Menu
We have some users who cannot connect to our platform via Google. When this happens, it's always for a specific device, but with the information we have so far, it's not all the same device kind (to be confirmed).
We're using ASP.NET Core (and Identity Server 4).
The error on our side is that upon returning from the oauth flow, the correlation cookie set by ASP.NET identity is gone. We have verified that it's well set at the beginning, and is valid. It's not an issue about data protection (we do have this in place). We can reproduce on two iPads with iOS 12, no matter which account we try to connect with. All those accounts can connect on other devices, including iPads with iOS 13.
So we're trying to isolate what could make those specific devices fail. Also, it seems this only started to happen recently, and we can't identify what change could have triggered this on our side.
Updating an iPad from iOS 12 to iOS 13 solves the issue.
269
This correlation cookie remembers security data such as the request ID, relay state, and the ASP.NET authentication properties. By default, the correlation cookie has its SameSite flag set to None and a SecurePolicy of CookieSecurePolicy.
CookieAuth: CookiePolicyOptions provides programmatic configuration for the CookiePolicyMiddleware. services. Configure<CookiePolicyOptions>(options => { options. HttpOnly = true; ... }); This part is a set up of the Cookie policy in terms of privacy, GDPR(for Europe) and other policies.
Maybe you can use this code in AddOpenIdConnect("").
If you use .net core > 2.*
options.NonceCookie.SameSite = (SameSiteMode) (-1);
options.CorrelationCookie.SameSite = (SameSiteMode) (-1);
If you use .net > 3.*
options.NonceCookie.SameSite = SameSiteMode.Unspecified;
options.CorrelationCookie.SameSite = SameSiteMode.Unspecified;
On 2019/11/19, .NET Core v2.2.8 was released. This version includes this change, which mentions in the patch notes:
Risk: Medium. The SameSite changes are known to be incompatible with older OSs and browsers, especially iOS 12 and OSX Mojave (latest - 1). These represent a small but influential portion of the web client user base. Updating to the latest OS version addresses the incompatibility.
Since our Docker images are based on mcr.microsoft.com/dotnet/core/aspnet:2.2, an irrelevant update which happened on Dec. 3rd pushed that update to our servers.
This blog post explains the situation in more details, but in short:
set-cookie does not specify a SameSite value, instead of defaulting to None
SameSite=None, ASP.NET Core was not sending the SameSite value to set-cookie, assuming that browsers default to None
SameSite=None
SameSite=None as SameSite=Strict (see this webkit bug for details)Though we could revert to 2.2.7, the upcoming Chrome update (80) would stop working. Fortunately, this article clearly states the proper course of action: we need to implement user agent sniffing and not send the SameSite=None to user agents which do not support it. This comment mentions suggested user agents to filter, which looks good.
37
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With