What could cause a correlation cookie to not be returned on specific devices

We have some users who cannot connect to our platform via Google. When this happens, it's always for a specific device, but with the information we have so far, it's not all the same device kind (to be confirmed).

We're using ASP.NET Core (and Identity Server 4).

The error on our side is that upon returning from the oauth flow, the correlation cookie set by ASP.NET identity is gone. We have verified that it's well set at the beginning, and is valid. It's not an issue about data protection (we do have this in place). We can reproduce on two iPads with iOS 12, no matter which account we try to connect with. All those accounts can connect on other devices, including iPads with iOS 13.

So we're trying to isolate what could make those specific devices fail. Also, it seems this only started to happen recently, and we can't identify what change could have triggered this on our side.

Update 1

Updating an iPad from iOS 12 to iOS 13 solves the issue.

Martin Plante, asked Dec 12 '19 18:12



2 Answers

Maybe you can use this code in AddOpenIdConnect("").

If you use .net core > 2.*

// 2.x has no SameSiteMode.Unspecified member; casting -1 tells the framework to omit the SameSite attribute
options.NonceCookie.SameSite = (SameSiteMode)(-1);
options.CorrelationCookie.SameSite = (SameSiteMode)(-1);

If you use .net > 3.*

// 3.x: Unspecified means the SameSite attribute is not written at all
options.NonceCookie.SameSite = SameSiteMode.Unspecified;
options.CorrelationCookie.SameSite = SameSiteMode.Unspecified;

Çağdaş Karademir, answered Nov 15 '22 11:11


On 2019/11/19, .NET Core v2.2.8 was released. This version includes this change, which mentions in the patch notes:

Risk: Medium. The SameSite changes are known to be incompatible with older OSs and browsers, especially iOS 12 and OSX Mojave (latest - 1). These represent a small but influential portion of the web client user base. Updating to the latest OS version addresses the incompatibility.

Since our Docker images are based on mcr.microsoft.com/dotnet/core/aspnet:2.2, an irrelevant update which happened on Dec. 3rd pushed that update to our servers.

This blog post explains the situation in more detail, but in short:

  • Chrome v80 will start defaulting to Lax when a set-cookie does not specify a SameSite value, instead of defaulting to None
  • When setting a cookie's SameSite=None, ASP.NET Core was not sending the SameSite value to set-cookie, assuming that browsers default to None
  • Starting with v2.2.8, ASP.NET Core is always sending SameSite=None
  • Safari on iOS 12 and macOS 10.14 Mojave treat SameSite=None as SameSite=Strict (see this webkit bug for details)
  • Therefore, our correlation cookie is treated as strict on those OSes, which means that it is not sent back as intended.

Though we could revert to 2.2.7, the upcoming Chrome update (80) would stop working. Fortunately, this article clearly states the proper course of action: we need to implement user agent sniffing and not send the SameSite=None to user agents which do not support it. This comment mentions suggested user agents to filter, which looks good.

Martin Plante, answered Nov 15 '22 12:11
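A worked version of the fix that both answers point to, added here as an example; it is not code from the question, from either answer, or from ASP.NET Core itself. The first answer blanks the SameSite attribute for every client, which keeps iOS 12 working but gives up the explicit SameSite=None that Chrome 80+ needs for the cross-site return leg. The second answer's approach keeps SameSite=None by default and removes the attribute only for user agents known to misread it (Safari on iOS 12, Safari on macOS 10.14, Chrome 50-69), using the CookiePolicyOptions callbacks that run on every cookie appended to a response, including the OpenID Connect correlation and nonce cookies. ConfigureSameSiteCookiePolicy is a hypothetical Startup helper, and the user-agent substrings are assumptions taken from the commonly circulated filter list rather than from this page.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Added example (not from the question, the answers, or ASP.NET Core): per-request
// decision on whether a SameSite=None cookie can be emitted as-is, or whether the
// attribute must be omitted because the client would treat "None" as "Strict" and
// drop the cookie when the OAuth provider redirects back to us.
public static class SameSiteCompat
{
    // Returns true for user agents known to mishandle SameSite=None.
    // The substrings below are assumptions based on the commonly cited filter list.
    public static bool DisallowsSameSiteNone(string userAgent)
    {
        if (string.IsNullOrEmpty(userAgent))
            return false;

        // Every browser on iOS 12 shares the iOS networking stack, so Safari,
        // Chrome and WKWebView on iOS 12 are all affected.
        if (userAgent.Contains("CPU iPhone OS 12") || userAgent.Contains("iPad; CPU OS 12"))
            return true;

        // Safari on macOS 10.14 Mojave uses the OS networking stack; Chrome on the
        // same OS does not and is fine ("Version/" is what marks Safari itself).
        if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14")
            && userAgent.Contains("Version/") && userAgent.Contains("Safari"))
            return true;

        // Chrome 50-69 rejects cookies carrying SameSite=None, and none of those
        // versions need the attribute to send a cookie cross-site.
        if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
            return true;

        return false;
    }

    // Rewrites the cookie options in place: SameSite=None becomes "unspecified"
    // (attribute not written) for clients that cannot handle it. Lax and Strict
    // cookies are left untouched.
    public static void CheckSameSite(HttpContext httpContext, CookieOptions options)
    {
        if (options.SameSite != SameSiteMode.None)
            return;

        var userAgent = httpContext.Request.Headers["User-Agent"].ToString();
        if (DisallowsSameSiteNone(userAgent))
        {
            // ASP.NET Core 3.x: SameSiteMode.Unspecified. On 2.2.8 use (SameSiteMode)(-1).
            options.SameSite = SameSiteMode.Unspecified;
        }
    }

    // Hypothetical Startup.ConfigureServices excerpt wiring the callbacks up.
    public static void ConfigureSameSiteCookiePolicy(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            // Do not let the policy middleware impose a minimum SameSite value,
            // otherwise it would overwrite what the callbacks decide below.
            options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
            options.OnAppendCookie = ctx => CheckSameSite(ctx.Context, ctx.CookieOptions);
            options.OnDeleteCookie = ctx => CheckSameSite(ctx.Context, ctx.CookieOptions);
        });
    }
}
```

The callbacks only run for cookies that pass through the cookie policy middleware, so app.UseCookiePolicy() has to sit in the pipeline before app.UseAuthentication(); otherwise the correlation cookie is appended before the policy has a chance to rewrite it. When diagnosing a case like the one in the question, compare the Set-Cookie header of the initial challenge response between an affected and an unaffected device: the affected client receives SameSite=None and never returns the cookie, which is exactly the symptom this filter removes.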