Reputation: 61
I've searched through the different SO answers and through the aspnet/Security issues on GitHub, but none of the solutions help. I have an issue with "Correlation failed", and the reason is that the correlation cookie is not being set, even though it is clearly in the response header of the redirect to Google.
Here's the response in Fiddler:
HTTP/1.1 302 Found
Location: https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=996823962179-1vvr5h2icjroveset9849e8aqdks1g66.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Flocalhost%2Fsignin-google&scope=openid%20profile%20email&state=CfDJ8EGRdEf8M7VDtyNKY6R10TxxM2kHFoDlOBkCQKoMQJXX3QPKcyH8quz80oy8Wd7Rq1Nnb-KhklzrC-XK4WOhikAVtJuFHIk_M4ZvLY8Le2FkjVNxJrHDsZeg7o1sMrABd_md1jxi-LelhURiB54SUAHbaJciseDc5NP897CSsrtYoPt_IWyqNOdxCjPntxwHYUzO2ZxIcfSLaLGu8rWlfHTEqvj_N7KQ0k8HQ8VwPYDXjAMwjjsGRdxR6dOl-vNfzfOqX0wZelvVsX5UIfzMjlCJ20lQxLIhlkhkpne14EYYNkJufqF4ZADD13jvsj4qnw
Server: Kestrel
Set-Cookie: .AspNetCore.Correlation.Google.WKzW6di96f3Fbh4ThkfIFHteUvNLusesaT0VjAMhrDU=N; expires=Sat, 17 Nov 2018 16:14:20 GMT; path=/signin-google; secure; samesite=strict; httponly
Set-Cookie: .AspNetCore.Mvc.CookieTempDataProvider=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; secure; samesite=strict; httponly
Date: Fri, 28 Dec 2018 03:45:54 GMT
Content-Length: 0
I have data protection set to store keys in one location, and that is working as expected. My source control is here: https://github.com/jjkesinger/charts/tree/master/Charts
Any ideas? Does TLS on the local machine have anything to do with it? I can clone this project to another machine and it works fine. The machine it isn't working on is a Windows 10 Dell Experion.
Upvotes: 5
Views: 8067
Reputation: 544
SameSiteMode.Lax does not log you in immediately.
You need to use this code:
    .AddGoogle(o =>
    {
        o.ClientId = _configuration.GetValue<string>("ClientId");
        o.ClientSecret = _configuration.GetValue<string>("ClientSecret");
        // Sign the external login into the Identity external cookie scheme
        o.SignInScheme = IdentityConstants.ExternalScheme;
        // Unspecified emits no SameSite attribute on the correlation cookie
        o.CorrelationCookie.SameSite = SameSiteMode.Unspecified;
    })
and it works!
Upvotes: 2
Reputation: 96
I had this issue as well and had to set the following options:
    services.AddAuthentication().AddGoogle(g =>
    {
        g.ClientId = "XXXXXXX";
        g.ClientSecret = "XXXXXX";
        // Lax: the cookie is still sent on the top-level GET from Google back to /signin-google
        g.CorrelationCookie.SameSite = SameSiteMode.Lax;
    });
The last line is what fixed my problem.
Upvotes: 6
Reputation: 363
I've been fighting this issue for over a week and finally got the solution from Tanver on the Auth0 help desk. SameSite.None requires you to run your web server (even localhost) via https. Fixed my problem!
Upvotes: 1
Reputation: 18739
Although in your case the real problem was that you had a cookie policy of samesite=strict, what this error normally means is that the REDIRECT_URI defined in the app registration at the identity provider does not correlate with (does not match) the value supplied in options.CallbackPath.
I think they say "correlate" rather than "match" because it doesn't have to be the same string. In the sample below I supply only /signin-microsoft because this correlates to both http://localhost:5000/signin-microsoft and https://production-domain-name/app-path.../signin-microsoft, both of which are defined in the app registration on Azure.
    .AddMicrosoftAccount(microsoftOptions =>
    {
        microsoftOptions.ClientId = Configuration["Authentication:Microsoft:ClientId"];
        microsoftOptions.ClientSecret = Configuration["Authentication:Microsoft:ClientSecret"];
        // SET THIS TO CORRELATE WITH REDIRECT_URI THAT YOU
        // DEFINED IN THE APP REGISTRATION AT THE APP PROVIDER
        microsoftOptions.CallbackPath = "/signin-microsoft";
    })
Despite being technically reasonable, this is a very unhelpful exception message. There's no reason they couldn't have said: "WRONG CALLBACK PATH. Provider did not call back on the path specified in options.CallbackPath. Ensure REDIRECT_URI in the app registration at the provider correlates to the value supplied in options.CallbackPath."
None of the samples specify a callback path, so chances are high that many people will not supply one at all (also leading to this problem).
Upvotes: 0
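The answers above name two separate causes of "Correlation failed": a SameSite=Strict correlation cookie (set on the redirect to the provider but never sent on the cross-site navigation back to /signin-google), and a CallbackPath that does not correlate with the redirect URI registered at the provider. The following is an added example, not code from the question or from any of the answers, showing one configuration that avoids both. It assumes ASP.NET Core 3.x or later (endpoint routing), ASP.NET Core Identity, and configuration keys named Authentication:Google:ClientId and Authentication:Google:ClientSecret; those names are assumptions chosen for illustration.

```csharp
// Added example, not from the original post. Assumes ASP.NET Core 3.x+ with
// Identity, and the configuration keys used below (assumed names).
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IConfiguration _configuration;

    public Startup(IConfiguration configuration) => _configuration = configuration;

    public void ConfigureServices(IServiceCollection services)
    {
        // Cause 1: a site-wide cookie policy of Strict is applied to every cookie,
        // including the correlation cookie. That cookie is set on the 302 *to* the
        // provider and must come back on the top-level navigation *from* the
        // provider. Browsers never send Strict cookies on a cross-site navigation,
        // so the handler never sees it. Lax cookies are sent on top-level GETs,
        // which is exactly what the OAuth callback is.
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.MinimumSameSitePolicy = SameSiteMode.Lax;
            options.Secure = CookieSecurePolicy.Always;
        });

        services.AddAuthentication()
            .AddGoogle(options =>
            {
                options.ClientId = _configuration["Authentication:Google:ClientId"];
                options.ClientSecret = _configuration["Authentication:Google:ClientSecret"];
                options.SignInScheme = IdentityConstants.ExternalScheme;

                // Lax is the narrowest SameSite value that still survives the
                // round trip through the provider. SameSite=None also works, but
                // browsers only accept None together with Secure, so the app
                // (localhost included) must then be served over HTTPS.
                options.CorrelationCookie.SameSite = SameSiteMode.Lax;
                options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.Always;
                options.CorrelationCookie.HttpOnly = true;

                // Cause 2: this path must correlate with the redirect URI registered
                // at the provider. The question's redirect_uri ends in /signin-google,
                // which is also the handler's default; it is set explicitly here so
                // the dependency on the app registration is visible in code.
                options.CallbackPath = "/signin-google";
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseHttpsRedirection();
        app.UseRouting();
        // Cookie policy must run before authentication so MinimumSameSitePolicy
        // is applied to the correlation cookie the Google handler writes.
        app.UseCookiePolicy();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

Two checks worth making against a captured response like the one in the question: the Set-Cookie line for .AspNetCore.Correlation.* should read samesite=lax (or samesite=none together with secure), and its expires value should lie a few minutes after the Date header. In the posted capture the correlation cookie expires on 17 Nov 2018 while the Date header says 28 Dec 2018; a browser discards a cookie whose expiry is already in the past by its own clock, which gives the same symptom as a SameSite problem and is worth ruling out by checking the system clock on the machine that fails.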