aspnet / Security

[Archived] Middleware for security and authorization of web apps. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0

Correlation failed error #1839

Closed jaydubal closed 6 years ago

jaydubal commented 6 years ago

After upgrading to .NET Core 2.1 from version 2.0 it breaks the Google OIDC middleware: if the cookie option is set as SameSite = SameSiteMode.Strict it throws this error: Correlation failed.

The error goes away if the above cookie option is not set. It used to work in .NET Core 2.0.

Tratcher commented 6 years ago

Which cookie did you set that on? SameSite is not compatible with OAuth.

jaydubal commented 6 years ago
using System;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.Google;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Inside Startup.ConfigureServices(IServiceCollection services)
services.AddAuthentication(options =>
    {
        // Cookies carry the signed-in session; Google is only used for the challenge.
        options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = GoogleDefaults.AuthenticationScheme;
    })
    .AddCookie(options =>
    {
        options.ExpireTimeSpan = TimeSpan.FromMinutes(60);
        options.SlidingExpiration = true;
        options.Cookie.HttpOnly = true;
        // options.Cookie.SameSite = SameSiteMode.Strict; // fails in .NET Core 2.1
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    })
    .AddGoogle(googleOptions =>
    {
        googleOptions.SaveTokens = true;
        googleOptions.ClientId = Configuration["Authentication:Google:ClientId"];
        googleOptions.ClientSecret = Configuration["Authentication:Google:ClientSecret"];
    });
jaydubal commented 6 years ago

The above code (with the commented-out line enabled) worked fine with .NET Core 2.0.

Tratcher commented 6 years ago

Hmm, little or nothing has changed for SameSite in 2.1. Also the SameSite policy is enforced by the client/browser, not by the server.

The next step would be to compare a Fiddler trace of 2.0 vs 2.1 to make sure the content is the same.
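The point that SameSite is enforced by the browser, not the server, is easiest to see by walking the sign-in round trip hop by hop. The following is an added example, not code from the aspnet/Security project or from the reporter: a small model of the browser's SameSite decision (Strict cookies only on same-site requests, Lax cookies also on top-level GET navigations, None always) applied to the Google redirect chain. Hosts, cookie names and the three-hop flow are assumptions made for illustration; it models the rule that a redirect chain started by the provider stays cross-site until it ends.

```javascript
// Added example: model of browser-side SameSite enforcement across an OAuth
// redirect chain. Not part of aspnet/Security; hosts and cookie names are
// illustrative only.

// Would a browser attach `cookie` to `req`?
//   Strict: only when the request is same-site.
//   Lax:    same-site, or a top-level GET navigation from another site.
//   None:   always (a Secure/HTTPS cookie is assumed).
function cookieIsSent(cookie, req) {
  if (cookie.host !== req.host) return false;
  if (req.sameSite) return true;
  if (cookie.sameSite === 'None') return true;
  if (cookie.sameSite === 'Lax') return req.topLevel && req.method === 'GET';
  return false; // Strict is withheld on anything cross-site
}

// A request is same-site only if its initiator and every redirect hop before
// it were on the same site as the target.
function makeRequest(host, method, chainHosts, topLevel) {
  const sameSite = chainHosts.every((h) => h === host);
  return { host, method, sameSite, topLevel };
}

// Run the round trip with the given SameSite modes on the handler's
// correlation cookie and on the application (session) cookie. Returns what
// the app can observe at the callback and on the redirect that follows it.
function simulateSignIn(correlationMode, appCookieMode) {
  const APP = 'localhost';            // assumed app host
  const IDP = 'accounts.google.com';  // assumed provider host
  const jar = [];

  // Hop 1: anonymous GET / triggers the challenge. The remote handler stores
  // its correlation cookie and sends the browser to the provider.
  jar.push({ name: '.AspNetCore.Correlation.Google.x', host: APP, sameSite: correlationMode });

  // Hop 2: the provider redirects back to /signin-google. From the browser's
  // point of view this is a cross-site, top-level GET.
  const callback = makeRequest(APP, 'GET', [IDP], true);
  const correlationOk = jar.some(
    (c) => c.name.startsWith('.AspNetCore.Correlation') && cookieIsSent(c, callback));
  if (!correlationOk) {
    // This is the state behind "cookie not found" / "Correlation failed".
    return { correlationOk, authenticatedAfterRedirect: false };
  }

  // The handler signs in, issues the application cookie and answers 302.
  jar.push({ name: '.AspNetCore.Cookies', host: APP, sameSite: appCookieMode });

  // Hop 3: the browser follows the 302 to /. The chain began at the provider,
  // so the navigation is still cross-site even though both URLs are the app's.
  const home = makeRequest(APP, 'GET', [IDP, APP], true);
  const authenticatedAfterRedirect = jar.some(
    (c) => c.name === '.AspNetCore.Cookies' && cookieIsSent(c, home));
  return { correlationOk, authenticatedAfterRedirect };
}

// Stand-alone run: print the outcome for each combination of modes.
for (const corr of ['Lax', 'Strict']) {
  for (const app of ['Lax', 'Strict']) {
    console.log(`correlation=${corr} app=${app}`, simulateSignIn(corr, app));
  }
}
```

With Lax on both cookies every hop succeeds. Strict on the correlation cookie removes it from the provider's callback, which is the "cookie not found" condition in the log above. Strict on the application cookie lets the callback succeed but leaves the very next request to the app anonymous, so the app challenges again. Whether that is what produced the second /signin-google request in the reporter's log is not established on this page; the model only shows which cookies a browser withholds at each hop.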

Eilon commented 6 years ago

@jaydubal can you provide the additional trace information so that we can continue investigating?

jaydubal commented 6 years ago
Microsoft.AspNetCore.Hosting.Internal.WebHost:Information: Request starting HTTP/1.1 GET http://localhost:44331/signin-google?state=CfDJ8GOHKAnratFDtqjP8iyIsPeT8PlV2yxalsquIFqLCCFfbxx3AB5z7ankbLYyGZc7YtdXaKC1J2o8WfuxhH969WW9jEi6V-k2_7VbvlRd7C2K_DcsSZyQ4fQIUIoUlAhP81BWmSd5ESAdXudCocTF9HvRd18iqJU-usIQ0qH-nyCeNTXpOF8y1CodCyPVCnfjokvFao6oq1yXDCIz3ADq4Z4EKXyY3vtrDsv06jKZQJTix0tLLu-k7L_oFT7dNXPX6Q&code=4/RQAm04slxThsj8KkEviqawI7GFXYECFLQLUqKskxwIRzJfVmM2cxOw0CDBWTza-BA0nd1x4V7BSQXAVS5j-Rnqw&authuser=0&session_state=436798bd74297d9fdfe7a41ec675ee4b7c706fec..e474&prompt=none  
Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler:Information: AuthenticationScheme: Cookies signed in.
Microsoft.AspNetCore.Hosting.Internal.WebHost:Information: Request finished in 633.727ms 302 
Microsoft.AspNetCore.Hosting.Internal.WebHost:Information: Request starting HTTP/1.1 GET http://localhost:44331/signin-google?state=CfDJ8GOHKAnratFDtqjP8iyIsPeT8PlV2yxalsquIFqLCCFfbxx3AB5z7ankbLYyGZc7YtdXaKC1J2o8WfuxhH969WW9jEi6V-k2_7VbvlRd7C2K_DcsSZyQ4fQIUIoUlAhP81BWmSd5ESAdXudCocTF9HvRd18iqJU-usIQ0qH-nyCeNTXpOF8y1CodCyPVCnfjokvFao6oq1yXDCIz3ADq4Z4EKXyY3vtrDsv06jKZQJTix0tLLu-k7L_oFT7dNXPX6Q&code=4/RQAm04slxThsj8KkEviqawI7GFXYECFLQLUqKskxwIRzJfVmM2cxOw0CDBWTza-BA0nd1x4V7BSQXAVS5j-Rnqw&authuser=0&session_state=436798bd74297d9fdfe7a41ec675ee4b7c706fec..e474&prompt=none  
Microsoft.AspNetCore.Authentication.Google.GoogleHandler:Warning: **'.AspNetCore.Correlation.Google.n07VBrQN7nCB99KvrMDsGevPyXjUffJwjqWY0pNHkhI' cookie not found.**
Microsoft.AspNetCore.Authentication.Google.GoogleHandler:Information: Error from RemoteAuthentication: Correlation failed..
'dotnet.exe' (CoreCLR: clrhost): Loaded 'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\2.1.2\System.Diagnostics.StackTrace.dll'. Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.
'dotnet.exe' (CoreCLR: clrhost): Loaded 'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\2.1.2\System.Reflection.Metadata.dll'. Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.
Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware:Error: An unhandled exception has occurred while executing the request.

System.Exception: An error was encountered while handling the remote login. ---> System.Exception: Correlation failed.
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
Microsoft.AspNetCore.Hosting.Internal.WebHost:Information: Request finished in 409.328ms 500 text/html; charset=utf-8
Eilon commented 6 years ago

@jaydubal do you have a Fiddler or similar network trace so that we can see the headers, including cookies and values?

Tratcher commented 6 years ago

That log says "Request Starting" twice with the same url. The first one succeeded and the second failed. That failure is expected as it resembles a replay attack. What was the client doing that caused /signin-google to be invoked twice?

jaydubal commented 6 years ago

All code works fine in .NET Core 2.0; change to .NET Core 2.1 and the code fails. Comment out "options.Cookie.SameSite = SameSiteMode.Strict" and the code works again in 2.1 as well.