dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

Google Auth HttpContext.ChallengeAsync() ends with AuthenticationFailureException in .Net 8 but not .Net 7 #53562

Open danielheddelin opened 7 months ago

danielheddelin commented 7 months ago


Describe the bug

Repro repo here: https://github.com/danielheddelin/WebApplication2

"Microsoft.Aspnet.Authentication.RemoteAuthenticationHandler.HandleRequestAsync(...)"

Using Google Auth in the .NET Core backend for Challenge/Auth works in .NET 7 but breaks with "Correlation failed" in .NET 8. The only thing needed to get the repro to work is to change from "net8.0" to "net7.0" in the csproj. The repro uses .NET 7 versions of Microsoft.AspNetCore.Authentication.Google and Microsoft.AspNetCore.Authentication.JwtBearer, but the .NET 8 versions make no difference, so the error occurs inside .NET.

This is the error shown in the Pixel 5 emulator: [image]

Looking closer at RemoteAuthenticationHandler, two previous "throw new Exception" calls were changed to "throw new AuthenticationFailureException" 9 months ago, looking here: https://github.com/dotnet/aspnetcore/blame/afb5f4dfc3d0ad59d0b2d0ed82a2faa2c7dc5487/src/Security/Authentication/Core/src/RemoteAuthenticationHandler.cs#L134

Expected Behavior

Expected:
1. `await Request.HttpContext.ChallengeAsync(scheme);` is called.
2. Challenge is presented in UI.
3. User is redirected back to the endpoint, where auth is successful and logic continues.

Actual:
1. `await Request.HttpContext.ChallengeAsync(scheme);` is called.
2. Challenge is presented in UI.
3. UI shows error according to image above.

Steps To Reproduce

Minimal repro repo: https://github.com/danielheddelin/WebApplication2

1. Change to appropriate audience/issuer/key for Google auth.
2. Run a client towards the controller.
3. Watch how ChallengeAsync is called, whereafter the client fails.

Now change the .net version to 7, rebuild, retry and it works.

Exceptions (if any)

[image]

.NET Version

net8.0

Anything else?

Absolutely everything else is identical both client- (MAUI) and serverside.

martincostello commented 7 months ago

A common cause of this error is the correlation cookie not being persisted (or HTTPS/secure being correctly configured) so the correlation cookie is "lost", which then breaks the auth flow as the correlation fails. Is HTTPS set up correctly in the emulator so that things flow correctly? I see there's a warning triangle in the address bar (unless that's just reflecting the HTTP 500).

I took a look at the repro, and it doesn't look like there's anything been reconfigured that might break it, such as SameSite options.

danielheddelin commented 7 months ago

I am currently running it locally just using http. However, when publishing it to my App Service and using https the behavior is the same. So whether using http locally or https towards Azure, .NET 7 works flawlessly and .NET 8 breaks.

CelloLiu commented 7 months ago

I'm using .NET 8 MAUI & Blazor Hybrid. After calling this line `await context.ChallengeAsync("Google");` in an ASP.NET Core 8 API, I get the accessToken-related info on a page right away, on both my Google emulator and my Android device, instead of being redirected back to the API for further processing. Why, and how do I fix this? Thanks

MoeHamdan commented 4 months ago

Same issue happens with an MVC app, when configured similar to https://learn.microsoft.com/en-us/aspnet/core/security/authentication/claims?view=aspnetcore-8.0. With previous versions it is working correctly, however when just upgrading to .NET 8 it fails.

'.AspNetCore.Correlation.xxxxxxxxxxxxxxxxxxxxxxx' cookie not found. After it I get a correlation error.

Microsoft.AspNetCore.Authentication.AuthenticationFailureException: An error was encountered while handling the remote login.
 ---> Microsoft.AspNetCore.Authentication.AuthenticationFailureException: Correlation failed.
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()

namilkimfree commented 3 months ago

I am the same.

There is no problem with the .NET 7 / .NET 8 version changes, but after updating to package 8.0.5 and proceeding with Google login, {"Correlation failed."} occurs and it moves to the Google account selection screen again.

It repeats infinitely.

MoeHamdan commented 3 months ago

In my case I was having the issue with http; setting `options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;` fixed it for me. [image]
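For readers hitting the same "Correlation failed" over plain http, here is an added example of the configuration the two comments above are talking about. It is not code from the repro repo, the thread, or ASP.NET Core itself: a minimal Program.cs that wires up Google sign-in (package Microsoft.AspNetCore.Authentication.Google) with the correlation-cookie policy made explicit instead of relying on the framework default. The configuration keys `Authentication:Google:ClientId` / `ClientSecret` and the `/login` endpoint are assumptions. The `SameAsRequest` override is confined to the Development environment on purpose: over http the correlation cookie, and the OAuth state value it binds to the browser, travel in the clear, so the fix for a deployed app (and for the emulator) is https end to end, not a weaker cookie policy.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.Google;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = GoogleDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddGoogle(options =>
    {
        // Assumed configuration keys; the repro repo uses its own names.
        options.ClientId = builder.Configuration["Authentication:Google:ClientId"]!;
        options.ClientSecret = builder.Configuration["Authentication:Google:ClientSecret"]!;

        // ChallengeAsync() writes .AspNetCore.Correlation.<id>; the /signin-google
        // callback must get it back. A cookie the browser refuses to store (for
        // instance a Secure cookie issued over plain http) ends in "Correlation failed".
        if (builder.Environment.IsDevelopment())
        {
            // Local plain-http debugging only: cookie flags follow the request scheme.
            // Over http the correlation value and the OAuth state travel unencrypted.
            options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
        }
        else
        {
            // Deployed: require https so the Secure correlation cookie round-trips.
            options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.Always;
        }
    });

var app = builder.Build();
app.UseAuthentication();

// Assumed endpoint: start the Google challenge and land on "/" afterwards.
app.MapGet("/login", (HttpContext ctx) =>
    ctx.ChallengeAsync(GoogleDefaults.AuthenticationScheme,
        new AuthenticationProperties { RedirectUri = "/" }));
app.MapGet("/", (HttpContext ctx) => $"Hello {ctx.User.Identity?.Name ?? "anonymous"}");

app.Run();
```

If the failure persists with https in place, check that the callback request actually carries the `.AspNetCore.Correlation.*` cookie (browser devtools or the emulator's network log); a missing cookie there points at the cookie being dropped by the client, not at the handler.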

halter73 commented 2 weeks ago

@danielheddelin I took a look at the repro at https://github.com/danielheddelin/WebApplication2, but I wasn't able to see the issue when navigating to /mobileauth/Google and then logging in with my Google account. Everything seems to work fine before attempting to create a JWT. I didn't make any changes aside from specifying my own ClientId and ClientSecret from https://console.cloud.google.com/apis/credentials

[image: Successful auth in a debugger]

It later fails when it tries to create a SecurityToken with the 40-bit "MYKEY" when HMAC-SHA256 requires at least a 128-bit key given the existing JwtSecurityTokenHandler version. I think the minimum is 256 bits for the newer JsonWebTokenHandler, but I digress. I could lengthen the key of course, but I think this demonstrates that login still works.

Is this something that only repros with a specific Android system image? If so, what version of the Android emulator and what browser? I tried it using UpsideDownCake (System Image API 34 (revision 14)) with the Pixel 5 profile.
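An added example for the key-size failure halter73 describes, not code from the repro or from the thread: minting the JWT after a successful Google sign-in with the HS256 key checked up front, so a short secret like "MYKEY" is rejected with a clear message instead of failing inside `WriteToken`. The class name `JwtMinting`, the 256-bit floor (`MinKeyBytes`) and the 15-minute lifetime are assumptions; the page only records that HS256 with JwtSecurityTokenHandler needs at least 128 bits. It uses the System.IdentityModel.Tokens.Jwt package.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

public static class JwtMinting
{
    // 256-bit key: clears JwtSecurityTokenHandler's 128-bit minimum for HS256 and the
    // stricter bound mentioned for the newer JsonWebTokenHandler (assumed floor).
    public const int MinKeyBytes = 32;

    public static string CreateToken(byte[] key, string issuer, string audience, ClaimsPrincipal user)
    {
        // Fail fast: a 40-bit "MYKEY" would otherwise surface as an exception deep in the handler.
        if (key.Length < MinKeyBytes)
        {
            throw new ArgumentException(
                $"HS256 signing key must be at least {MinKeyBytes * 8} bits; got {key.Length * 8}.",
                nameof(key));
        }

        var credentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256);
        var token = new JwtSecurityToken(
            issuer: issuer,
            audience: audience,
            claims: user.Claims,
            expires: DateTime.UtcNow.AddMinutes(15),
            signingCredentials: credentials);

        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Generate the key once, store it in a secret store (user-secrets locally, Key Vault
    // on App Service) and load it as bytes; never embed a short literal in appsettings.
    public static string NewBase64Key() =>
        Convert.ToBase64String(RandomNumberGenerator.GetBytes(MinKeyBytes));
}
```

The key is passed as raw bytes rather than a string so that the length check measures actual entropy-bearing bytes; a Base64 secret from configuration should be decoded with `Convert.FromBase64String` before being handed to `CreateToken`.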