Critical login issue with ASP.NET MVC 5

Please include the following information in your post:

  • Which SDK this is regarding: Auth0 .NET SDK
  • SDK Version: 7.8.0
  • Platform Version: ASP.NET MVC 5

We are facing a random login issue in our application.
Our middleware (OWIN) redirects to the Auth0 login page. We enter the login credentials successfully and we are redirected to our callback URL.
At this point seems as the token is not accepted by the middleware and we are redirected another time to the Auth0 login page.

This is a sample of the requests flow:
image

We are facing this critical problem since the May 12th, but we didn’t change our code.

Here you can find the code snippet of the Auth= configuration:
private static void InitAuth0(IAppBuilder app)
{
// Configure Auth0 parameters
string auth0Domain = Auth0Helper.Domain;
string auth0ClientId = Auth0Helper.ClientId;
string auth0ClientSecret = Auth0Helper.ClientSecret;
string auth0RedirectUri = Auth0Helper.RedirectUri;
string auth0PostLogoutRedirectUri = Auth0Helper.PostLogoutRedirectUri;

        // Enable the Cookie saver middleware to work around a bug in the OWIN implementation
        app.UseKentorOwinCookieSaver();

        // Set Cookies as default authentication type
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            LoginPath = new PathString("/Account/Login"),

            CookieSecure = CookieSecureOption.SameAsRequest
        });

        // Configure Auth0 authentication
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            AuthenticationType = "Auth0",

            Authority = $"https://{auth0Domain}",

            ClientId = auth0ClientId,
            ClientSecret = auth0ClientSecret,

            RedirectUri = auth0RedirectUri,
            PostLogoutRedirectUri = auth0PostLogoutRedirectUri,

            ResponseType = OpenIdConnectResponseType.CodeIdTokenToken,
            Scope = "openid profile email",

            TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name",
                RoleClaimType = "https://schemas.maitsa.com/roles",
                
            },

            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = notification =>
                {
                    notification.AuthenticationTicket.Identity.AddClaim(new Claim("id_token", notification.ProtocolMessage.IdToken));
                    notification.AuthenticationTicket.Identity.AddClaim(new Claim("access_token", notification.ProtocolMessage.AccessToken));
                    //notification.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, notification.ProtocolMessage.UserId));
                    return Task.FromResult(0);
                },
                RedirectToIdentityProvider = notification =>
                {
                    if (notification.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication)
                    {
                        notification.ProtocolMessage.SetParameter("audience", "https://dev-maitsa.eu.auth0.com/api/v2/");
                    }
                    else if (notification.ProtocolMessage.RequestType == OpenIdConnectRequestType.Logout)
                    {
                        var logoutUri = $"https://{auth0Domain}/v2/logout?client_id={auth0ClientId}";

                        var postLogoutUri = notification.ProtocolMessage.PostLogoutRedirectUri;
                        if (!string.IsNullOrEmpty(postLogoutUri))
                        {
                            if (postLogoutUri.StartsWith("/"))
                            {
                                // transform to absolute
                                var request = notification.Request;
                                postLogoutUri = request.Scheme + "://" + request.Host + request.PathBase + postLogoutUri;
                            }
                            logoutUri += $"&returnTo={ Uri.EscapeDataString(postLogoutUri)}";
                        }

                        notification.Response.Redirect(logoutUri);
                        notification.HandleResponse();
                    }
                    return Task.FromResult(0);
                },
                AuthenticationFailed = async authFailed =>
                {
                    if (authFailed.Exception.Message.Contains("IDX21323"))
                    {
                        if (authFailed?.Request?.Cookies != null)
                        {
                            foreach (var nonceCookie in authFailed.Request.Cookies.Where(c => c.Key.Contains("OpenIdConnect.nonce")))
                            {
                                authFailed.Response.Cookies.Delete(nonceCookie.Key);
                            }
                        }
                        authFailed.HandleResponse();
                        authFailed.OwinContext.Authentication.Challenge();
                    }
                    await Task.FromResult(true);
                }
            },

            CookieManager = new MaitsaCookieManager(),
            
        });
    }

public class MaitsaCookieManager : CookieManager, ICookieManager
{
public static readonly string CookiePath = $"{HostingEnvironment.ApplicationVirtualPath}/";
public new void AppendResponseCookie(IOwinContext context, string key, string value, CookieOptions options)
{
foreach (var cookie in context.Request.Cookies)
{
if(cookie.Key.Contains(“nonce”) && cookie.Key != key)
{
DeleteCookie(context, key, options);
}
}

        options.Expires = null;

        base.AppendResponseCookie(context, key, value, options);
    }
    public new void DeleteCookie(IOwinContext context, string key, CookieOptions options)
    {

        base.DeleteCookie(context, key, options);
    }

    public new string GetRequestCookie(IOwinContext context, string key)
    {
        return base.GetRequestCookie(context, key);
    }
}