aspnet / AspNetKatana

Microsoft's OWIN implementation, the Katana project
Apache License 2.0

Google Auth Issues After Upgrading from 4.0.1 to 4.1.0 (SameSite Related?) #341

Closed nicholashead closed 4 years ago

nicholashead commented 4 years ago

Hi! A little background - we call UseGoogleAuthentication() on our app, and our local test environment uses IISExpress (without HTTPS) for testing. Prior to upgrading to 4.1.0, I could log into Google just fine for my app. After upgrading, I am now getting my callback URL with a &error=access_denied querystring param. Based on my research, this may be related to SameSite changes - and looking at Chrome's debugger, I see a warning about the response headers:

Set-Cookie: .AspNet.Correlation.Google=(guid); path=/; HttpOnly; SameSite=None

Warning: This set-cookie had the "SameSite=None" attribute but did not have the "Secure" attribute, which is required in order to use "SameSite=None".

I found https://docs.microsoft.com/en-us/aspnet/samesite/owin-samesite and this led me to believe that perhaps this issue is SameSite related.

Am I on the right path diagnosing this? Will I maybe just need to upgrade our development environment to be all-HTTPS instead?

Any help/guidance would be appreciated on this, and I'm sharing in the hope that I'm not alone in encountering the gotcha. Thank you!

Tratcher commented 4 years ago

Yeah, all auth needs to happen over https now. https://github.com/aspnet/AspNetKatana/blob/e001fcf245ba4b6b2eb09ef410d398527882dc1a/src/Microsoft.Owin.Security/Infrastructure/AuthenticationHandler.cs#L216-L221
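An added example (not part of this issue or of the Katana code) that audits Set-Cookie headers for the condition Chrome warns about above: SameSite=None without Secure, plus the related case where a Secure cookie is set over plain HTTP, which is why the answer says auth has to run over HTTPS. The sample headers are constructed; the GUID from the issue is replaced by a placeholder.

```python
from dataclasses import dataclass, field

# Constructed Set-Cookie headers for the demonstration. The first reproduces the
# header quoted in the issue with the GUID replaced by a placeholder value.
SAMPLE_HEADERS = [
    ".AspNet.Correlation.Google=PLACEHOLDER-GUID; path=/; HttpOnly; SameSite=None",
    ".AspNet.Correlation.Google=PLACEHOLDER-GUID; path=/; HttpOnly; SameSite=None; Secure",
    ".AspNet.Cookies=opaque; path=/; HttpOnly; SameSite=Lax",
]


@dataclass
class Cookie:
    name: str
    value: str
    # lower-cased attribute name -> value, or True for flag attributes like HttpOnly
    attributes: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Split a Set-Cookie header value into name, value and an attribute map (RFC 6265 layout)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:  # tolerate a trailing ';'
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return Cookie(name.strip(), value, attrs)


def audit_cookie(header: str, request_is_https: bool) -> list:
    """Return the reasons a current browser would refuse to store this cookie.

    Two rules matter for the correlation cookie in the issue: SameSite=None is only
    accepted together with Secure, and a Secure cookie is ignored when it arrives
    over plain HTTP, so adding Secure alone does not rescue an http:// test setup.
    """
    cookie = parse_set_cookie(header)
    samesite = cookie.attributes.get("samesite")
    secure = cookie.attributes.get("secure") is True
    problems = []
    if isinstance(samesite, str) and samesite.lower() == "none" and not secure:
        problems.append("SameSite=None requires the Secure attribute")
    if secure and not request_is_https:
        problems.append("Secure cookie set over plain HTTP will not be stored")
    return problems


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(parse_set_cookie(header).name, audit_cookie(header, request_is_https=False))
```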

nicholashead commented 4 years ago

@Tratcher thanks for your time and reply. That's what I was afraid of. Hopefully this will help someone else.