aspnet / Identity

[Archived] ASP.NET Core Identity is the membership system for building ASP.NET Core web applications, including membership, login, and user data. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0

Second Facebook or Google sign in returns to /account/login after iOS 12 upgrade #1970

Closed eriksendc closed 5 years ago

eriksendc commented 5 years ago

NOTE: See my second comment on this issue. This isn't just an issue with my app (getyourpet.com). It can be reproduced with a "File New Project" web app. Someone needs to tell Apple what they broke fast!

Hi All,

I upgraded my iPhone 6s to iOS 12.0 yesterday (I was on 11.x), and I found that after the upgrade I couldn't sign in to getyourpet.com (my production site) using the Facebook button on the sign in page (/account/login) when using the Safari app. Tapping the Facebook button displayed the spinner on that button for a brief moment, but then you're just back at /account/login (though some amount of redirecting seemed to be happening behind the scenes). That led me to do a lot of experimenting. Here are some other findings:

  1. I had a colleague who was still on iOS 11x try signing in with Facebook. She could sign in over and over using Facebook without any issue. I then had her upgrade to iOS 12 and now both of our experiences are identical. Tapping the Facebook button displays the spinner, there's some redirecting going on, but when the spinner stops spinning you're at /account/login.

  2. Signing in with Facebook or Google on Chrome, Firefox, Edge and Opera are fine on my laptop.

  3. I tried signing in with the Google Chrome and Firefox apps. In both cases the behavior was the same as with Safari. I'm just back at /account/login.

  4. If I clear browser history and cookies for any of the browser apps, then signing in with Facebook or Google works once. You're redirected to either the Facebook or Google authentication pages, then you're redirected back to getyourpet.com and you're signed in. But if you sign out and try signing in again, you're back at 3: tapping Facebook or Google the second time after clearing history and cookies you're just left at /account/signin.

  5. If I sign in using email / password then go and manage my login providers (on getyourpet.com this is in the user menu as Sign In With...) and then select to enable signing in with Facebook or Google on an account, if I've just cleared browser cache / cookies, then the user is brought to Facebook or Google to authenticate, and returned to getyourpet.com's Sign In With... page successfully. If you try enabling signing in with Facebook or Google and there's already a cookie, then you're signed out!

  6. I've reproduced this in all of our environments (local development on my laptop and in our QA environment).

I'm trying to dig up another iPhone to reproduce this on. I won't have this until later tonight, but I did feel this is such a potentially giant issue that I thought I'd raise it quickly. Unfortunately I'm not a mobile developer, and don't have any clue as to how to get started with using some kind of tool like Fiddler to watch the traffic to/from the browser apps on my phone.

Anyways, it seems like once there is an authentication cookie, somehow that's not correctly being sent to getyourpet.com?

I'm sure this is the kind of issue where it's like "oh boy, this probably isn't even real, and there's not enough to go on". If there are things I can provide that would make further investigation possible let me know.

We're running a fairly basic ASP.NET web app that's been migrated all the way from pre-1.0 through to the latest version of 2.1 (2.1.4). I've included the relevant parts of our project file below. We run on servers running Windows 2012 R2 with the latest patches, and we run using IIS 8.5 (not native kestrel). Nothing has changed in our environment for over a week. The variable seems to be iOS 12.

I know y'all don't own iOS 12, but if there was some way of knowing what's going on then there would be something concrete that could be sent to Apple. I'm afraid it's going to be a lot of trouble for a lot of sites like getyourpet.com as folks upgrade to iOS 12.

-Brian Eriksen

    <PackageReference Include="angularjs" Version="1.4.7" />
    <PackageReference Include="AngularJS.Messages" Version="1.4.8" />
    <PackageReference Include="bootstrap" Version="3.3.5" />
    <PackageReference Include="System.IO.Pipelines" Version="4.5.1" />
    <PackageReference Include="EntityFramework" Version="6.2.0" />
    <PackageReference Include="Microsoft.EntityFrameworkCore.Design" Version="2.1.3" PrivateAssets="All" />
    <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="2.1.3" />
    <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="2.1.3" PrivateAssets="All" />
    <PackageReference Include="KendoUICore" Version="2015.3.1111" />
    <PackageReference Include="Microsoft.AspNetCore.Antiforgery" Version="2.1.1" />
    <PackageReference Include="Microsoft.AspNetCore.Authentication.Cookies" Version="2.1.2" />
    <PackageReference Include="Microsoft.AspNetCore.Authentication.Facebook" Version="2.1.2" />
    <PackageReference Include="Microsoft.AspNetCore.Authentication.Google" Version="2.1.2" />
    <PackageReference Include="Microsoft.AspNetCore.Authentication.MicrosoftAccount" Version="2.1.2" />
    <PackageReference Include="Microsoft.AspNetCore.Authentication.Twitter" Version="2.1.2" />
    <PackageReference Include="Microsoft.AspNetCore.Diagnostics" Version="2.1.1" />
    <PackageReference Include="Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore" Version="2.1.1" />
    <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="2.1.3" />
    <PackageReference Include="Microsoft.AspNetCore.Server.IISIntegration" Version="2.1.1" />
    <PackageReference Include="Microsoft.AspNetCore.Mvc" Version="2.1.2" />
    <PackageReference Include="Microsoft.AspNetCore.Mvc.TagHelpers" Version="2.1.2" />
    <PackageReference Include="Microsoft.AspNetCore.Server.Kestrel" Version="2.1.3" />
    <PackageReference Include="Microsoft.AspNetCore.StaticFiles" Version="2.1.1" />
    <PackageReference Include="Microsoft.AspNetCore.Routing" Version="2.1.1" />
    <PackageReference Include="Microsoft.Extensions.Caching.Abstractions" Version="2.1.2" />
    <PackageReference Include="Microsoft.Extensions.Caching.Memory" Version="2.1.2" />
    <PackageReference Include="Microsoft.Extensions.Configuration.FileExtensions" Version="2.1.1" />
    <PackageReference Include="Microsoft.Extensions.Configuration.EnvironmentVariables" Version="2.1.1" />
    <PackageReference Include="Microsoft.Extensions.Configuration.Json" Version="2.1.1" />
    <PackageReference Include="Microsoft.Extensions.Configuration.UserSecrets" Version="2.1.1" />
    <PackageReference Include="Microsoft.Extensions.Logging" Version="2.1.1" />
    <PackageReference Include="Microsoft.Extensions.Logging.Configuration" Version="2.1.1" />
    <PackageReference Include="Microsoft.Extensions.Logging.Console" Version="2.1.1" />
    <PackageReference Include="Microsoft.Extensions.Logging.Debug" Version="2.1.1" />
    <PackageReference Include="Microsoft.Extensions.PlatformAbstractions" Version="1.1.0" />
    <PackageReference Include="Microsoft.VisualStudio.Web.BrowserLink" Version="2.1.1" />
    <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="2.1.4" PrivateAssets="All" />
    <PackageReference Include="Sendgrid" Version="9.9.0" />
    <PackageReference Include="Twilio" Version="5.16.4" />
    <PackageReference Include="NLog.Web.AspNetCore" Version="4.6.0" />
    <PackageReference Include="NLog.Extensions.Logging" Version="1.2.1" />
    <PackageReference Include="NLog" Version="4.5.9" />
    <PackageReference Include="Hangfire" Version="1.6.20" />
    <PackageReference Include="Hangfire.AspNetCore" Version="1.6.20" />
    <PackageReference Include="Microsoft.SqlServer.Types" Version="14.0.314.76" />
    <PackageReference Include="Microsoft.AspNetCore.Http.Features" Version="2.1.1" />
    <PackageReference Include="Microsoft.Extensions.Options.ConfigurationExtensions" Version="2.1.1" />
    <PackageReference Include="MaxMind.GeoIP2" Version="3.0.0" />
    <PackageReference Include="Microsoft.AspNetCore.Owin" Version="2.1.1" />
    <PackageReference Include="Microsoft.AspNet.SignalR.Owin" Version="1.2.2" />
    <PackageReference Include="Microsoft.AspNet.SignalR" Version="2.3.0" />
    <PackageReference Include="Microsoft.AspNet.SignalR.Redis" Version="2.3.0" />
    <PackageReference Include="LinqKit.Microsoft.EntityFrameworkCore" Version="1.1.15" />
    <PackageReference Include="Microsoft.AspNetCore.Mvc.Razor.ViewCompilation" Version="2.1.1" PrivateAssets="All" />

eriksendc commented 5 years ago

Since submitting my original issue yesterday I tested this and proved that this is an issue with the "File New" experience. If you create a new ASP.NET MVC app and enable Facebook, I'm getting the exact same results... desktop / laptop is fine, but signing in with the Facebook button from /Identity/Account/Login doesn't work. The versions of things from my "File New" test and the updated startup.cs code to enable Facebook are below.

    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            // This lambda determines whether user consent for non-essential cookies is needed for a given request.
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.None;
        });

        services.AddDbContext<ApplicationDbContext>(options =>
            options.UseSqlServer(
                Configuration.GetConnectionString("DefaultConnection")));
        services.AddDefaultIdentity<IdentityUser>()
            .AddRoles<IdentityRole>()
            .AddEntityFrameworkStores<ApplicationDbContext>()
            .AddDefaultTokenProviders();

        services.AddAuthentication()
            .AddFacebook(options =>
            {
                options.AppId = Configuration["Authentication:Facebook:AppId"];
                options.AppSecret = Configuration["Authentication:Facebook:AppSecret"];
            });

        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
    }

    <PackageReference Include="Microsoft.AspNetCore" Version="2.1.3" />
    <PackageReference Include="Microsoft.AspNetCore.Authentication.Cookies" Version="2.1.2" />
    <PackageReference Include="Microsoft.AspNetCore.Authentication.Facebook" Version="2.1.2" />
    <PackageReference Include="Microsoft.AspNetCore.CookiePolicy" Version="2.1.2" />
    <PackageReference Include="Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore" Version="2.1.1" />
    <PackageReference Include="Microsoft.AspNetCore.HttpsPolicy" Version="2.1.1" />
    <PackageReference Include="Microsoft.AspNetCore.Identity.UI" Version="2.1.3" />
    <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="2.1.3" />
    <PackageReference Include="Microsoft.AspNetCore.Mvc" Version="2.1.2" />
    <PackageReference Include="Microsoft.AspNetCore.StaticFiles" Version="2.1.1" />
    <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="2.1.3" />
    <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="2.1.3" PrivateAssets="All" />
    <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="2.1.4" PrivateAssets="All" />

blowdart commented 5 years ago

Is this in Safari? I wonder if it's to do with samesite cookies. Safari's handling of those has been somewhat, umm, interesting.

Could you try the following?

    services.AddAuthentication()
        .Services.ConfigureApplicationCookie(o =>
        {
            o.Cookie = new CookieBuilder
            {
                SameSite = SameSiteMode.Lax,
            };
        });

eriksendc commented 5 years ago

Hi @blowdart ,

This is happening in iOS 12 using any browser app (Safari, Chrome, Firefox are the ones I've tried so far).

When I went to try your suggestion, when the intellisense kicked in I saw this. Note the help states that SameSiteMode.Lax is the default. I'm still going to try it but wanted to give you this feedback as quickly as possible.

Our help desk gets the user agent of each help request we receive. So far, since I first reported this, there's an uptick in help requests about Facebook and Google sign in issues, and every one of them that's been reported shows that the user is on iOS 12. I believe we're on the front edge of folks accepting to upgrade to iOS 12. It wasn't "pushed as hard". There wasn't the normal "red dot" showing up for the Settings app that draws your attention to it. Apple purposefully doesn't push hard on major upgrades like going from 11.x to 12. But people are slowly discovering it and upgrading. I fear there is going to be a big issue for all ASP.NET Core web apps if this isn't taken seriously really soon.

[image]

eriksendc commented 5 years ago

@blowdart PS - you didn't show the .AddFacebook() and .AddGoogle() in your code that you suggested to try. I'm adding that at the end. Should it be at the end or before .AddFacebook(), or does that even matter?

Thanks! Brian Eriksen, CTO, GetYourPet.com

eriksendc commented 5 years ago

@blowdart No change in behavior after incorporating your suggestion. Tested on Safari, Google and Firefox apps in iOS 12.

blowdart commented 5 years ago

The order doesn't matter. OK let's try SameSite.None, and turn all the security off :cry:

eriksendc commented 5 years ago

@blowdart No change in behavior after switching to SameSiteMode.None. Tested on Safari, Google and Firefox apps in iOS 12.

blowdart commented 5 years ago

Darn. OK, @HaoK @Tratcher can you please take a look?

Tratcher commented 5 years ago

We just went through this on another thread and it was SameSite broken on iOS 12. The trick is figuring out which cookie is affected. A Fiddler trace is your best bet. I know you can't do that from iOS, but a trace using your desktop browser should give enough of the same data to identify the cookie even if you don't experience the issue there.

eriksendc commented 5 years ago

Hi @Tratcher. In @blowdart 's initial suggestion he'd suggested chaining in .Services.ConfigureApplicationCookie() to set SameSite for the cookie. I tried that and it didn't change anything. Reading the other thread I thought I understood that setting SameSite = SameSiteMode.None for the external cookie would do the trick. I just tried that, and still no luck. Then there's something about making your own cookie or scheme or something. Anyways, if there is a workaround I'd like to try it but I'm sorry but I'm just not getting what I should be doing. Below is the code that I've most recently tried. Note that in my case I'm not using Identity Server... I don't have an Identity Server instance... just a plain old app with local (email / password) and external authentication.

[image]

eriksendc commented 5 years ago

PS @Tratcher I'm not exactly sure what you were asking about in getting a fiddler trace. What exactly are you looking for? Oh, and my problem, and the problem I can recreate with File --> New Project, isn't just a problem with Safari. It's Safari, Chrome and Firefox on iOS 12. There must be some underlying library that is in the OS that all browser apps are dependent on that has broken this.

Tratcher commented 5 years ago

Fiddler is a really useful HTTP debugging tool to capture your traffic. Facebook and Google aren't in the template; I'd want to see the trace that included any modifications you've made.

On iOS all browsers are forced to use the same stack underneath. Only the UI ends up being different.

eriksendc commented 5 years ago

Hi @Tratcher , yeah I think I used Fiddler back when it first came out... and over the years... but not an expert. I believe I have a trace but I've got these options when I export. Is there one of them that you'd prefer?

[image]

Tratcher commented 5 years ago

Save As a .saz file (as opposed to Exporting).

eriksendc commented 5 years ago

Hi @Tratcher Sorry for the radio silence. Had other fires to put out. Here's a link to the .saz file you asked for: https://drive.google.com/open?id=1LK-G1ypS0mlT1aD37k9X91gxkptz2rPn

Please note, I'm not fiddleriffic. If there's something I've not provided let me know.

That being said:

  1. Given this issue can be reproduced with "File --> New Project", is there someone at Microsoft that can try reproducing? For reference, the project that I created with "File --> New Project" can be found here: https://drive.google.com/open?id=1TyP-NFb50M7lLi951Ah0j8y2O26Q7Y2W

  2. If you or anyone else wants to do some fiddlering yourself / themselves, feel free to try and register at https://getyourpet.com/account/register with the Facebook or Google buttons. Then you can test signing in and fiddlering on your own.

Tratcher commented 5 years ago

Yup, there it is. Your request to /signin-facebook returns the following cookie with SameSite enabled: Set-Cookie: Identity.External=CfDJ8Elg8Qw3o45IkiKXhK_kwNnfMBLXzAsSfq-sY5-ZfjbllFMM_lTPk5I0dmWb3r8GdnhfuXSiIJqiA5ChL_WHcXTqsCulyoIhVFUJy2Oy07Q-1d7ljgUEgBOwzeNLHINojoMeL6wT8HISrbRpzp3cMm_LABTe5fLp4Vbt5ae13m8lI6_GkKb9w-wAR2PVXT0u_RtVzTBJ-lEcsXy2_dhS5a-TaZOiZMPQYvx7cOIxjXvf4x9visz3TOtF96I98f4mLqNBZ4xhZGmcOOe6oSjqynsqR4ZvIK9fRwbo8CF8yiL9B44UmxFqstky5IDdvuM_Is2faeDU1RNB4u35At9ElrJrjbijybVAAhoK4H-wnFbBQ6F7z64F7Z7PpcJFMFgM4v2tuYW4tp1lm5VUYwdtz_t1x89OBKpRcygwifyN5rHv7UJzB4OQjZ8v3IQiRd7qNl8rF1PdplaLjGmLO7YLSKyi4khccqjqofJ0fQ7-35npcw_v456P54P4KRzL0llxj42PBVm1Jnq25m7KOxF96iCvScJplHz2K6TOH1x2R3m6Utc_y0RE20wEGum0jB32UskHDI7vMhN-PDwBP7Je2WM4EhC1Q5CyrTMyEPD3DuRs4EQXP1YGoGf_zu2uu9Rznlt0aWtbK5jqwZqDEUuiFXCPkM-8v9rtMg1VQ62ExXZuK9GX5cm9etnSAAQ07GqJCss1L9bvKc-p--Pp5Qlx9f_TbNtE0nT8J7TR-EoMtm7rxVbbo2DS1HHQT9S9ESk7QnXlJAxbiHRx-38bzdCP16oNjpZ9dxgdRKySsvBvDOo7IY58eC2N1oNirLat9mBJm513VK_7cKSjSQhAmRyUor1pBWnp7JKZjyXpQIXVHF7diYbiTJ_oh_Col_Hk7Ec3zg; path=/; secure; samesite=lax; httponly

ConfigureExternalCookie should be the right one to deal with that. Why are you creating a new CookieBuilder rather than modifying the existing one?

Your request to /Account/ExternalLoginCallback also sets a cookie with SameSite: Set-Cookie: .AspNetCore.Identity.Application=CfDJ8Elg8Qw3o45IkiKXhK_kwNntz3o2CaXqhQK8CWSwyxQkhma5oOIVhc0F-4lFSN2P8uThkxJPLYU3HEgvyLsyM6vmDFCWSdUHoVBzsgRZa9xMjBU4ftPyXqvfHAbgLSoWp7rGb49AOOtCoKtXaKYzq5B2zUucK4CwrStVlFcMlsX485PvtXMmCwoCjv5pOixS90oC6cuy5AkpvSWARf2-tFIsgOFsj3y75hZ08nLqAvSVAMhq7LJ-upTIHngqzWkndXCE5kNyUPkHFYJKPt7qT42h00y5erwtHSmpf2BOYI9KS4AFzS-lik5rPoh6qU2Oz45UHt9AHAJfl9W2T-Zin50wV2fr0NxDLCuUJbIPOe0mJHDIeJ72RN9_JO1lFwdaTxAVmkpn6SI5xmKbreRAmrUkaRvLUzWxF25qBshicYpzLKKgIMmRYlbY8cRHuljhcUpnRhsF5cGDSihVinktc_CecaGkOwb7IV7ZxUwaaDWvozLNPa8B1kQyNTt2Nro_vdMnJ9P7u29R0Jd_hQA67icSafCut2kBZ9YIVDMruNqQDrG6EEGl8NJkXdllYvVu9IgD6xY3MqT5kWnfVwg3GCDbVRNYOYpx6F1v4DBqmirnMXve8Wp5F__Iey0Hoym3frK0OY47hVsgFXQs54Ab6e_TJzLhsszAN2qoF4aERTtUaZkVnWeDZ_8nFN-Pe-GKP9a5ejyPC8y8n60aKcs48fhtAQ5esbZ4kVHvIMiXreIt9zksSfaHK2zrOMdyPIBXB_pPWucoJmR9R8E5X56KUk0yRcsrNSTb4ufuxU4VtU-aoFF8tau0rNLSewBGbvo1XA; path=/; secure; samesite=lax; httponly

This one is configured by ConfigureApplicationCookie.
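
As an added example (not code from this thread or from ASP.NET Core), the check Tratcher did by hand on the .saz file, automated in Python: walk the response headers of each request on the external-login round trip and report every live cookie set with samesite=lax or strict, naming the Startup.cs method that configures it. The trace, the cookie values and the /signin-google path are constructed; the cookie-name-to-method mapping is the one given in the comment above.

```python
from dataclasses import dataclass

# Requests on the external-login round trip. /signin-facebook and
# /Account/ExternalLoginCallback are the two named in the thread; /signin-google
# is assumed to follow the same convention.
CALLBACK_PATHS = ("/signin-facebook", "/signin-google", "/Account/ExternalLoginCallback")

# Cookie name -> the Startup.cs method that configures it (as stated in the thread).
CONFIGURED_BY = {
    "Identity.External": "ConfigureExternalCookie",
    ".AspNetCore.Identity.Application": "ConfigureApplicationCookie",
}

# Constructed trace modelled on the .saz findings above: (request path, response
# header lines). Cookie values are placeholders, not real tokens.
SAMPLE_TRACE = [
    ("/Account/Login", ["Content-Type: text/html; charset=utf-8"]),
    ("/signin-facebook", [
        "Location: /Account/ExternalLoginCallback",
        "Set-Cookie: Identity.External=CfDJ8_CONSTRUCTED; path=/; secure; samesite=lax; httponly",
        # a deletion (empty value): the correlation cookie is being cleared, not set
        "Set-Cookie: .AspNetCore.Correlation.Facebook.CONSTRUCTED=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/signin-facebook; samesite=lax",
    ]),
    ("/Account/ExternalLoginCallback", [
        "Location: /",
        "Set-Cookie: .AspNetCore.Identity.Application=CfDJ8_CONSTRUCTED; path=/; secure; samesite=lax; httponly",
        "Set-Cookie: Identity.External=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; samesite=lax",
    ]),
]

@dataclass(frozen=True)
class Finding:
    request_path: str
    cookie: str
    samesite: str       # "lax" or "strict"
    configured_by: str  # where in Startup.cs to change it

def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, attrs); attribute names and
    values are lower-cased, and a bare attribute such as 'secure' maps to ''."""
    chunks = [c.strip() for c in header_value.split(";")]
    name, _, value = chunks[0].partition("=")
    attrs = {}
    for chunk in chunks[1:]:
        if chunk:
            key, _, val = chunk.partition("=")
            attrs[key.strip().lower()] = val.strip().lower()
    return name.strip(), value.strip(), attrs

def audit(trace):
    """Report every live cookie set on a callback path with samesite=lax or strict.
    Deletions (empty value) are skipped; a missing or 'none' attribute is not
    reported, since neither restricts the cookie on the cross-site return leg."""
    findings = []
    for path, headers in trace:
        if path not in CALLBACK_PATHS:
            continue
        for line in headers:
            key, _, rest = line.partition(":")
            if key.strip().lower() != "set-cookie":
                continue
            name, value, attrs = parse_set_cookie(rest)
            if not value:
                continue
            samesite = attrs.get("samesite") or "unset"
            if samesite in ("lax", "strict"):
                where = CONFIGURED_BY.get(name, "a custom cookie scheme (not Identity's)")
                findings.append(Finding(path, name, samesite, where))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_TRACE):
        print(f"{f.request_path}: {f.cookie} is samesite={f.samesite}; set SameSite in {f.configured_by}")
```

To use it on a real capture, export the Fiddler sessions to text and load each response's headers into the same (path, header lines) shape.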

eriksendc commented 5 years ago

Hi @Tratcher ,

Regarding "Why are you creating a new CookieBuilder rather than modifying the existing one?", @blowdart 's original suggestions had that. In my more recent attempts I'm assigning the SameSite property of the existing one to SameSiteMode.None.

In the other thread I noticed someone had set CorrelationCookie.SameSite to SameSiteMode.None when populating the options for things like AddFacebook(). I'm not finding that to be necessary.

I do have a solution which sets SameSite for both ConfigureApplicationCookie() and ConfigureExternalCookie(). Thank you for jumping in and pointing me in the right direction and for looking at my Fiddler .saz file!

Two questions:

  1. Does this issue stay open? Seems like Apple needs to be told that they've broken things, or that they're doing something wrong. I'm sure I wouldn't be the best one to articulate to Apple what they've done. I assume there's someone there at Microsoft that can authoritatively speak for Microsoft and will be listened to by Apple. What's the next step in fixing the real root cause?

  2. Is GetYourPet.com going to be somehow less secure (and I mean, are users' accounts somehow less secure) by setting SameSite to SameSiteMode.None? I have to do this for now. As of yesterday Apple is now pushing iOS 12 with the "red dot on your settings app" reminder. I have to put this solution into production as soon as possible to stop a flood of support requests. But what risk am I undertaking implementing this workaround?

Again, many, many thanks, and thanks in advance for answers to these last two questions.

blowdart commented 5 years ago

Blowdart can be an idiot and get his code wrong.

So by following Chris's correct advice the risk here is minimal, as I believe it's only loosening the same site protection on the cookie we use during external authentication. After that process is completed the cookie we drop uses the more secure setting and is a different one. Although Chris might correct me here again :)

eriksendc commented 5 years ago

Hi @blowdart Thanks for pitching in on my question 2 above. Just a reminder I'd like to understand how Apple is engaged to get the root cause addressed (question 1 above). Thanks!

blowdart commented 5 years ago

Funnily enough I'm at a conference today with Apple security folks in attendance. It's arguable they're not doing the wrong thing here, the whole spec around same site was, well, not quite rigorous. It's almost like the HTML4 days again. I'll talk to them though :)

Tratcher commented 5 years ago

See https://github.com/IdentityServer/IdentityServer4/issues/2595#issuecomment-425068595 and https://bugs.webkit.org/show_bug.cgi?id=188165. Apple claims this is by design and every other browser is wrong.

@blowdart note he had to disable same site for both his external cookie and his main auth cookie. In other words, Apple's implementation seems to negate the use of SameSite in any OAuth implementation. We'll want to verify this with a local repro.

eriksendc commented 5 years ago

Oh geez. Well, thanks Apple! :)

For posterity, anyone that wants to see a final before / after, here you go. This is code in Startup.cs inside ConfigureServices().

Before

services.ConfigureApplicationCookie(options =>
{
    options.AccessDeniedPath = new PathString("/Account/Login"); //If the logged in user doesn't have access to the page we redirect him to the login page.

    //Taken from https://devblog.dymel.pl/2016/07/07/return-401-unauthorized-from-asp-net-core-api/
    options.Events = new CookieAuthenticationEvents
    {
        OnRedirectToLogin = ctx =>
        {
            if (ctx.Request.Path.StartsWithSegments("/api") && ctx.Response.StatusCode == (int)HttpStatusCode.OK)
            {
                ctx.Response.StatusCode = (int)HttpStatusCode.ResetContent;
            }
            else
            {
                ctx.Response.Redirect(ctx.RedirectUri);
            }

            return Task.FromResult(0);
        }
    };
});

services.AddAuthentication()
        .AddFacebook(options =>
        {
            options.AppId = Configuration["Authentication:Facebook:AppId"];
            options.AppSecret = Configuration["Authentication:Facebook:AppSecret"];
            options.Scope.Add("email");
        })
        .AddGoogle(options =>
        {
            options.ClientId = Configuration["Authentication:Google:ClientId"];
            options.ClientSecret = Configuration["Authentication:Google:ClientSecret"];
        });

After

services.ConfigureApplicationCookie(options =>
{
    options.AccessDeniedPath = new PathString("/Account/Login"); //If the logged in user doesn't have access to the page we redirect him to the login page.

    //https://github.com/aspnet/Identity/issues/1970
    options.Cookie.SameSite = SameSiteMode.None;

    //Taken from https://devblog.dymel.pl/2016/07/07/return-401-unauthorized-from-asp-net-core-api/
    options.Events = new CookieAuthenticationEvents
    {
        OnRedirectToLogin = ctx =>
        {
            if (ctx.Request.Path.StartsWithSegments("/api") && ctx.Response.StatusCode == (int)HttpStatusCode.OK)
            {
                ctx.Response.StatusCode = (int)HttpStatusCode.ResetContent;
            }
            else
            {
                ctx.Response.Redirect(ctx.RedirectUri);
            }

            return Task.FromResult(0);
        }
    };
});

//https://github.com/aspnet/Identity/issues/1970
services.ConfigureExternalCookie(options =>
{
    options.Cookie.SameSite = SameSiteMode.None;
});

services.AddAuthentication()
        .AddFacebook(options =>
        {
            options.AppId = Configuration["Authentication:Facebook:AppId"];
            options.AppSecret = Configuration["Authentication:Facebook:AppSecret"];
            options.Scope.Add("email");
        })
        .AddGoogle(options =>
        {
            options.ClientId = Configuration["Authentication:Google:ClientId"];
            options.ClientSecret = Configuration["Authentication:Google:ClientSecret"];
        });

eriksendc commented 5 years ago

@Tratcher Something that just came to mind... given that this issue affects projects created with "File --> New Project" and following the various guides to implement "social sign in" (I just googled and every "how to set up social sign in" is lacking any mention of SameSite), I'm wondering if this warrants some kind of formal announcement on the repo where the announcements usually go? Am I allowed to do that, or is there some other person that should make up some kind of announcement? Seems like something that a lot of sites built with asp.net core are going to run into now that iOS 12 is officially being pushed to iPhones and iPads in the wild. What do you think?

blowdart commented 5 years ago

@Eilon @DamianEdwards Does this warrant an announcement, considering iOS12 and Safari broke us (and other OIDC providers)?

Eilon commented 5 years ago

@blowdart by all means.

blowdart commented 5 years ago

OK I'll kick off an email thread after triage.

Tratcher commented 5 years ago

@blowdart will write the announcement.

Temporary workarounds:

// With Identity
services.ConfigureExternalCookie(options =>
{
    options.Cookie.SameSite = SameSiteMode.None;
});
services.ConfigureApplicationCookie(options =>
{
    options.Cookie.SameSite = SameSiteMode.None;
});

// Without Identity (AddCookie extends AuthenticationBuilder, so it is chained off AddAuthentication)
services.AddAuthentication()
    .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
    {
        options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None;
    });

And link to https://github.com/IdentityServer/IdentityServer4/issues/2595#issuecomment-425068595 for IdentityServer based workarounds.

blowdart commented 5 years ago

Done. I'm closing the issue here, because it's not clear this is our fault :) https://github.com/aspnet/Announcements/issues/318