Tags: c#, .net, openid-connect, duende-identity-server

Duende Software Backend for Frontend cookie not found on Firefox


I use Duende Software and the Backend for Frontend pattern.

All is well locally with Edge / Chrome / Firefox.

When I deploy my solution to my server, all is well on Edge / Chrome, but on Firefox (111.0 (64 bits)) I get this exception:

System.Exception: An error was encountered while handling the remote login.
 ---> System.Exception: Correlation failed.
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)

In the logs, I see it's because I have no cookie:

.AspNetCore.Correlation.1GVEGnaW7Z81J1EaVhD_zICu3gQNfSktAd9fhpH1tfg' cookie not found.

The cookie seems to disappear on Firefox.

Here is my Program.cs code from my client solution (in fact it's based on the "JS with backend" sample from the Duende Software GitHub Quickstarts):

using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using Duende.Bff.Yarp;
using JavaScriptClient;
using Microsoft.AspNetCore.Authorization;
using Serilog;

var builder = WebApplication.CreateBuilder(args);

JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
builder.Services.AddAuthorization();

builder.Services
    .AddBff()
    .AddRemoteApis();

builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = "Cookies";
        options.DefaultChallengeScheme = "oidc";
        options.DefaultSignOutScheme = "oidc";
    })
    .AddCookie("Cookies")
    .AddOpenIdConnect("oidc", options =>
    {
        options.Authority = "https://myIdentityProvider.com";
        options.ClientId = "MyCliendId";
        options.ClientSecret = "MySecret";
        options.ResponseType = "code";
        options.ResponseMode = "query";
        options.Scope.Add("MyScope");
    });

var app = builder.Build();
if (app.Environment.IsDevelopment())
{
    app.UseDeveloperExceptionPage();
}

app.UseDefaultFiles();
app.UseStaticFiles();

app.UseRouting();
app.UseAuthentication();

app.UseBff();

app.UseAuthorization();

app.UseEndpoints(endpoints =>
{
    endpoints.MapBffManagementEndpoints();

    // Uncomment this for Controller support
    //endpoints.MapControllers()
    //    .AsBffApiEndpoint();
    //

    endpoints.MapGet("/local/identity", LocalIdentityHandler)
        .AsBffApiEndpoint();

    endpoints.MapRemoteBffApiEndpoint("/remote", "https://localhost:6001")
        .RequireAccessToken(Duende.Bff.TokenType.User);
});

app.Run();

[Authorize]
static IResult LocalIdentityHandler(ClaimsPrincipal user, HttpContext context)
{
    var name = user.FindFirst("name")?.Value ?? user.FindFirst("sub")?.Value;
    return Results.Json(new { message = "Local API Success!", user = name });
}

Firefox Developer Tools when redirecting to the client:

An example of the URL : https://dev-XXXXXX/signin-oidc?code=88DC10688209D96A964BEC3C5C0E935B375F44E6D6311EC6D04ACFF47C4091CC-1&scope=openid%20profile%20MyScope&state=CfDJ8ESufyjmGeFBgfz5grcuHwKuuygHk3CR2e9tfyvMv_nl8txvzjV1JKDobk3vHAQvheQcvM4luZc4h8gEkWjt-w-EsSBn1AE6fXj3JNtUUY2jwTdLIgexUTdqpIOqGHmQGpr5sHrJC4t_86Af2SFDKqy1sqUPj3Z60VWHS4VLsz0T86TfgSChhyDPZND4XPJ-gCq5oPAeLfzUP37He9atgsdUGCYWuPjLSiWCOfthmIPvwWL4JWzFb_kmfnQRO9aZbjWAEA7m6pFDAZedJbIfLaRmEN09Ukjs9H6RkzSbw8_KGQ9rOpOo2A0LRX5ErN517Ktj8y5QTChXHi2ckwZcUqfs8IGjN_txOq3oZyLCg8kXAFRXGdNEfdEksvR9UQbYGbO3xvZKLuDYFgJwXvwF9bs&session_state=R1sXE2TDTqckzL1VNU9SOkPPUP-U2uJf4amKEWQPTQE.A8F7AA6340E886AC794E6C8011425C18&iss=https%3A%2F%2FmyIdentityProvider.com%3A820

EDIT: Actually, my server time was 2 hours behind, so the cookie was already expired; it didn't bother Edge or Chrome, but Firefox removed the cookie.


Solution

  • You need to use HTTPS, because otherwise important cookies will be blocked due to the SameSite attribute we set on cookies nowadays.

    In Firefox, to see why Cookies are rejected:

    1. Open the Browser Developer Tools (F12)
    2. Select the Console tab, and in the console, you should see the reasoning why the cookies were rejected


    To complement this answer, I wrote a blog post that goes into more detail about this topic: Debugging cookie problems
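As an added example (not the poster's code and not Duende's quickstart), here is the client's authentication setup with the two causes from this thread made explicit: the correlation cookie is forced to Secure so the HTTPS requirement from the answer is a hard rule rather than a silent failure, forwarded headers are honoured so a reverse proxy in front of the deployed server does not make the app see plain HTTP, and a remote-failure handler logs the server's own UTC time next to the error so clock skew like the 2 hours in the EDIT is visible in the logs. The proxy address is a placeholder, and the BFF and endpoint wiring from the question is unchanged and omitted.

```csharp
using Microsoft.AspNetCore.HttpOverrides;
var builder = WebApplication.CreateBuilder(args);

// Behind a reverse proxy the app may see plain HTTP although the browser used HTTPS;
// honouring X-Forwarded-Proto keeps the cookies' Secure flag consistent. Trust only
// the known proxy (placeholder address, replace it with your own).
builder.Services.Configure<ForwardedHeadersOptions>(o =>
{
    o.ForwardedHeaders = ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedFor;
    o.KnownNetworks.Clear(); o.KnownProxies.Clear();
    o.KnownProxies.Add(System.Net.IPAddress.Parse("10.0.0.1")); // placeholder
});

builder.Services
    .AddAuthentication(o => { o.DefaultScheme = "Cookies"; o.DefaultChallengeScheme = "oidc"; o.DefaultSignOutScheme = "oidc"; })
    .AddCookie("Cookies")
    .AddOpenIdConnect("oidc", options =>
    {
        options.Authority = "https://myIdentityProvider.com"; // values from the question
        options.ClientId = "MyCliendId";
        options.ClientSecret = "MySecret";
        options.ResponseType = "code";
        options.ResponseMode = "query";
        options.Scope.Add("MyScope");

        // The correlation cookie is the one 'Correlation failed' could not find. It is
        // SameSite=None by default, which browsers accept only together with Secure;
        // the default SecurePolicy (SameAsRequest) omits Secure on HTTP, so force it.
        options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.Always;
        options.NonceCookie.SecurePolicy = CookieSecurePolicy.Always;

        // Expires = server clock + this window: a clock hours behind issues the cookie
        // already expired, and Firefox discards it immediately.
        options.RemoteAuthenticationTimeout = TimeSpan.FromMinutes(15);

        options.Events.OnRemoteFailure = ctx =>
        {
            // Log the server's own UTC time next to the error so clock skew is visible.
            ctx.HttpContext.RequestServices.GetRequiredService<ILogger<Program>>()
               .LogError(ctx.Failure, "Remote login failed; server UTC now {Utc}", DateTimeOffset.UtcNow);
            return Task.CompletedTask;
        };
    });

var app = builder.Build();
app.UseForwardedHeaders(); // before anything that inspects the request scheme
app.UseHttpsRedirection();
```

Compare the logged server time with the Expires of the .AspNetCore.Correlation.* cookie shown in the Firefox console to confirm whether the clock, rather than the scheme, is what killed the cookie.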