Silent Authentication - Correlation Failed

After successful silent authentication, i am getting “Correlation Failed” error due to session cookies are not building up for second application .

I’m following below Auth0 tutorial for Silent Authentication Implementation:

Any help in this regard would be appreciated.

Hey there @sonia.shah, I’m sorry for the delay in response.

One of our senior engineers has put together a great response for this problem in the past which I will quote below:

The “Correlation failed” message is the .Net OIDC SDK’s login CSRF attack protection at work. The OAuth2 protocol, on which OIDC is based, asks client applications to use the state parameter to ensure that the authentication response received in the application matches a request done by the same user.

The .Net OIDC stack stores a correlation id in a cookie and includes the same value in the state parameter. When receiving the authentication response (which contains the same state used in the request) it checks that the correlation id in the state can be found in a cookie, thus ensuring that the browser from where the authentication response is delivered also initiated the request.

The “Sign in” feature essentially generates an authentication response that the application didn’t ask for (and it can’t provide a state ), so every client application that correctly implements the OAuth2 protocol will fail the correlation check. This check was less common a few years ago, but as implementors start using the appropriate security measures the “Sign in as” flow becomes essentially impossible to use.

In the event this did not help you or you have since overcame the challenge please let me know. Due to the age of the topic, I will keep this open for another ten days unless I hear otherwise from you. Also if you have any additional questions feel free to ask!

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.