Why is identity null when using .net core 2 AuthorizationHandler in iframe

Question

I have the following AuthorizationRequirement and AuthorizationHandler that is registered with DI and is working just fine. However, when an action with [Authorize(Policy = "ConfirmedEmail")] is called within an iframe (same origin), context.User.Identity.Name is allways NULL and therefore so is user . Does anyone have any idea why this is, and more importantly how to fix it?

When the exact same action is called directly (outside an iframe), context.User.Identity.Name is correct and the user lookup succeeds.

public class ConfirmedEmailRequirement : IAuthorizationRequirement { }

    public class ConfirmedEmailHandler : AuthorizationHandler<ConfirmedEmailRequirement>
    {
        private readonly UserManager<User> _userManager;

        public ConfirmedEmailHandler(UserManager<User> userManager)
        {
            _userManager = userManager;
        }

        protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, ConfirmedEmailRequirement requirement)
        {
            var user = await _userManager.GetUserAsync(context.User);
            if (user?.EmailConfirmed == true)
            {
                context.Succeed(requirement);
            }
            else
            {
                context.Fail();
            }
        }
    }

UPDATE : I have noticed that although both iframe and non iframe request have the same session cookie, the non iframe request includes a Core.Identity.Application cookie, the iframe request does not. I don't know the significance of this or what is causing it.

Answer 1

I finally managed to get identity to work within an iframe using the following:

services.ConfigureApplicationCookie(options => {
    options.Cookie.Name = "MyAuthCookie";
    options.Cookie.SameSite = SameSiteMode.None; //<THIS!!!
});

Hope this saves someone a lot of head scratching some day.