication in ASP.NET Core 2 MVC apps that use the OpenIdConnect and Cookies middleware together (as all of our quickstarts and samples do). In particular:

  • The OpenIdConnect middleware requests response_mode=form_post by default (i.e. the OIDC identity provider returns the response by having the browser POST it to the client app, rather than by redirecting with the result in the query string or fragment).
  • The Cookies middleware uses a samesite=lax policy for the session cookie (which is a good thing, security-wise: it stops the cookie from being attached to cross-site POSTs).
  • WebKit's interpretation of the SameSite spec causes it to withhold the ASP.NET session cookie that the middleware sets right after processing the callback (/signin-auth0), so the request that immediately follows the callback arrives without it.

The flow is:

  1. Visit site, access some protected resource (or trigger the login manually).
  2. The authentication challenge at /Account/Login redirects to Auth0.
  3. User completes all the authentication prompts.
  4. Auth0 sends the result back to the app by returning an HTML page to the browser that auto-submits a POST request to the callback URL.
  5. The OpenIdConnect middleware (at /signin-auth0) validates the response and sets the identity cookie with a samesite=lax policy.
  6. The middleware redirects to the protected resource (or to the home page).
  7. On that request the Cookies middleware looks for the identity cookie, but WebKit does not send it. Since it is missing, the request is treated as unauthenticated and the flow goes back to step 2, producing a redirect loop.

Note that this problem is not exclusive to Auth0, and will most likely affect any OIDC identity provider that supports response_mode=form_post (defined in the OAuth 2.0 Form Post Response Mode specification that OIDC builds on), with any client that sets a samesite=lax session cookie on the callback.

The workaround until WebKit fixes this behavior is to instruct the OpenIdConnect middleware not to use response_mode=form_post and instead use the OIDC default response mode (query), which also means using the authorization code flow instead of the default hybrid flow: an id_token may never be returned in the query string, so response_type must be code. With this change the callback is a plain top-level GET, which is exactly the case samesite=lax is designed to allow. The authorization code does end up in the URL, but it is single-use, short-lived and useless without the client secret, which the middleware uses to redeem it server-side at the token endpoint (so make sure options.ClientSecret is configured). To do so:

.AddOpenIdConnect("Auth0", options => {
    // Other configuration options (Authority, ClientId, ClientSecret, ...)

    // Set response type to "code" and response mode to "query"
    // to avoid the default response_mode=form_post, which causes
    // issues with Safari's handling of the Cookie middleware's
    // default samesite=lax policy. The middleware redeems the code
    // at the token endpoint using ClientSecret.
    options.ResponseType = "code";
    options.ResponseMode = "query";
});