.NET IDX21323 Error

Problem statement

This article explains the cause of the following error:

IDX21323: RequireNonce is 'True'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.

Cause

The error is due to the nonce cookie not being present in the request, as indicated by 'OpenIdConnectProtocolValidationContext.Nonce was null'. The ID token returned by the identity provider carries a nonce ('ValidatedIdToken.Payload.Nonce was not null'), but the cookie holding the expected value is missing, so the middleware cannot compare the two and rejects the sign-in.

Solution

The nonce cookie is set with SameSite=None and the Secure flag, and it has a 15-minute lifetime. This works in all current browsers as long as the user completes the login within 15 minutes, so that the cookie still exists when the identity provider's response arrives.

There is one caveat for old browsers: the None value is not defined for them. If it is set explicitly, they treat it as Strict, so the browser does not send the nonce cookie on the cross-site response from the identity provider, and the error above appears. The following Microsoft documentation has a solution in a sample function named DisallowsSameSiteNone: SameSite cookies and the Open Web Interface for .NET (OWIN).
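As an added example (not code from this article or from the Microsoft sample), the following shows how such a check is wired into the OWIN OpenID Connect middleware: a cookie manager wrapper that omits the SameSite attribute for user agents that would misread None as Strict. The user-agent test is an abbreviated stand-in; the full list belongs in the DisallowsSameSiteNone sample the article names. It assumes Microsoft.Owin 4.1 or later, where CookieOptions.SameSite and OpenIdConnectAuthenticationOptions.CookieManager exist.

```csharp
using Microsoft.Owin;
using Microsoft.Owin.Infrastructure;
using Microsoft.Owin.Host.SystemWeb;
using Microsoft.Owin.Security.OpenIdConnect;

// Wraps the real cookie manager and drops SameSite=None for legacy user agents,
// so the OpenIdConnect.nonce cookie is stored and sent back on the cross-site response.
public class SameSiteCookieManager : ICookieManager
{
    private readonly ICookieManager _inner;

    public SameSiteCookieManager(ICookieManager inner) { _inner = inner; }

    public string GetRequestCookie(IOwinContext context, string key)
        => _inner.GetRequestCookie(context, key);

    public void AppendResponseCookie(IOwinContext context, string key, string value, CookieOptions options)
    {
        CheckSameSite(context, options);
        _inner.AppendResponseCookie(context, key, value, options);
    }

    public void DeleteCookie(IOwinContext context, string key, CookieOptions options)
    {
        CheckSameSite(context, options);
        _inner.DeleteCookie(context, key, options);
    }

    private static void CheckSameSite(IOwinContext context, CookieOptions options)
    {
        // Only SameSite=None is affected; Lax and Strict are understood by every browser.
        if (options.SameSite == SameSiteMode.None
            && DisallowsSameSiteNone(context.Request.Headers["User-Agent"]))
        {
            options.SameSite = null; // omit the attribute entirely for this client
        }
    }

    // Abbreviated stand-in (assumption): replace with the complete user-agent list
    // from the DisallowsSameSiteNone sample in the Microsoft documentation.
    private static bool DisallowsSameSiteNone(string userAgent)
    {
        if (string.IsNullOrEmpty(userAgent)) return false;
        return userAgent.Contains("CPU iPhone OS 12")      // iOS 12 networking stack
            || userAgent.Contains("iPad; CPU OS 12")
            || userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"); // Chrome 50-69
    }
}

// In Startup.Auth.cs, route the middleware's cookies through the wrapper (assumed placement):
//   CookieManager = new SameSiteCookieManager(new SystemWebCookieManager())
// inside the OpenIdConnectAuthenticationOptions passed to app.UseOpenIdConnectAuthentication.
```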