OIDC NonceCookie/CorrelationCookie not accepted by latest Chrome/Edge in some cases

[andi0b]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

I have a website that uses OpenID Connect with the Microsoft.IdentityModel.Protocols.OpenIdConnect library. It runs on HTTP behind an Azure App Serivice (reverse proxy), which communicates via the browser over HTTPS.

The OIDC middleware creates two cookies, .AspNetCore.OpenIdConnect.Nonce... and .AspNetCore.Correlation.... Because ASP.NET Core thinks it is running on HTTP (no Forwarded Headers Middleware), it doesn't set the Secure flag of the cookie. But it still declares it as SameSite=None which makes Chrome/Edge 107 ignore the Set-Cookie header. Which always causes a failed login. Current Firefox accepts the cookie.

Workaround:

builder.AddOpenIdConnect((OpenIdConnectOptions options) =>
{
    // your settings...
    options.NonceCookie.SecurePolicy = CookieSecurePolicy.Always;
    options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.Always;
});

Screenshot of the Edge dev tools. The exclamation mark shows a message like: This attempt to set a cookie via a Set-Cookie header was blicked because it had the "SameSite=None" attribute but did not have the "Secure" attribute, which is required in order to use "SameSite=None"

Expected Behavior

The default for the cookie builder should either be SameSite=Lax or SameSite=None, Secure=true. It anyway doesn't make a lot of sense to allow OIDC via an insecure HTTP connection.

aspnetcore/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectOptions.cs

Lines 68 to 76 in 0f51760

	_nonceCookieBuilder = new OpenIdConnectNonceCookieBuilder(this)
	{
	Name = OpenIdConnectDefaults.CookieNoncePrefix,
	HttpOnly = true,
	SameSite = SameSiteMode.None,
	SecurePolicy = CookieSecurePolicy.SameAsRequest,
	IsEssential = true,
	};
	}

Steps To Reproduce

No response

Exceptions (if any)

No response

.NET Version

7.0.100-rc.2.22477.23

Anything else?

asp.net core 7.0 rc2

[Tratcher]

Because ASP.NET Core thinks it is running on HTTP (no Forwarded Headers Middleware), it doesn't set the Secure flag of the cookie.

You need to get the request scheme set right (HTTPS) for several reasons, fixing only this issue likely won't fix your whole scenario. The main issue is that your redirect uri will also be HTTP and the IDP will likely reject that.

[andi0b]

True, but we're setting the redirect URL via a config parameter (for some other reasons).

I know this is an edge case. But in my opinion it doesn't make a lot of sense that the default configuration can issues cookies that are rejected by major browsers.

[Tratcher]

Are you interested in sending a PR to change SecurePolicy to CookieSecurePolicy.Always for all places where we use SameSite=None? It will mostly involve updating tests.

Thanks for contacting us.

We're moving this issue to the .NET 8 Planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue, during our next planning meeting(s).
If we later determine, that the issue has no community involvement, or it's very rare and low-impact issue, we will close it - so that the team can focus on more important and high impact issues.
To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

[singh733]

@Tratcher I have dig into the code and figure out that we are calling at SameSite = SameSiteMode.None at 2 places

a)

aspnetcore/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectOptions.cs

Lines 68 to 76 in 0f51760

	_nonceCookieBuilder = new OpenIdConnectNonceCookieBuilder(this)
	{
	Name = OpenIdConnectDefaults.CookieNoncePrefix,
	HttpOnly = true,
	SameSite = SameSiteMode.None,
	SecurePolicy = CookieSecurePolicy.SameAsRequest,
	IsEssential = true,
	};
	}

b)

aspnetcore/src/Security/Authentication/Core/src/RemoteAuthenticationOptions.cs

Lines 22 to 32 in 0f51760

	public RemoteAuthenticationOptions()
	{
	_correlationCookieBuilder = new CorrelationCookieBuilder(this)
	{
	Name = CorrelationPrefix,
	HttpOnly = true,
	SameSite = SameSiteMode.None,
	SecurePolicy = CookieSecurePolicy.SameAsRequest,
	IsEssential = true,
	};
	}

I will make the changes for SecurePolicy as below. Also I will fix the unit test which is failing. Please let me know if I miss anything.

public RemoteAuthenticationOptions()
    {
        _correlationCookieBuilder = new CorrelationCookieBuilder(this)
        {
            Name = CorrelationPrefix,
            HttpOnly = true,
            SameSite = SameSiteMode.None,
            SecurePolicy = CookieSecurePolicy.Always,
            IsEssential = true,
        };
    }

[Tratcher]

Sounds good.