What could cause a correlation cookie to not be returned on specific devices
We have some users who cannot connect to our platform via Google. When this happens, it's always for a specific device, but with the information we have so far, it's not all the same device kind (to be confirmed).

We're using ASP.NET Core (and Identity Server 4).

The error on our side is that upon returning from the oauth flow, the correlation cookie set by ASP.NET identity is gone. We have verified that it's well set at the beginning, and is valid. It's not an issue about data protection (we do have this in place). We can reproduce on two iPads with iOS 12, no matter which account we try to connect with. All those accounts can connect on other devices, including iPads with iOS 13.

So we're trying to isolate what could make those specific devices fail. Also, it seems this only started to happen recently, and we can't identify what change could have triggered this on our side.

Update 1

Updating an iPad from iOS 12 to iOS 13 solves the issue.

Mosesmosey answered 12/12, 2019 at 18:5 Comment(1)
What does the client code look like? Is it JavaScript from a webpage that you open using the iPad's browser? If so, what browser is being used? Jupiter
On 2019/11/19, .NET Core v2.2.8 was released. This version includes this change, which mentions in the patch notes:

Risk: Medium. The SameSite changes are known to be incompatible with older OSs and browsers, especially iOS 12 and OSX Mojave (latest - 1). These represent a small but influential portion of the web client user base. Updating to the latest OS version addresses the incompatibility.

Since our Docker images are based on mcr.microsoft.com/dotnet/core/aspnet:2.2, an irrelevant update which happened on Dec. 3rd pushed that update to our servers.

This blog post explains the situation in more detail, but in short:

  • Chrome v80 will start defaulting to Lax when a set-cookie does not specify a SameSite value, instead of defaulting to None
  • When setting a cookie's SameSite=None, ASP.NET Core was not sending the SameSite value in set-cookie, assuming that browsers default to None
  • Starting with v2.2.8, ASP.NET Core always sends SameSite=None
  • Safari on iOS 12 and macOS 10.14 Mojave treats SameSite=None as SameSite=Strict (see this WebKit bug for details)
  • Therefore, our correlation cookie is treated as Strict on those OSes, which means that it is not sent back as intended.

Though we could revert to 2.2.7, the upcoming Chrome update (80) would stop working. Fortunately, this article clearly states the proper course of action: we need to implement user agent sniffing and not send the SameSite=None to user agents which do not support it. This comment mentions suggested user agents to filter, which looks good.

Mosesmosey answered 13/12, 2019 at 15:49 Comment(0)
Maybe you can use this code in AddOpenIdConnect("").

If you use .NET Core > 2.*:

    // -1 is the value later named SameSiteMode.Unspecified; it makes the
    // handler omit the SameSite attribute from the cookie entirely.
    options.NonceCookie.SameSite = (SameSiteMode)(-1);
    options.CorrelationCookie.SameSite = (SameSiteMode)(-1);

If you use .NET > 3.*:

    // Unspecified omits the SameSite attribute, so the browser applies its own default.
    options.NonceCookie.SameSite = SameSiteMode.Unspecified;
    options.CorrelationCookie.SameSite = SameSiteMode.Unspecified;

Pleione answered 13/3, 2020 at 10:1 Comment(0)
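The two answers above describe two pieces of the same fix: the accepted answer says to keep SameSite=None for the OIDC correlation and nonce cookies (Chrome 80 needs it) but to strip it for user agents that mistreat it, and the second answer shows SameSiteMode.Unspecified as the way to omit the attribute. The following ASP.NET Core 3.x Startup fragment is an added example combining both; it is not code from either answer, from the question author's project, or from Identity Server 4. The user-agent patterns are the commonly cited ones for iOS 12, macOS 10.14 Safari and Chromium 51 to 66 and are an assumption to verify against your own traffic; the scheme name "Google", the Authority and ClientId values are hypothetical placeholders.

```csharp
// Added example: SameSite=None compatibility shim for the OIDC correlation
// and nonce cookies. Not from the original answers; assumes ASP.NET Core 3.x
// with the Microsoft.AspNetCore.Authentication.OpenIdConnect package.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class SameSiteCompat
{
    // True for user agents that reject SameSite=None or treat it as Strict.
    // Patterns are an assumption taken from widely published guidance; they
    // are a starting point, not an exhaustive list.
    public static bool DisallowsSameSiteNone(string userAgent)
    {
        if (string.IsNullOrEmpty(userAgent))
            return false;

        // iOS 12 Safari and WebViews: SameSite=None is treated as Strict,
        // which is exactly the failure described in the question.
        if (userAgent.Contains("CPU iPhone OS 12") ||
            userAgent.Contains("iPad; CPU OS 12"))
            return true;

        // macOS 10.14 Mojave Safari (Chrome on Mojave has a different UA
        // and handles None correctly, hence the "Version/" + "Safari" check).
        if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14") &&
            userAgent.Contains("Version/") &&
            userAgent.Contains("Safari"))
            return true;

        // Chromium 51 to 66 rejected cookies carrying SameSite=None outright.
        if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
            return true;

        return false;
    }

    // Invoked for every cookie the app appends or deletes. Cookies that ask
    // for SameSite=None get the attribute omitted (Unspecified) when the
    // requesting user agent cannot handle None.
    public static void CheckSameSite(HttpContext httpContext, CookieOptions options)
    {
        if (options.SameSite != SameSiteMode.None)
            return;

        var userAgent = httpContext.Request.Headers["User-Agent"].ToString();
        if (DisallowsSameSiteNone(userAgent))
            options.SameSite = SameSiteMode.Unspecified;
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            // Do not let the cookie policy raise cookies to Lax/Strict itself;
            // the callbacks below decide per request.
            options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
            options.OnAppendCookie = ctx =>
                SameSiteCompat.CheckSameSite(ctx.Context, ctx.CookieOptions);
            options.OnDeleteCookie = ctx =>
                SameSiteCompat.CheckSameSite(ctx.Context, ctx.CookieOptions);
        });

        services.AddAuthentication()
            .AddOpenIdConnect("Google", options =>   // scheme name is hypothetical
            {
                options.Authority = "https://accounts.google.com";  // placeholder
                options.ClientId = "<client-id>";                   // placeholder
                options.ClientSecret = "<client-secret>";           // placeholder

                // The return leg from the identity provider is a cross-site
                // request, so these cookies need SameSite=None (and Secure)
                // for Chrome 80+. The cookie policy above removes the
                // attribute again for user agents that cannot handle it.
                options.CorrelationCookie.SameSite = SameSiteMode.None;
                options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.Always;
                options.NonceCookie.SameSite = SameSiteMode.None;
                options.NonceCookie.SecurePolicy = CookieSecurePolicy.Always;
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        // UseCookiePolicy must run before UseAuthentication so the callbacks
        // see the correlation and nonce cookies being written.
        app.UseCookiePolicy();
        app.UseAuthentication();
        app.UseAuthorization();
    }
}
```

On .NET Core 2.2.8 the same approach works with (SameSiteMode)(-1) in place of SameSiteMode.Unspecified, as the second answer shows. When verifying the fix, check the Set-Cookie response headers on the redirect to the identity provider from an affected device: the correlation cookie should carry no SameSite attribute there, while a current Chrome request should still see SameSite=None; Secure.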