The cookie .AspNetCore.OpenIdConnect.Nonce has set SameSite=None' and must also set 'Secure'

psantosl · June 12, 2024, 5:59pm

I’m new to auth0 and also to blazor server.

I’m creating a blazor server app. Integrated it with auth0 following the .net 8 tutorial: https://auth0.com/blog/auth0-authentication-blazor-web-apps/ thanks to @andrea.chiarelli .

Now, I deployed the app to Azure Container Apps: there basically the app run in HTTP, and the infrastructure handles the https thing. Nothing worked until I added this to Program.cs:

app.UseForwardedHeaders(new ForwardedHeadersOptions
{
      ForwardedHeaders = ForwardedHeaders.XForwardedProto
})

Now, when I try to login, I get a weird error when auth0 tries to go to the callback url: it simply throws a HTTP ERROR 431 and my Chrome stays kinda black.

It takes FOREVER to return from the login page in auth0.

If I check the code of my server, all the time it is taking forever, something like this is displayed in the log all the time:

  The cookie '.AspNetCore.OpenIdConnect.Nonce.CfDxxxxxxxxxx' has set 'SameSite=None' and must also set 'Secure'.

And no idea what to do after that.

Thanks

(BTW, no idea how to select the proper tags… I was trying to get dotnet and blazor)

andrea.chiarelli · June 13, 2024, 4:52pm

Hi @psantosl,
I’m not familiar with Azure Container Apps, but I don’t think it’s a specific problem with Auth0 and Blazor as much as it is with the configuration of an ASP.NET Core application within a container.

I can confirm that you need to forward headers. Not sure if forwarding just the protocol is enough. Have a look here to learn more.

Not sure if the HTTP 431 status code can depend on the correct header forwarding configuration. Otherwise, you can take a look at this article, which seems to address Kestrel’s configuration (not sure).

Finally, I would see if the previous investigations and fixes might also fix the cookie issue.

psantosl · June 13, 2024, 5:10pm

Hi Andrea,

We were finally able to fix it a few hours ago.

Problems we found:

The official examples use a .cshtml page to implement the login (and logout). Since cshtml wasn’t loaded by the Blazor app (no idea how to make it work, never worked), we implemented a Login.razor as follows:

@page "/login"
@using Auth0.AspNetCore.Authentication
@using Microsoft.AspNetCore.Authentication;
@inject IHttpContextAccessor HttpContextAccessor



@code {
    
    private string redirectUri = "";

    protected override async Task OnInitializedAsync()
    {
        var authenticationProperties = new LoginAuthenticationPropertiesBuilder()
                .WithRedirectUri(redirectUri)
                .Build();

        await HttpContextAccessor.HttpContext.ChallengeAsync(Auth0Constants.AuthenticationScheme, authenticationProperties);
    }

    
}

For some reason I don’t know, this provoked the infinite loop. The login “seemed to work” but when returning to the callback, it stayed there forever, loading some Nounce cookie again and again until the error was that the headers were too long.

Then we deleted these 2 razor pages (Login as above and Logout) and used this one as explained in your blogpost: Add Auth0 Authentication to Blazor Web Apps

app.MapGet("/Account/Login", async (HttpContext httpContext, string redirectUri = "/") =>
{
  var authenticationProperties = new LoginAuthenticationPropertiesBuilder()
          .WithRedirectUri(redirectUri)
          .Build();
  await httpContext.ChallengeAsync(Auth0Constants.AuthenticationScheme, authenticationProperties);
});

app.MapGet("/Account/Logout", async (HttpContext httpContext, string redirectUri = "/") =>
{
  var authenticationProperties = new LogoutAuthenticationPropertiesBuilder()
          .WithRedirectUri(redirectUri)
          .Build();
  await httpContext.SignOutAsync(Auth0Constants.AuthenticationScheme, authenticationProperties);
  await httpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
});

Then everything started to work.

By the way, we had to add this too since inside Container Apps the code doesn’t use HTTPS (this is handled outside):

app.UseForwardedHeaders(new ForwardedHeadersOptions
{	{
      ForwardedHeaders = ForwardedHeaders.XForwardedProto	      ForwardedHeaders = ForwardedHeaders.XForwardedProto
});	});


app.UseCookiePolicy(new CookiePolicyOptions	app.UseAuthentication();
{	app.UseAuthorization();
    HttpOnly = HttpOnlyPolicy.Always,	
    MinimumSameSitePolicy = SameSiteMode.None,
}

This happens before

app.UseAuthentication();

Otherwise I believe nothing works.

Hope it helps others.

andrea.chiarelli · June 14, 2024, 7:30am

Hey @psantosl,
Thank you so much for sharing your solution! That will help others for sure

I see that there was some mix up between .NET 7 and .NET 8 code
Glad to hear that you fixed it anyway!

system · June 28, 2024, 7:30am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Issues .NET Core, Auth0 and NGINX Help configuration , application	2	374	February 16, 2024
Login response cookie not set to Secure Help auth0 , login	0	1619	July 11, 2022
.NET Blazor App and Auth0 Help identifier-first , login-experience	2	111	July 9, 2024
Access token not recognized on subsequent calls to the API Help sessions , authentication-sessions	6	1526	April 18, 2023
What is Blazor? A Tutorial on Building Web Apps with Authentication Blog Discussions .net , aspnet-core , net-core , blazor , dotnet	173	23462	May 30, 2024

The cookie .AspNetCore.OpenIdConnect.Nonce has set SameSite=None' and must also set 'Secure'

Related topics