I'm running my ASP.NET Core application locally on http://localhost:5002 and for some reasons I don't want to use HTTPS. It uses OpenIdConnect middleware for authentication and it produces a temporary cookie as shown below:
As a result Chrome blocks these cookies because of the missing secure flag. On the other hand, this request is HTTP (insecure) and it's impossible to mark the cookies secure. The only way I see is to avoid using HTTP and switch to HTTPS, which is not a good option for me for local development. Can I still use HTTP + OpenIdConnect middleware + Chrome, and what is a workaround?
Perhaps this could shed some light: LINK.
From the article:
Chrome is changing the default behavior for how cookies will be sent in first and third party contexts. Cookies that do not specify a SameSite attribute will be treated as if they specified SameSite=Lax, i.e. they will be restricted to first-party or same-site contexts by default. Cookies that are intended for third-party or cross-site contexts must specify SameSite=None and Secure. Note: this also means cross-site or third-party cookies are restricted to secure / HTTPS connections only.
Since, I am guessing, your auth server is served from another domain, it's a third-party cookie, so it falls under the new Chrome (>= v80) policies.
The workaround here would be either to downgrade your Chrome version or to use a browser without these restrictions.
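
The rules in the quoted passage, together with the question's point that a cookie cannot be marked Secure over plain HTTP, can be checked against a given `Set-Cookie` header with a small model. This is an added example, not code from the question, the answer or Chrome; the function names, the cookie name `oidc_nonce` and the header values are constructed for illustration.

```javascript
// Added example: simplified model of the cookie rules quoted above (Chrome >= 80).
// Not modelled: Lax's allowance for top-level GET navigations, and any
// browser-specific treatment of http://localhost.

// Split a Set-Cookie header value into the cookie name and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const attrs = {};
  for (const part of rest.filter(Boolean)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? '' : part.slice(i + 1).trim();
  }
  const eq = pair.indexOf('=');
  return { name: eq === -1 ? pair : pair.slice(0, eq), attrs };
}

// overHttps: true when the response carrying the header arrived over HTTPS.
function evaluateCookie(header, overHttps) {
  const { name, attrs } = parseSetCookie(header);
  const secure = 'secure' in attrs;
  const raw = (attrs.samesite || '').toLowerCase();
  // A missing or unrecognised SameSite value is treated as Lax.
  const sameSite = ['strict', 'lax', 'none'].includes(raw) ? raw : 'lax';
  const reject = (reason) => ({ name, stored: false, crossSite: false, sameSite, reason });
  if (secure && !overHttps) return reject('Secure cookie set over plain HTTP');
  if (sameSite === 'none' && !secure) return reject('SameSite=None without Secure');
  // Stored; only SameSite=None (which implies Secure here) reaches cross-site contexts.
  return { name, stored: true, crossSite: sameSite === 'none', sameSite, reason: 'accepted' };
}

// Constructed sample headers (the name and value are made up for this example).
const samples = [
  ['oidc_nonce=N1; Path=/; HttpOnly; SameSite=None', false],
  ['oidc_nonce=N1; Path=/; HttpOnly; SameSite=None; Secure', false],
  ['oidc_nonce=N1; Path=/; HttpOnly; SameSite=None; Secure', true],
  ['oidc_nonce=N1; Path=/; HttpOnly', false],
];
for (const [header, overHttps] of samples) {
  const r = evaluateCookie(header, overHttps);
  console.log(`${overHttps ? 'https' : 'http '} | ${header} -> ${JSON.stringify(r)}`);
}
```

The first two rows are the situation in the question: over plain HTTP, neither form of a SameSite=None cookie is stored, while the last row is stored but confined to same-site contexts.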