asp.net cookies asp.net-core openid-connect setcookie

ASP.NET Core 1.1.2 OpenID Connect cookies not being created on redirect, Set-Cookie header is added


I am using ASP.NET core 1.1.2 with OpenIDConnect to connect to a Single Sign On server by IdentityServer. "Microsoft.AspNetCore.Authentication.OpenIdConnect": "1.1.2"

Right now I am having a weird issue, that didn't happen until yesterday.

The initial cookies that should be created before being redirected to the SSO server are not being created in browsers.

Using developer console on browsers, I can see the Set-Cookie header but cookies are not being stored.

   Content-Length: 0
   Date: Mon, 14 Jan 2019 18:50:10 GMT
   Location: http://mysso.com/connect/authorize?client_id=8111797110116117109&redirect_uri=http%3A%...ZD7cNnuWSmAoGyk2kERmR4hemQKsP2OKNbABYvybQCrdCMggrggDuY-5ZXnCTFf3oG11cR4Eh5N3Uarh99MD1nvJZrO4WsWDO73OQrEjh-zK3AceJzjfB2GH0gKKw-51SpcUWNgSTbQe517
   Server: Kestrel
   Set-Cookie: .AspNetCore.Correlation.oidc.I3lU6aE3BFH_4uuJ6KlgbpFl6Dij_WC-nyhlbUfvAPI=N; expires=Mon, 14 Jan 2019 18:07:24 GMT; path=/; httponly
   Set-Cookie: .AspNetCore.OpenIdConnect.Nonce.CfDJ8BWkCPQm5ElIof7iuryYpWDHYvyls6nYDr84XfQAIcLzg0ktLHIGOP7Tp_eqbvDOTdcQqnKIIogwMad9tWSy9v8BPnN8VUBucuz8qc9kv5Pkpe5aCg9oh6dgQD79a-w8Lc9haFm_tOEze1Wzna3XG7OzcGhw8kwyU5j3K_sK3Z7Y-u3cE_pey9DVbBzZkZStJXpoNjG_HWJHBjuqv7ADfCc91Oi83Ieuk7bBue8md1v2WqvSji3ziHkqyw9FKTV44Iw2Kg4o8Rf_3G-Q9ITNwr8=N; expires=Mon, 14 Jan 2019 18:07:24 GMT; path=/; httponly
   X-Powered-By: ASP.NET

I checked whether the cookies are expiring before creation, but they all have 10 minutes left before expiry.

This issue is happening on all major browsers (Edge, Chrome, Firefox), not just on my PC but on others too.

Configuration code

    app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
    {
        Authority = Configuration["SSOConfig:ServerUrl"],
        AuthenticationScheme = "oidc",
        SignInScheme = AuthenticationScheme.Cookies,
        // Allows the authority/metadata endpoint to be plain HTTP.
        RequireHttpsMetadata = false,
        ClientId = Configuration["SSOConfig:ClientId"],
        ClientSecret = Configuration["SSOConfig:ClientSecret"],
        ResponseType = "code id_token",
        Scope = { "openid", "offline_access" },
        SaveTokens = false,
        // (the post's snippet ends here; remaining options are not shown)
    });

I tried adding cookies manually, and it is working.

    HttpContextAccessor.HttpContext.Response.Cookies.Append("Test", "test");


Solution

  • It seems that somehow the cookies being set were already expired.

    I had to upgrade the system to .NET Core 2. The difference I found between the two was in the Set-Cookie header: path=/signin-oidc; secure

       Date: Tue, 15 Jan 2019 10:53:04 GMT
       Location: https://mysso.com/connect/authorize?client_id=8111797110243116117109&redirect_ur...
       Server: Kestrel
       Set-Cookie: .AspNetCore.Correlation.oidc.Iy3pTZ-akQm6BzLMCdBPLz1CAGTJ70QgQtjkY9Kvg1Y=N; expires=Tue, 15 Jan 2019 11:08:04 GMT; path=/signin-oidc; secure; httponly
       Set-Cookie: .AspNetCore.OpenIdConnect.Nonce.CfDJ8Oct5aw6xUJOnpJ_-0Ep-nSLfWIXgaEiH7y-0IN9tx61lNrxFhgAzLvLlBQfOfBBegyRJrEsIZFi00iuUt90cJ_bMQI_1XTVr0SiBCAJ9wqR2682VrYe2IbjIrFuB9d-Mmu-ztw-O2Htzd8Z36ndD8zPsgSCY_RD6JYVRe4MTfFBQbDZRxMQ3rgB_ulvSZmshD7vB4gvgcsbLyiY2wVuKzVGEKgJxgq23nxzkNKkL-vHm6w_41D_rZI5_V9hDsfrShFuTViZNttAes1fmA2jMTQ=N; expires=Tue, 15 Jan 2019 11:08:04 GMT; path=/signin-oidc; secure; httponly
       X-Powered-By: ASP.NET
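
An added example (not part of the original question or answer): a Python check over captured response headers that compares each Set-Cookie expires value with the response Date header and reports missing secure/httponly flags and an unscoped path=/. The sample headers are constructed from the two captures above with the cookie names shortened to placeholders, and audit_cookies is a hypothetical helper name. Browsers judge expiry against their own clock, so the Date comparison assumes client and server clocks roughly agree.

```python
from email.utils import parsedate_to_datetime

# Constructed samples shaped like the two responses on this page;
# cookie names are shortened to placeholders.
BEFORE = """\
Date: Mon, 14 Jan 2019 18:50:10 GMT
Set-Cookie: .AspNetCore.Correlation.oidc.PLACEHOLDER=N; expires=Mon, 14 Jan 2019 18:07:24 GMT; path=/; httponly
Set-Cookie: .AspNetCore.OpenIdConnect.Nonce.PLACEHOLDER=N; expires=Mon, 14 Jan 2019 18:07:24 GMT; path=/; httponly
"""
AFTER = """\
Date: Tue, 15 Jan 2019 10:53:04 GMT
Set-Cookie: .AspNetCore.Correlation.oidc.PLACEHOLDER=N; expires=Tue, 15 Jan 2019 11:08:04 GMT; path=/signin-oidc; secure; httponly
"""

def audit_cookies(raw_headers):
    """Return [(cookie_name, [findings])] for every Set-Cookie header."""
    date, cookies = None, []
    for line in raw_headers.splitlines():
        name, _, value = line.strip().partition(":")
        if name.lower() == "date":
            date = parsedate_to_datetime(value.strip())
        elif name.lower() == "set-cookie":
            cookies.append(value.strip())
    results = []
    for cookie in cookies:
        pair, *attrs = [p.strip() for p in cookie.split(";")]
        attr = {}
        for a in attrs:
            k, _, v = a.partition("=")
            attr[k.strip().lower()] = v.strip()
        findings = []
        if date and "expires" in attr:
            delta = (parsedate_to_datetime(attr["expires"]) - date).total_seconds()
            if delta <= 0:
                # Already in the past relative to the server's own clock.
                findings.append(f"expires {int(-delta)}s before response Date")
        for flag in ("secure", "httponly"):
            if flag not in attr:
                findings.append(f"missing {flag}")
        if attr.get("path", "/") == "/":
            findings.append("path=/ (not scoped to the sign-in callback)")
        results.append((pair.split("=", 1)[0], findings))
    return results
```

Running audit_cookies over BEFORE reports both cookies as expiring before the response Date and lacking secure, while AFTER returns no findings.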