aspnet-contrib / AspNet.Security.OAuth.Providers

OAuth 2.0 social authentication providers for ASP.NET Core
Apache License 2.0

Correlation failed. Unknown location in Strava library #483

Closed irwinwilliams closed 3 years ago

irwinwilliams commented 4 years ago

Describe the bug: Attempting to authenticate with Strava. I'm using this code:

// Configure in Startup.cs
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }

    // Required to serve files with no extension in the .well-known folder
    var options = new StaticFileOptions()
    {
        ServeUnknownFileTypes = true,
    };

    // Authentication must run before authorization and before the endpoints
    app.UseDefaultFiles()
        .UseStaticFiles(options)
        .UseWebSockets()
        .UseRouting()
        .UseAuthentication()
        .UseAuthorization()
        .UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
            endpoints.MapDefaultControllerRoute();
        });
}

And this code in ConfigureServices:

services.AddAuthentication(options =>
    {
        // If an authentication cookie is present, use it to get authentication information
        options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;

        // If authentication is required and no cookie is present, challenge with Strava (configured below)
        options.DefaultChallengeScheme = "Strava";
    })
    .AddCookie() // cookie authentication handler first; the remote handler signs in to it
    .AddStrava("Strava", options =>
    {
        // Client credentials come from configuration, never from source
        options.ClientId = Configuration.GetValue<string>("Strava:ClientId");
        options.ClientSecret = Configuration.GetValue<string>("Strava:ClientSecret");
        options.Scope.Add("activity:write");
        options.Scope.Add("activity:read");
        options.Scope.Add("read");
    });

When I attempt to access my route that needs authorization, it yields this error:

An unhandled exception occurred while processing the request. Exception: Correlation failed. Unknown location

Exception: An error was encountered while handling the remote login. Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler.HandleRequestAsync()

Steps to reproduce: Attempting to access a route that has the [Authorize] attribute on it.

Expected behaviour: Authentication prompt from Strava.

Actual behavior: Produced the error listed below:

An unhandled exception occurred while processing the request. Exception: Correlation failed. Unknown location

Exception: An error was encountered while handling the remote login. Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler.HandleRequestAsync()

System information:

.NET Core SDK (reflecting any global.json):
  Version: 3.1.302
  Commit: 41faccf259

Runtime Environment:
  OS Name: Windows
  OS Version: 10.0.14393
  OS Platform: Windows
  RID: win10-x86
  Base Path: D:\Program Files (x86)\dotnet\sdk\3.1.302\

Host (useful for support):
  Version: 3.1.8
  Commit: 9c1330dedd

irwinwilliams commented 4 years ago

Still investigating, but I realized that, given Strava's use of OAuthHandler, it might make sense to look into the exception based on .NET Core's implementation. I found this link, https://docs.microsoft.com/en-us/dotnet/core/compatibility/aspnetcore, that describes some breaking changes related to SameSite cookies:

New behavior: Google proposed a new draft standard that isn't backwards compatible. The standard changes the default mode to Lax and adds a new entry None to opt out. Lax suffices for most app cookies; however, it breaks cross-site scenarios like OpenID Connect and WS-Federation login. Most OAuth logins aren't affected because of differences in how the request flows. The new None parameter causes compatibility problems with clients that implemented the prior draft standard (for example, iOS 12). Chrome 80 will include the changes. See SameSite Updates for the Chrome product launch timeline.

ASP.NET Core 3.1 has been updated to implement the new SameSite behavior. The update redefines the behavior of SameSiteMode.None to emit SameSite=None and adds a new value SameSiteMode.Unspecified to omit the SameSite attribute. All cookie APIs now default to Unspecified, though some components that use cookies set values more specific to their scenarios such as the OpenID Connect correlation and nonce cookies.

For other recent changes in this area, see HTTP: Some cookie SameSite defaults changed to None. In ASP.NET Core 3.0, most defaults were changed from SameSiteMode.Lax to SameSiteMode.None (but still using the prior standard).

Therefore, I checked Edge, and I seemed to get to where I needed. I don't know yet what to do to make it work on Chrome, but this is progress.

martincostello commented 4 years ago

Sounds like SameSite cookies.

You can read more information about it here: https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/

irwinwilliams commented 3 years ago

Hello Future Irwin (or other developer stumbling upon exactly how you resolved this issue), you did this:

1. Created this method (in the Startup class):

// Rewrites SameSite=None to "unspecified" so the SameSite attribute is omitted
private void SetSameSite(HttpContext httpContext, CookieOptions options)
{
    if (options.SameSite == SameSiteMode.None)
    {
        options.SameSite = SameSiteMode.Unspecified;
    }
}

2. Added this code to ConfigureServices:

services.Configure<CookiePolicyOptions>(options =>
{
    options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
    options.OnAppendCookie = cookieContext =>
        SetSameSite(cookieContext.Context, cookieContext.CookieOptions);
    options.OnDeleteCookie = cookieContext =>
        SetSameSite(cookieContext.Context, cookieContext.CookieOptions);
});

3. Added this code in the Configure method:

app.UseCookiePolicy();

And you were able to move forward. Also, do more reading on the SameSite policy work.

Cheers!
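The workaround above removes SameSite=None from every cookie, for every browser, which also downgrades the OAuth correlation cookie on clients that handle SameSite=None correctly. The following is an added example (not code from this thread or from the AspNet.Security.OAuth.Providers library) of the pattern Microsoft's SameSite guidance linked earlier recommends: keep SameSite=None by default and strip it only for user agents known to reject it. The class and method names (SameSiteCookiePolicy, AddSameSiteCookiePolicy, DisallowsSameSiteNone) are assumptions for this example; the user-agent checks follow the list in Microsoft's guidance and are a heuristic, not an exhaustive test.

```csharp
// Added example, not from the issue thread or the library.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class SameSiteCookiePolicy
{
    // Registers a cookie policy that rewrites SameSite=None to Unspecified
    // (attribute omitted) only for clients that mishandle SameSite=None.
    // Call from ConfigureServices; pair it with app.UseCookiePolicy() placed
    // before app.UseAuthentication() in Configure.
    public static IServiceCollection AddSameSiteCookiePolicy(this IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
            options.OnAppendCookie = ctx => CheckSameSite(ctx.Context, ctx.CookieOptions);
            options.OnDeleteCookie = ctx => CheckSameSite(ctx.Context, ctx.CookieOptions);
        });
        return services;
    }

    private static void CheckSameSite(HttpContext httpContext, CookieOptions options)
    {
        // Only cookies that ask for SameSite=None (e.g. the OAuth correlation
        // cookie) are candidates; Lax/Strict cookies are left untouched.
        if (options.SameSite != SameSiteMode.None)
        {
            return;
        }

        var userAgent = httpContext.Request.Headers["User-Agent"].ToString();
        if (DisallowsSameSiteNone(userAgent))
        {
            // Legacy client: omit the attribute instead of sending None,
            // which these clients interpret as Strict.
            options.SameSite = SameSiteMode.Unspecified;
        }
    }

    // Clients that implemented the 2016 SameSite draft and treat "None" as
    // "Strict". The user-agent fragments are the ones from Microsoft's
    // SameSite guidance (assumed list; extend it from your own telemetry).
    public static bool DisallowsSameSiteNone(string userAgent)
    {
        if (string.IsNullOrEmpty(userAgent))
        {
            return false;
        }

        // iOS 12 Safari and in-app WebViews on iOS 12
        if (userAgent.Contains("CPU iPhone OS 12") || userAgent.Contains("iPad; CPU OS 12"))
        {
            return true;
        }

        // macOS 10.14 (Mojave) Safari and embedded browsers using its engine
        if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14")
            && userAgent.Contains("Version/")
            && userAgent.Contains("Safari"))
        {
            return true;
        }

        // Chrome 50 through 69 reject cookies that carry SameSite=None
        if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
        {
            return true;
        }

        return false;
    }
}
```

Two checks worth making before reaching for this at all: Chrome 80 and later only accept a SameSite=None cookie that also carries the Secure attribute, so the correlation cookie must be issued over HTTPS or the browser drops it and the callback arrives without it, which surfaces as "Correlation failed"; and the cookie policy middleware must run before the authentication middleware, otherwise the correlation cookie is written without passing through OnAppendCookie.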

Mike-E-angelo commented 1 year ago

Pardon resurrecting an old thread here, but I am getting Correlation Failed pretty consistently on iPhone/iOS devices. The code that I see in this URL is for iOS 12 and the user agent I am seeing the failure is iOS 16. Doing searches is not returning anything obvious so asking here as the failures are occurring in the Twitter v2 and Reddit packages from this repo :) Thank you for any guidance you can provide. 🙏