I am working on a Mac (OS 10.14.6) and when I test a universal login using the stock aspnet netcore 3.1 sample from github in Safari 13.1 everything works fine.
When I test the exact same code on Chrome version 80.0.3987.149 (Official Build) (64-bit) I get the correlation failed error.
I suppose I’m stating the obvious, but why would I build an application that uses an IDaaS that has browser version dependency issues? I certainly don’t want our customers hitting issues like this when trying to login to our product.
FYI I’m testing Okta at the same time and having the exact same problem… looks to be all about the SameSite breaking update coming out from Google.
Hey there @bwholman once our Developer Support team help you in your struggle it would be great to share the result here for the benefit of others. Thank you!
yeppers, i will save all of you from the back and forth and post the results. The solution I need is one where my customers don’t have to f with browser versions, etc (assuming they are current is enough)
I’m using Identity server and I’m also getting the correlation failed: unknown location error.
If I check my Identity server serilog log the underlying issue is AspNetCore.Correlation.Google.WTHbFE3zvIhKYI6GM4_vGutZUprVbUenA6je3QxWYT’ cookie not found.
I am speculating this is due to the samesite cookie changes chrome has been implementing.
As a bit more info I’ve also tested on Edge and Firefox where this is not an issue.
I suspect this is something Microsoft/Google needs to fix but if anyone finds the answer comment on this thread as I’m looking for one
private void CheckSameSite(HttpContext httpContext, CookieOptions options)
{
if (options.SameSite == SameSiteMode.None)
{
var userAgent = httpContext.Request.Headers["User-Agent"].ToString();
if ( DisallowsSameSiteNone(userAgent))
{
options.SameSite = SameSiteMode.Unspecified;
}
}
}
public void ConfigureServices(IServiceCollection services)
{
services.Configure<CookiePolicyOptions>(options =>
{
options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
options.OnAppendCookie = cookieContext =>
CheckSameSite(cookieContext.Context, cookieContext.CookieOptions);
options.OnDeleteCookie = cookieContext =>
CheckSameSite(cookieContext.Context, cookieContext.CookieOptions);
});
}
public void Configure(IApplicationBuilder app)
{
app.UseCookiePolicy(); // Before UseAuthentication or anything else that writes cookies.
app.UseAuthentication();
// …
}
// Read comments in https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1
public bool DisallowsSameSiteNone(string userAgent)
{
// Check if a null or empty string has been passed in, since this
// will cause further interrogation of the useragent to fail.
if (String.IsNullOrWhiteSpace(userAgent))
return false;
// Cover all iOS based browsers here. This includes:
// - Safari on iOS 12 for iPhone, iPod Touch, iPad
// - WkWebview on iOS 12 for iPhone, iPod Touch, iPad
// - Chrome on iOS 12 for iPhone, iPod Touch, iPad
// All of which are broken by SameSite=None, because they use the iOS networking
// stack.
if (userAgent.Contains("CPU iPhone OS 12") ||
userAgent.Contains("iPad; CPU OS 12"))
{
return true;
}
// Cover Mac OS X based browsers that use the Mac OS networking stack.
// This includes:
// - Safari on Mac OS X.
// This does not include:
// - Chrome on Mac OS X
// Because they do not use the Mac OS networking stack.
if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14") &&
userAgent.Contains("Version/") && userAgent.Contains("Safari"))
{
return true;
}
// Cover Chrome 50-69, because some versions are broken by SameSite=None,
// and none in this range require it.
// Note: this covers some pre-Chromium Edge versions,
// but pre-Chromium Edge does not require SameSite=None.
if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
{
return true;
}
return false;
}
Kudos to Tanver at the Auth0 support desk for this resolution. Punchline is that for the SameSite=None cookie configuration to work via a chrome browser you must set your localhost webserver to run via https. Works like a hot damn.
A few notes on getting https to work with localhost… Auth0 has this article, but I found the best one for .net to actually be this one.
I did go through the mkcert process but pretty sure if you just use dotnet dev-certs https --trust
that should do it.
remember to change your callback on your ID provider to https.
on the stock github sample I changed the kestrel endpoint to this:
“kestrel”: {
“EndPoints”: {
“Https”: {
“Url”: “https://*:443”
}
}
}
