Nonce inside a0.spajs.txs cookie is blocked by Azure Front Door due to SQL injection threat

Cross-posting as advised from nonce inside a0.spajs.txs cookie is blocked by Azure Front Door due to SQL injection threat · Issue #462 · auth0/auth0-spa-js · GitHub

We are having an issue whereby our Azure Front Door web application firewall is blocking requests to our /callback page after successful authentication on auth0. It seems auth0 sets a cookie for the SPA SDK which contains nonce that gets flagged by the WAF as being a threat due to a sequence of characters resembling a SQL injection.

We have added an exception in the WAF since it is no risk to us, but this may trip up others who are hosting their apps behind AFD’s WAF.


We are seeing this same issue. We tried adding an exclusion to the WAF to get around it but it is still getting blocked in the WAF. Tried both
{
  "matchVariable": "RequestCookieNames",
  "selectorMatchOperator": "StartsWith",
  "selector": ".AspNetCore.OpenIdConnect.Nonce"
}

and
{
  "matchVariable": "RequestCookieNames",
  "selectorMatchOperator": "Contains",
  "selector": ".AspNetCore.OpenIdConnect.Nonce"
}

Can you share what you added that worked?
Also tried to turn off RequireNonce by setting validator.RequireNonce = false;
but that crashed the app.
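The original report names the cookie that trips the WAF as a0.spajs.txs (set by the auth0-spa-js SDK), whereas the two exclusions above match on the ASP.NET Core OpenID Connect nonce cookie name, so a WAF exclusion keyed on a0.spajs.txs is the narrowest fix suggested by the thread. The exclusion object below is an added example, not the configuration either poster shared: the first poster did not publish their exclusion, so matching on the exact cookie name with Equals is an assumption about what is needed, and the surrounding managed rule set, rule group and policy names are left as placeholders because the page does not state them.

```json
{
  "managedRuleSets": [
    {
      "ruleSetType": "PLACEHOLDER_RULE_SET_TYPE",
      "ruleSetVersion": "PLACEHOLDER_RULE_SET_VERSION",
      "exclusions": [
        {
          "matchVariable": "RequestCookieNames",
          "selectorMatchOperator": "Equals",
          "selector": "a0.spajs.txs"
        }
      ]
    }
  ]
}
```

Keeping the exclusion scoped to a single cookie name, rather than disabling the SQL injection rule group for the whole policy, means the rest of the request (query string, body, other cookies) is still inspected; the exclusion only stops the WAF from evaluating the random nonce value in that one cookie. If the exclusion still does not take effect, compare the cookie name the browser actually sends on the /callback request against the selector character for character, since Equals will not match a prefixed or suffixed variant of the name.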