The cookie .AspNetCore.OpenIdConnect.Nonce has set SameSite=None' and must also set 'Secure'

Help
,
3

Hi Andrea,

We were finally able to fix it a few hours ago.

Problems we found:

  1. The official examples use a .cshtml page to implement the login (and logout). Since cshtml wasn’t loaded by the Blazor app (no idea how to make it work, never worked), we implemented a Login.razor as follows:
@page "/login"
@using Auth0.AspNetCore.Authentication
@using Microsoft.AspNetCore.Authentication;
@inject IHttpContextAccessor HttpContextAccessor



@code {
    
    private string redirectUri = "";

    protected override async Task OnInitializedAsync()
    {
        var authenticationProperties = new LoginAuthenticationPropertiesBuilder()
                .WithRedirectUri(redirectUri)
                .Build();

        await HttpContextAccessor.HttpContext.ChallengeAsync(Auth0Constants.AuthenticationScheme, authenticationProperties);
    }

    
}

For some reason I don’t know, this provoked the infinite loop. The login “seemed to work” but when returning to the callback, it stayed there forever, loading some Nounce cookie again and again until the error was that the headers were too long.

  1. Then we deleted these 2 razor pages (Login as above and Logout) and used this one as explained in your blogpost: Add Auth0 Authentication to Blazor Web Apps
app.MapGet("/Account/Login", async (HttpContext httpContext, string redirectUri = "/") =>
{
  var authenticationProperties = new LoginAuthenticationPropertiesBuilder()
          .WithRedirectUri(redirectUri)
          .Build();
  await httpContext.ChallengeAsync(Auth0Constants.AuthenticationScheme, authenticationProperties);
});

app.MapGet("/Account/Logout", async (HttpContext httpContext, string redirectUri = "/") =>
{
  var authenticationProperties = new LogoutAuthenticationPropertiesBuilder()
          .WithRedirectUri(redirectUri)
          .Build();
  await httpContext.SignOutAsync(Auth0Constants.AuthenticationScheme, authenticationProperties);
  await httpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
});

Then everything started to work.

By the way, we had to add this too since inside Container Apps the code doesn’t use HTTPS (this is handled outside):

app.UseForwardedHeaders(new ForwardedHeadersOptions
{	{
      ForwardedHeaders = ForwardedHeaders.XForwardedProto	      ForwardedHeaders = ForwardedHeaders.XForwardedProto
});	});


app.UseCookiePolicy(new CookiePolicyOptions	app.UseAuthentication();
{	app.UseAuthorization();
    HttpOnly = HttpOnlyPolicy.Always,	
    MinimumSameSitePolicy = SameSiteMode.None,
}

This happens before

app.UseAuthentication();

Otherwise I believe nothing works.

Hope it helps others.

1 Like