The cookie .AspNetCore.OpenIdConnect.Nonce has set SameSite=None' and must also set 'Secure'

psantosl · June 13, 2024, 5:10pm

Hi Andrea,

We were finally able to fix it a few hours ago.

Problems we found:

The official examples use a .cshtml page to implement the login (and logout). Since cshtml wasn’t loaded by the Blazor app (no idea how to make it work, never worked), we implemented a Login.razor as follows:

@page "/login"
@using Auth0.AspNetCore.Authentication
@using Microsoft.AspNetCore.Authentication;
@inject IHttpContextAccessor HttpContextAccessor



@code {
    
    private string redirectUri = "";

    protected override async Task OnInitializedAsync()
    {
        var authenticationProperties = new LoginAuthenticationPropertiesBuilder()
                .WithRedirectUri(redirectUri)
                .Build();

        await HttpContextAccessor.HttpContext.ChallengeAsync(Auth0Constants.AuthenticationScheme, authenticationProperties);
    }

    
}

For some reason I don’t know, this provoked the infinite loop. The login “seemed to work” but when returning to the callback, it stayed there forever, loading some Nounce cookie again and again until the error was that the headers were too long.

Then we deleted these 2 razor pages (Login as above and Logout) and used this one as explained in your blogpost: Add Auth0 Authentication to Blazor Web Apps

app.MapGet("/Account/Login", async (HttpContext httpContext, string redirectUri = "/") =>
{
  var authenticationProperties = new LoginAuthenticationPropertiesBuilder()
          .WithRedirectUri(redirectUri)
          .Build();
  await httpContext.ChallengeAsync(Auth0Constants.AuthenticationScheme, authenticationProperties);
});

app.MapGet("/Account/Logout", async (HttpContext httpContext, string redirectUri = "/") =>
{
  var authenticationProperties = new LogoutAuthenticationPropertiesBuilder()
          .WithRedirectUri(redirectUri)
          .Build();
  await httpContext.SignOutAsync(Auth0Constants.AuthenticationScheme, authenticationProperties);
  await httpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
});

Then everything started to work.

By the way, we had to add this too since inside Container Apps the code doesn’t use HTTPS (this is handled outside):

app.UseForwardedHeaders(new ForwardedHeadersOptions
{	{
      ForwardedHeaders = ForwardedHeaders.XForwardedProto	      ForwardedHeaders = ForwardedHeaders.XForwardedProto
});	});


app.UseCookiePolicy(new CookiePolicyOptions	app.UseAuthentication();
{	app.UseAuthorization();
    HttpOnly = HttpOnlyPolicy.Always,	
    MinimumSameSitePolicy = SameSiteMode.None,
}

This happens before

app.UseAuthentication();

Otherwise I believe nothing works.

Hope it helps others.

Topic		Replies	Views
.NET Blazor App and Auth0 Help identifier-first , login-experience	2	99	July 9, 2024
What is Blazor? A Tutorial on Building Web Apps with Authentication Blog Discussions .net , aspnet-core , net-core , blazor , dotnet	173	23431	May 30, 2024
Auth0 + Azure Container Apps + Azure APIM + dotnet blazor Help configuration , application	3	39	September 5, 2024
Auth0 Blazor wrong redirect_url behind NGINX reverse proxy Help classic-universal-login-experience , login-experience	3	133	August 15, 2024
AspNetCore.Authentication issue with login path and redirect_uri Help login-experience , new-universal-login-experience	1	507	July 2, 2024

The cookie .AspNetCore.OpenIdConnect.Nonce has set SameSite=None' and must also set 'Secure'

Related Topics