
OWIN 4.1, Azure AD openID chrome issue

I am having an issue where I am using OWIN and recently updated to 4.1 of the middleware. I decided to upgrade to the later version because of the redirection loop.

All worked fine on our test environment in all browsers.

I then deployed to production and got errors in Chrome on return from https://login.microsoft.com: IDX21323: RequireNonce is '[PII is hidden]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.

I also noticed in the Chrome console the below message: Cross-Origin Read Blocking (CORB) blocked cross-origin response https://login.microsoftonline.com/common... .

When in Chrome I go to chrome://flags and disable "Cookies without SameSite must be secure", all works fine.

In my production setup I have an Azure Application Gateway sitting in front of the IIS box. At the application gateway it is currently offloading the SSL and dropping back to HTTP, as it is a private network thereafter. Is this likely to be the issue? Obviously I can configure it to take SSL all the way through, but I'm not sure that would fix the issue.

Any suggestions would be gratefully received. I am running WebForms on .NET Framework 4.7.2.

I am tearing my hair out, as it works in all other browsers and works on Chrome in our test environment, so I was thinking the only thing it could be is the SSL being offloaded at the gateway. But that being said, I would have thought that would have caused an issue in Firefox/Edge, which it doesn't. And to be honest, as far as Chrome is concerned it is all over HTTPS.

OWIN setup looks like below, but I have also tried a heap of different things.

    // Startup.Auth.cs; the usings and the class/method wrapper are implied by the snippet.
    using Microsoft.IdentityModel.Protocols.OpenIdConnect;
    using Microsoft.IdentityModel.Tokens;
    using Microsoft.Owin;
    using Microsoft.Owin.Host.SystemWeb;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.OpenIdConnect;
    using Owin;

    public partial class Startup
    {
        public void ConfigureAuth(IAppBuilder app)
        {
            app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);

            // Application session cookie: SameSite=None, written through the
            // SameSite-aware manager that wraps the System.Web cookie manager.
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                CookieSameSite = SameSiteMode.None,
                CookieManager = new SameSiteCookieManager(new SystemWebCookieManager())
            });

            // Azure AD sign-in via OpenID Connect, implicit flow returning only an id_token.
            app.UseOpenIdConnectAuthentication(
                new OpenIdConnectAuthenticationOptions
                {
                    ClientId = azureClientId,
                    Authority = azureAuthority,
                    RedirectUri = azureRedirectUrl,
                    PostLogoutRedirectUri = azurePostLogoutUrl,
                    Scope = OpenIdConnectScope.OpenIdProfile,
                    ResponseType = OpenIdConnectResponseType.IdToken,
                    TokenValidationParameters = new TokenValidationParameters()
                    {
                        ValidateIssuer = true,
                        IssuerValidator = ValidateIssuerWithPlaceholder
                    },
                    Notifications = new OpenIdConnectAuthenticationNotifications
                    {
                        AuthenticationFailed = OnAuthenticationFailed
                    }
                }
            );
        }
    }

That behavior is caused by the new SameSite cookie policy, which restricts browsers from sending cookies. In your case the nonce cookie is stripped from the Azure request when redirecting to your site. You can avoid that by applying the None value for the SameSite cookie attribute and adding the Secure attribute for newer browsers that support the new SameSite changes, or leaving SameSite empty for older browsers. Here is a detailed article on how you can implement it on .NET Core and .NET Framework with OWIN:

Upcoming SameSite Cookie Changes in ASP.NET and ASP.NET Core
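As an added example (not the questioner's code and not the linked article's), here is the fix the answer describes applied to the OWIN 4.1 setup from the question: a cookie manager that sends SameSite=None together with Secure to browsers that accept it and omits the attribute for the older clients that misread None, plus a small middleware that restores the HTTPS scheme from the gateway's X-Forwarded-Proto header. The header name, the assumption that only the Application Gateway can reach IIS on the private network (otherwise the header could be spoofed), and the placeholder values are mine, not from the page. The nonce cookie is the one that matters for IDX21323: the OpenID Connect middleware takes its Secure flag from whether the incoming request was HTTPS, and behind a TLS-offloading gateway that request is plain HTTP, so Chrome sees SameSite=None without Secure and drops the cookie.

```csharp
// Added example; not code from the question or the linked article.
// .NET Framework 4.7.2, Microsoft.Owin 4.1, behind an Azure Application Gateway that offloads TLS.
// Assumptions: the gateway sets X-Forwarded-Proto, and nothing but the gateway can reach IIS.
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Host.SystemWeb;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Wraps another ICookieManager and rewrites SameSite per user agent on every write.
public class SameSiteCookieManager : ICookieManager
{
    private readonly ICookieManager _inner;

    public SameSiteCookieManager(ICookieManager inner) { _inner = inner; }

    public string GetRequestCookie(IOwinContext ctx, string key) => _inner.GetRequestCookie(ctx, key);

    public void AppendResponseCookie(IOwinContext ctx, string key, string value, CookieOptions options)
    {
        AdjustSameSite(ctx, options);
        _inner.AppendResponseCookie(ctx, key, value, options);
    }

    public void DeleteCookie(IOwinContext ctx, string key, CookieOptions options)
    {
        AdjustSameSite(ctx, options);
        _inner.DeleteCookie(ctx, key, options);
    }

    private static void AdjustSameSite(IOwinContext ctx, CookieOptions options)
    {
        if (options.SameSite != SameSiteMode.None) return;
        var userAgent = ctx.Request.Headers["User-Agent"] ?? string.Empty;
        if (DisallowsSameSiteNone(userAgent))
        {
            options.SameSite = null;   // these clients treat None as Strict; omit the attribute
        }
        else
        {
            options.Secure = true;     // Chrome 80+ discards SameSite=None cookies that lack Secure
        }
    }

    // Client list from Microsoft's SameSite guidance: iOS 12, Safari on macOS 10.14, Chrome 50-69.
    public static bool DisallowsSameSiteNone(string userAgent)
    {
        if (userAgent.Contains("CPU iPhone OS 12") || userAgent.Contains("iPad; CPU OS 12")) return true;
        if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14")
            && userAgent.Contains("Version/") && userAgent.Contains("Safari")) return true;
        if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6")) return true;
        return false;
    }
}

public partial class Startup
{
    // Placeholders standing in for the question's values; read them from configuration in practice.
    private static readonly string azureClientId = "<client-id>";
    private static readonly string azureAuthority = "https://login.microsoftonline.com/<tenant-id>/v2.0";
    private static readonly string azureRedirectUrl = "https://app.example.com/";
    private static readonly string azurePostLogoutUrl = "https://app.example.com/";

    public void ConfigureAuth(IAppBuilder app)
    {
        // Restore the scheme the browser used so Request.IsSecure is true behind TLS offload.
        // Safe only because the gateway is the sole client of this listener (assumption).
        app.Use(async (ctx, next) =>
        {
            var proto = ctx.Request.Headers["X-Forwarded-Proto"];
            if (string.Equals(proto, "https", StringComparison.OrdinalIgnoreCase))
            {
                ctx.Request.Scheme = "https";
            }
            await next();
        });

        var cookieManager = new SameSiteCookieManager(new SystemWebCookieManager());

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            CookieSameSite = SameSiteMode.None,
            CookieSecure = CookieSecureOption.Always, // do not derive Secure from the request scheme
            CookieManager = cookieManager
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = azureClientId,
            Authority = azureAuthority,
            RedirectUri = azureRedirectUrl,
            PostLogoutRedirectUri = azurePostLogoutUrl,
            Scope = OpenIdConnectScope.OpenIdProfile,
            ResponseType = OpenIdConnectResponseType.IdToken,
            // Route the nonce and correlation cookies through the same manager so they are
            // also sent as SameSite=None; Secure and survive the POST back from Azure AD.
            CookieManager = cookieManager,
            TokenValidationParameters = new TokenValidationParameters { ValidateIssuer = true }
        });
    }
}
```

To confirm the fix, watch the Set-Cookie headers in Chrome DevTools on the first redirect to login.microsoftonline.com: the OpenIdConnect.nonce.* cookie must carry both SameSite=None and Secure, and it must appear in the request cookies of the POST back to the redirect URI. Carrying TLS all the way to IIS would also make Request.IsSecure true, but forcing Secure in the cookie manager makes the behaviour independent of where TLS terminates.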
