Closed irwinwilliams closed 3 years ago
Still investigating, but realized that by Strava's use of OAuthHandler, it might make sense to look into the exception based on dotnet core's implementation. I found this link, https://docs.microsoft.com/en-us/dotnet/core/compatibility/aspnetcore, that describes some breaking changes related to SameSite cookies.
New behavior

Google proposed a new draft standard that isn't backwards compatible. The standard changes the default mode to Lax and adds a new entry None to opt out. Lax suffices for most app cookies; however, it breaks cross-site scenarios like OpenID Connect and WS-Federation login. Most OAuth logins aren't affected because of differences in how the request flows. The new None parameter causes compatibility problems with clients that implemented the prior draft standard (for example, iOS 12). Chrome 80 will include the changes. See SameSite Updates for the Chrome product launch timeline.

ASP.NET Core 3.1 has been updated to implement the new SameSite behavior. The update redefines the behavior of SameSiteMode.None to emit SameSite=None and adds a new value SameSiteMode.Unspecified to omit the SameSite attribute. All cookie APIs now default to Unspecified, though some components that use cookies set values more specific to their scenarios such as the OpenID Connect correlation and nonce cookies.

For other recent changes in this area, see HTTP: Some cookie SameSite defaults changed to None. In ASP.NET Core 3.0, most defaults were changed from SameSiteMode.Lax to SameSiteMode.None (but still using the prior standard).
Therefore, I checked Edge, and I seemed to get to where I needed. I don't know what to do yet to make it work on Chrome. But this is progress.
Sounds like SameSite cookies.
You can read more information about it here: https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/
Hello Future Irwin (or other developer stumbling upon exactly how you resolved this issue), You did this:
Created this method (in the Startup class):

```csharp
// Runs for every cookie the app appends or deletes (wired up via CookiePolicyOptions below).
// Cookies that would be emitted with SameSite=None get the attribute omitted instead,
// so clients that mis-handle SameSite=None fall back to their own default.
private void SetSameSite(HttpContext httpContext, CookieOptions options)
{
    if (options.SameSite == SameSiteMode.None)
    {
        options.SameSite = SameSiteMode.Unspecified;
    }
}
```
Added this code to ConfigureServices:

```csharp
services.Configure<CookiePolicyOptions>(options =>
{
    // Unspecified: do not force a minimum SameSite value onto every cookie.
    options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
    // Apply the same rewrite on append and on delete so the expiring
    // Set-Cookie header carries the same attributes as the original.
    options.OnAppendCookie = cookieContext =>
        SetSameSite(cookieContext.Context, cookieContext.CookieOptions);
    options.OnDeleteCookie = cookieContext =>
        SetSameSite(cookieContext.Context, cookieContext.CookieOptions);
});

// In Configure(IApplicationBuilder app), before app.UseAuthentication(),
// so the policy is applied to the OAuth correlation cookie:
app.UseCookiePolicy();
```
And you were able to move forward. Also, do more reading on the SameSite policy work.
Cheers!
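As an added example (not code from this thread, from the Microsoft documentation quoted above, or from the provider library this issue is filed against), the Startup below wires the same CookiePolicyOptions hooks but, instead of dropping SameSite for every client, applies the user-agent heuristic from the Microsoft SameSite guidance linked earlier in the thread: clients known to misread SameSite=None (the iOS 12 and macOS 10.14 WebKit networking stack, Chrome 50 to 69) get the attribute omitted, while every other client keeps SameSite=None with Secure set, which is what Chrome 80+ requires before it will store the correlation cookie at all. The user-agent substrings are the ones from that guidance; the class name, the CheckSameSite method and the sample user agents in the comments are assumptions of this example.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            // Do not force a minimum; each component keeps the SameSite value it chose
            // (the OAuth correlation cookie asks for None in ASP.NET Core 3.x).
            options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
            // Same rewrite on append and delete so the expiring Set-Cookie header is
            // accepted by the browser under the same rules as the original cookie.
            options.OnAppendCookie = ctx => CheckSameSite(ctx.Context, ctx.CookieOptions);
            options.OnDeleteCookie = ctx => CheckSameSite(ctx.Context, ctx.CookieOptions);
        });

        // services.AddAuthentication(...).AddStrava(...) etc. goes here (provider-specific, omitted).
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseCookiePolicy();      // must precede UseAuthentication to affect its cookies
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }

    // Only cookies that would be emitted with SameSite=None need attention.
    private static void CheckSameSite(HttpContext httpContext, CookieOptions options)
    {
        if (options.SameSite != SameSiteMode.None)
        {
            return;
        }

        var userAgent = httpContext.Request.Headers["User-Agent"].ToString();
        if (DisallowsSameSiteNone(userAgent))
        {
            // Legacy client would treat None as Strict: omit the attribute entirely.
            options.SameSite = SameSiteMode.Unspecified;
        }
        else
        {
            // Chrome 80+ discards SameSite=None cookies that are not also Secure,
            // which is how a correlation cookie silently goes missing on http://.
            options.Secure = true;
        }
    }

    // Heuristic from the Microsoft SameSite guidance: user agents known to reject or
    // misinterpret SameSite=None. Hypothetical matches: "... CPU iPhone OS 12_4 ...",
    // "... Macintosh; Intel Mac OS X 10_14_6 ... Version/12.1 Safari ...", "... Chrome/63 ...".
    public static bool DisallowsSameSiteNone(string userAgent)
    {
        if (string.IsNullOrEmpty(userAgent))
        {
            return false;
        }

        // iOS 12 Safari, WKWebView and Chrome on iOS all use the iOS networking stack.
        if (userAgent.Contains("CPU iPhone OS 12") || userAgent.Contains("iPad; CPU OS 12"))
        {
            return true;
        }

        // Safari on macOS 10.14 (Chrome on macOS uses its own stack and is fine).
        if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14")
            && userAgent.Contains("Version/") && userAgent.Contains("Safari"))
        {
            return true;
        }

        // Chrome 50-69: some builds are broken by SameSite=None and none require it.
        if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
        {
            return true;
        }

        return false;
    }
}
```

Because Secure is set on the None branch, the correlation cookie is only stored when the app is served over HTTPS; running the development server on plain http://localhost reproduces the same "Correlation failed" error by a different route, so test the login flow against the https profile. The trade-off relative to the unconditional Unspecified fix above is that modern browsers keep SameSite=None, so cross-site callbacks that arrive as a POST (form_post response mode, WS-Federation) keep working, while the GET-redirect OAuth flow used here works either way.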
Pardon resurrecting an old thread here, but I am getting Correlation Failed pretty consistently on iPhone/iOS devices. The code that I see in this URL is for iOS 12 and the user agent I am seeing the failure is iOS 16. Doing searches is not returning anything obvious so asking here as the failures are occurring in the Twitter v2 and Reddit packages from this repo :) Thank you for any guidance you can provide. 🙏
Describe the bug Attempting to authenticate with Strava. I'm using this code:
And this code in ConfigureServices:
When I attempt to access my route that needs authorization, it yields this error:
Steps to reproduce: Attempting to access a route that has the [Authorize] attribute on it.
Expected behavior: Authentication prompt from Strava.
Actual behavior: Produced error listed below:
System information:

```text
.NET Core SDK (reflecting any global.json):
 Version:   3.1.302
 Commit:    41faccf259

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.14393
 OS Platform: Windows
 RID:         win10-x86
 Base Path:   D:\Program Files (x86)\dotnet\sdk\3.1.302\

Host (useful for support):
  Version: 3.1.8
  Commit:  9c1330dedd
```