Nonce inside a0.spajs.txs cookie is blocked by Azure Front Door due to SQL injection threat

s.skillman · May 15, 2020, 5:32pm

Cross-posting as advised from nonce inside a0.spajs.txs cookie is blocked by Azure Front Door due to SQL injection threat · Issue #462 · auth0/auth0-spa-js · GitHub

We are having an issue whereby our Azure Front Door web application firewall is blocking requests to our /callback page after successful authentication on auth0. It seems auth0 sets a cookie for the SPA SDK which contains nonce that gets flagged by the WAF as being a threat due to a sequence of characters resembling a SQL injection.

We have added an exception in the WAF since it is no risk to us, but this may trip up others who are hosting their apps behind AFD’s WAF.

judydixon84 · May 5, 2021, 6:34pm

We are seeing this same issue. We tried adding an exclusion to the WAF to get around it but it is still getting blocked in the WAF. Tried both
{
“matchVariable”: “RequestCookieNames”,
“selectorMatchOperator”: “StartsWith”,
“selector”: “.AspNetCore.OpenIdConnect.Nonce”
}

and
{
“matchVariable”: “RequestCookieNames”,
“selectorMatchOperator”: “Contains”,
“selector”: “.AspNetCore.OpenIdConnect.Nonce”
}

Can you share what you added that worked?
Also tried to turn off the RequireNonce, by doing validator.RequireNonce = false;
But that crashed the app.

Topic		Replies	Views
The cookie .AspNetCore.OpenIdConnect.Nonce has set SameSite=None' and must also set 'Secure' Help login-experience , new-universal-login-experience	4	706	June 14, 2024
"@auth0/auth0-spa-js": "^1.12.1", Help api	8	4756	November 4, 2020
Nonce mismatch in OpenID Connect Enterprise Connections Help oidc	4	6382	December 7, 2019
Auth0-SPA-JS v2 is now GA! Announcements auth0-spa-js	0	2073	October 29, 2022
Getting IDX21323 : RequireNonce is 'PII is hidden' Help auth0 , login	5	7296	December 1, 2020

Nonce inside a0.spajs.txs cookie is blocked by Azure Front Door due to SQL injection threat

Related Topics