I'm working on an application that uses IdentityServer 4 and .NET 5. I created the project based on the 'with React.js' with Individual Authentication template.
Everything works correctly when I run the application locally. If I run it through Docker, however, when I attempt to log in something silently fails and redirects me back to the login screen.
My only guess is that something with the authentication cookies is messed up, as I'm seeing these messages when the login/redirect happens:
    warn: Microsoft.AspNetCore.Http.ResponseCookies[1]
          The cookie 'Identity.External' has set 'SameSite=None' and must also set 'Secure'.
    warn: Microsoft.AspNetCore.Http.ResponseCookies[1]
          The cookie 'idsrv.session' has set 'SameSite=None' and must also set 'Secure'.
    warn: Microsoft.AspNetCore.Http.ResponseCookies[1]
          The cookie '.AspNetCore.Identity.Application' has set 'SameSite=None' and must also set 'Secure'.
I've attempted to change the cookie's SecurePolicy to CookieSecurePolicy.Always:
    services.AddAuthentication()
        .AddIdentityServerJwt()
        .AddCookie(options =>
        {
            options.CookieManager = new ChunkingCookieManager();
            options.Cookie.HttpOnly = true;
            options.Cookie.SameSite = SameSiteMode.None;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });
But it didn't have any effect. Any idea as to why this issue is happening?
Thanks
Try to use it like in Skoruba's Identity Server.
It works well for me.
    services.Configure<CookiePolicyOptions>(options =>
    {
        options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
        options.Secure = CookieSecurePolicy.SameAsRequest;
        options.OnAppendCookie = cookieContext =>
            AuthenticationHelpers.CheckSameSite(cookieContext.Context, cookieContext.CookieOptions);
        options.OnDeleteCookie = cookieContext =>
            AuthenticationHelpers.CheckSameSite(cookieContext.Context, cookieContext.CookieOptions);
    });
    using Microsoft.AspNetCore.Http;

    public static class AuthenticationHelpers
    {
        // Downgrades SameSite=None to Unspecified when the cookie cannot keep that value.
        public static void CheckSameSite(HttpContext httpContext, CookieOptions options)
        {
            // Only cookies that ask for SameSite=None need adjusting.
            if (options.SameSite != SameSiteMode.None)
                return;
            string userAgent = httpContext.Request.Headers["User-Agent"].ToString();
            // Keep SameSite=None only over HTTPS and for a user agent that accepts it.
            if (httpContext.Request.IsHttps && !DisallowsSameSiteNone(userAgent))
                return;
            options.SameSite = SameSiteMode.Unspecified;
        }
        // User-agent substrings for which SameSite=None is not emitted.
        public static bool DisallowsSameSiteNone(string userAgent) =>
            userAgent.Contains("CPU iPhone OS 12") ||
            userAgent.Contains("iPad; CPU OS 12") ||
            (userAgent.Contains("Macintosh; Intel Mac OS X 10_14") &&
             userAgent.Contains("Version/") && userAgent.Contains("Safari")) ||
            userAgent.Contains("Chrome/5") ||
            userAgent.Contains("Chrome/6");
    }
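A way to check the outcome of either configuration, added here as an example that is not part of the question or the answer: the script parses `Set-Cookie` header values and reports cookies that carry `SameSite=None` without `Secure`, the combination the warnings in the question describe. The header values are constructed samples that reuse the cookie names from the log output, and `parse_set_cookie` and `audit_set_cookie` are hypothetical helper names.

```python
"""Flag Set-Cookie headers that pair SameSite=None with a missing Secure attribute."""


def parse_set_cookie(header_value):
    """Return (cookie_name, {lowercased_attribute: value}) for one Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_set_cookie(header_values):
    """Return the names of cookies that set SameSite=None without Secure."""
    flagged = []
    for value in header_values:
        name, attrs = parse_set_cookie(value)
        same_site = attrs.get("samesite", "").lower()
        if same_site == "none" and "secure" not in attrs:
            flagged.append(name)
    return flagged


# Constructed sample headers (cookie names taken from the warnings in the question).
SAMPLE_HEADERS = [
    # Plain-HTTP response with SameSite=None: the case the warning reports.
    "idsrv.session=abc123; path=/; samesite=none",
    ".AspNetCore.Identity.Application=xyz; path=/; samesite=none; httponly",
    # HTTPS response: SameSite=None together with Secure.
    "Identity.External=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; secure; samesite=none; httponly",
    # No SameSite attribute at all (what SameSiteMode.Unspecified produces).
    "idsrv.session=abc123; path=/",
]

if __name__ == "__main__":
    for cookie_name in audit_set_cookie(SAMPLE_HEADERS):
        print(f"{cookie_name}: SameSite=None without Secure")
```

Feed it the `Set-Cookie` values captured from the login response of the containerised app; an empty result means no cookie is sent with the rejected combination.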