Open Web Interface for .NET Cannot Login, "IDX21323: RequireNonce is '[PII is hidden]'" or "RequireNonce is 'True'"

Problem statement

When building an ASP.NET app with Open Web Interface for .NET (OWIN), an error occurs with the message “IDX21323: RequireNonce is ‘[PII is hidden]’” or “RequireNonce is ‘True’” after the password and the MFA code are entered. It is reproduced only when a couple of minutes pass before the login flow completes, which typically happens when delivery of the SMS MFA code is delayed.

Symptoms

Full error message:

Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolInvalidNonceException: IDX21323: RequireNonce is ‘[PII is hidden]’. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don’t need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to ‘false’. Note if a ‘nonce’ is found it will be evaluated.

(Note: the “IDX21323: RequireNonce is ‘[PII is hidden]’” part can be “IDX21323: RequireNonce is ‘True’” instead.)

Steps to reproduce

(1) Use the Quickstart app: Auth0 ASP.NET (OWIN) SDK Quickstarts: Login
(2) Start the login flow. Input an email.
(3) Before entering the password, wait for 2 minutes.
(4) Enter the password and submit.
(5) The /callback endpoint returns 500 with the error message “IDX21323: RequireNonce is ‘True’. OpenIdConnectProtocolValidationContext.Nonce was null…”

Waiting more than 2 minutes before submitting credentials makes the app fail to validate the “nonce” parameter, which the OWIN middleware stores in a cookie at the start of the login flow. Once that cookie is more than 2 minutes old, the browser no longer attaches it to the cross-site POST request to /callback, so the middleware sees a nonce in the ID token but none in its cookie.

Successful (when finishing the login flow in under 2 minutes):
[Screenshot: successful login, flow completed in under 2 minutes]

Failed (when waiting more than 2 minutes):
[Screenshot: failed login, flow completed after more than 2 minutes]

Troubleshooting

Record a HAR file of the login flow. In the HAR file, locate the POST request to /callback (Auth0 returns the login response to the app with a cross-site POST) and check whether the nonce cookie set by the OWIN OpenID Connect middleware is attached to that request. In the failing case the Cookie header on the /callback request does not contain the nonce cookie, even though the same cookie was set earlier in the capture.

Cause

This issue can occur when the app is served over plain HTTP (unencrypted) on localhost. The nonce cookie is then set without the “Secure” attribute, and a cookie without “Secure” cannot carry SameSite=None, so Chromium treats it as a SameSite=Lax cookie, which is not sent on cross-site POST requests.

In the following scenario, Chromium will not attach cross-site cookies:

  • Visit website A (your application) and receive some cookies.
  • Then visit website B (the Auth0 tenant).
  • When website B makes a top-level POST request back to website A (the /callback), cookies issued by website A that are not marked “SameSite=None; Secure” are not attached.

The 2 minute delay comes from a “Grace Period” Chromium applies before enforcing this, as described in the Chromium FAQ. Specifically, a cookie with no SameSite attribute that is at most 2 minutes old is still sent on a top-level cross-site POST request. The nonce cookie is set when the login flow starts, so a flow that finishes within 2 minutes succeeds and one that finishes later fails.
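To make the rule above concrete, here is an added example (not from the article and not Chromium's code) that models Chromium's SameSite decision for a single cookie and request, including the two-minute grace period for cookies that have no SameSite attribute. It simplifies two things, both assumptions: the registrable domain is taken as the last two host labels, and a Secure cookie is only sent to an https URL (Chromium's localhost exemption is not modelled). The tenant host name and timestamps are constructed.

```javascript
// Added example, not part of the original article or of Chromium. A model of
// Chromium's SameSite rules showing why the nonce cookie reaches the cross-site
// POST to /callback only during the first two minutes after it was set.
// Assumptions: registrable domain = last two labels; Secure cookies need an
// https request URL (the localhost exemption is not modelled).
const LAX_POST_GRACE_MS = 2 * 60 * 1000;
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

function registrableDomain(host) {
  const labels = host.split(".");
  return labels.length <= 2 ? host : labels.slice(-2).join(".");
}

function isCrossSite(initiator, target) {
  return registrableDomain(new URL(initiator).hostname) !== registrableDomain(new URL(target).hostname);
}

// cookie:  { name, secure: bool, sameSite: "None" | "Lax" | "Strict" | undefined, setAt: ms }
// request: { method, url, initiator, topLevel: bool, now: ms }
// Returns { sent: bool, reason: string }.
function cookieWillBeSent(cookie, request) {
  if (cookie.sameSite === "None" && !cookie.secure) {
    return { sent: false, reason: "SameSite=None without Secure is rejected when the cookie is set" };
  }
  if (cookie.secure && new URL(request.url).protocol !== "https:") {
    return { sent: false, reason: "Secure cookie is not sent over http" };
  }
  if (!isCrossSite(request.initiator, request.url)) {
    return { sent: true, reason: "same-site request" };
  }
  const method = request.method.toUpperCase();
  switch (cookie.sameSite) {
    case "None":
      return { sent: true, reason: "SameSite=None; Secure travels cross-site" };
    case "Strict":
      return { sent: false, reason: "SameSite=Strict never travels cross-site" };
    case "Lax":
      return request.topLevel && SAFE_METHODS.has(method)
        ? { sent: true, reason: "explicit Lax, top-level safe navigation" }
        : { sent: false, reason: "explicit Lax blocks cross-site " + method };
    default: {
      // No SameSite attribute: treated as Lax, but an unsafe top-level
      // navigation (the POST to /callback) still gets the cookie while it is
      // at most two minutes old ("Lax-allowing-unsafe").
      if (!request.topLevel) return { sent: false, reason: "defaulted Lax, subresource request" };
      if (SAFE_METHODS.has(method)) return { sent: true, reason: "defaulted Lax, safe navigation" };
      const ageSec = Math.round((request.now - cookie.setAt) / 1000);
      if (request.now - cookie.setAt <= LAX_POST_GRACE_MS) {
        return { sent: true, reason: `defaulted Lax, ${method} within grace period (${ageSec}s old)` };
      }
      return { sent: false, reason: `defaulted Lax, ${method} outside grace period (${ageSec}s old)` };
    }
  }
}

// The article's scenario: nonce cookie set by http://localhost:3000, and the
// Auth0 tenant (constructed host name) posts the response back to /callback.
function callbackFrom(now, url = "http://localhost:3000/callback") {
  return { method: "POST", url, initiator: "https://example.auth0.com/", topLevel: true, now };
}

const t0 = Date.UTC(2023, 9, 15, 12, 33, 0);
const nonceCookie = { name: "OpenIdConnect.nonce.x", secure: false, sameSite: undefined, setAt: t0 };
for (const delaySec of [90, 150]) {
  console.log(`${delaySec}s:`, cookieWillBeSent(nonceCookie, callbackFrom(t0 + delaySec * 1000)));
}
const fixedCookie = { ...nonceCookie, sameSite: "None", secure: true };
console.log("fixed:", cookieWillBeSent(fixedCookie, callbackFrom(t0 + 600000, "https://localhost:44300/callback")));
```

Running it shows the cookie being sent at 90 seconds and withheld at 150 seconds, and sent at any age once it is marked "SameSite=None; Secure" and the app is served over HTTPS; the same cookie marked SameSite=None without Secure is never sent because Chromium refuses to store it.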

Solution

Serve the app over HTTPS so the nonce cookie gets the “Secure” attribute.
The OWIN library adds the “Secure” attribute to the nonce cookie automatically when the app is served over HTTPS.
Chromium only accepts SameSite=None on cookies that are also marked “Secure”, so this cannot work on localhost served over plain HTTP.

If it doesn’t solve the issue, try the “SameSite=None” setting.

Note this is only example code and is not production ready (CookieSameSite requires Microsoft.Owin 4.1 or later). It configures the session cookie written by the cookie authentication middleware; after the change, confirm in a HAR capture that the nonce cookie on the /callback request carries “SameSite=None; Secure” as well.

using Microsoft.Owin;                     // SameSiteMode
using Microsoft.Owin.Security.Cookies;    // CookieAuthenticationOptions

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    // other options...

    // SameSite=None is only honoured when the cookie is also marked Secure,
    // which the middleware does when the request arrives over HTTPS.
    CookieSameSite = SameSiteMode.None,
});