Correlation Failed: Unknown Location error on Chrome but not in Safari

I am working on a Mac (OS 10.14.6) and when I test a universal login using the stock aspnet netcore 3.1 sample from github in Safari 13.1 everything works fine.

When I test the exact same code on Chrome version 80.0.3987.149 (Official Build) (64-bit) I get the correlation failed error.

I suppose I’m stating the obvious, but why would I build an application that uses an IDaaS that has browser version dependency issues? I certainly don’t want our customers hitting issues like this when trying to login to our product.

FYI I’m testing Okta at the same time and having the exact same problem… looks to be all about the SameSite breaking update coming out from Google.

Do you guys have a fix for this?

ticket 00451978 created

1 Like

Hey there @bwholman once our Developer Support team help you in your struggle it would be great to share the result here for the benefit of others. Thank you!

yeppers, i will save all of you from the back and forth and post the results. The solution I need is one where my customers don’t have to f with browser versions, etc (assuming they are current is enough)

1 Like

Thanks a lot for that!

I’m not using Auth0 but would just like to add I’m experiencing the same issue.

I’m also using aspnet netcore 3.1 and I’m also on Chrome 80.0.3987.149 which Chrome Releases: Stable Channel Update for Chrome OS released in the last week, which is when my issues started.

I’m using Identity server and I’m also getting the correlation failed: unknown location error.
If I check my Identity server serilog log the underlying issue is AspNetCore.Correlation.Google.WTHbFE3zvIhKYI6GM4_vGutZUprVbUenA6je3QxWYT’ cookie not found.

I am speculating this is due to the samesite cookie changes chrome has been implementing.

As a bit more info I’ve also tested on Edge and Firefox where this is not an issue.

I suspect this is something Microsoft/Google needs to fix but if anyone finds the answer comment on this thread as I’m looking for one :slight_smile:

Ok so finally got my code working again.

Make the code changes described here [Announcement][3.1.0-preview1] Reacting to browser SameSite changes, impacts OpenIdConnect · Issue #14996 · dotnet/aspnetcore · GitHub or here Work with SameSite cookies in ASP.NET Core | Microsoft Learn

    private void CheckSameSite(HttpContext httpContext, CookieOptions options) 
{ 
    if (options.SameSite == SameSiteMode.None) 
    { 
        var userAgent = httpContext.Request.Headers["User-Agent"].ToString(); 
        if ( DisallowsSameSiteNone(userAgent)) 
        { 
               options.SameSite = SameSiteMode.Unspecified; 
        } 
    } 
}

public void ConfigureServices(IServiceCollection services) 
{ 
    services.Configure<CookiePolicyOptions>(options => 
    { 
        options.MinimumSameSitePolicy = SameSiteMode.Unspecified; 
        options.OnAppendCookie = cookieContext =>  
            CheckSameSite(cookieContext.Context, cookieContext.CookieOptions); 
        options.OnDeleteCookie = cookieContext =>  
            CheckSameSite(cookieContext.Context, cookieContext.CookieOptions); 
    }); 
} 
 
public void Configure(IApplicationBuilder app) 
{ 
    app.UseCookiePolicy(); // Before UseAuthentication or anything else that writes cookies. 
    app.UseAuthentication(); 
    // … 
}

 //  Read comments in https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1
        public bool DisallowsSameSiteNone(string userAgent)
        {
            // Check if a null or empty string has been passed in, since this
            // will cause further interrogation of the useragent to fail.
            if (String.IsNullOrWhiteSpace(userAgent))
                return false;

            // Cover all iOS based browsers here. This includes:
            // - Safari on iOS 12 for iPhone, iPod Touch, iPad
            // - WkWebview on iOS 12 for iPhone, iPod Touch, iPad
            // - Chrome on iOS 12 for iPhone, iPod Touch, iPad
            // All of which are broken by SameSite=None, because they use the iOS networking
            // stack.
            if (userAgent.Contains("CPU iPhone OS 12") ||
                userAgent.Contains("iPad; CPU OS 12"))
            {
                return true;
            }

            // Cover Mac OS X based browsers that use the Mac OS networking stack. 
            // This includes:
            // - Safari on Mac OS X.
            // This does not include:
            // - Chrome on Mac OS X
            // Because they do not use the Mac OS networking stack.
            if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14") &&
                userAgent.Contains("Version/") && userAgent.Contains("Safari"))
            {
                return true;
            }

            // Cover Chrome 50-69, because some versions are broken by SameSite=None, 
            // and none in this range require it.
            // Note: this covers some pre-Chromium Edge versions, 
            // but pre-Chromium Edge does not require SameSite=None.
            if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
            {
                return true;
            }

            return false;
        }

If you are using Identity Server 4 in http mode you may also need this configure cookie policy to omit samesite=none when request is not https · IdentityServer/IdentityServer4@aa57833 · GitHub

Further reading

https://github.com/IdentityServer/IdentityServer4/issues/4170

1 Like

Thanks for posting on this thread! Glad you are back on track. I tried your fix and am still getting the error on chrome. waiting for ticket response.

Let us know once you have it @bwholman!

Kudos to Tanver at the Auth0 support desk for this resolution. Punchline is that for the SameSite=None cookie configuration to work via a chrome browser you must set your localhost webserver to run via https. Works like a hot damn.

A few notes on getting https to work with localhost… Auth0 has this article, but I found the best one for .net to actually be this one.

I did go through the mkcert process but pretty sure if you just use
dotnet dev-certs https --trust
that should do it.

remember to change your callback on your ID provider to https.

on the stock github sample I changed the kestrel endpoint to this:
“kestrel”: {
“EndPoints”: {
“Https”: {
“Url”: “https://*:443”
}
}
}

In Configure I added this line:

        app.UseHttpsRedirection();

I hope this helps!

1 Like

Thanks a lot for sharing it with the rest of community!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.