skoruba
commented
4 years ago Hi @alvarovalle did you change the default configuration? :) Please, check detailed log.
Open alvarovalle opened 4 years ago
skoruba
commented
4 years ago Hi @alvarovalle did you change the default configuration? :) Please, check detailed log.
alvarovalle
commented
4 years ago nops.
by the way, I am running out of container.
I am just running dotnet run over both of them.
fahaad05
commented
4 years ago I have the same issue, and I'm pretty sure that it's linked to SameSite cookie changes issue. In fact I had no problem with Mozilla
Hi Skoruba, I am having the following problem, when I run the band new version, from the scratch.
I ve followed all those steps in https://github.com/skoruba/IdentityServer4.Admin and however it runs : I am running two apps http://localhost:9000 for \IdentityServer4.Admin\src\Skoruba.IdentityServer4.Admin http://localhost:5000 for \IdentityServer4.Admin\src\Skoruba.IdentityServer4.STS.Identity
all the others steps went fine ( including miggrations )
but when I ran, then I ve got the following situation
skoruba
commented
4 years ago Thanks guys for reporting this. I will fix it.
alvarovalle
commented
4 years ago @fahaad05 that is it. I ve tryed in mozilla firefox and that worked on it.
but what makes me think is that my costumers will want to run on chrome browser.
so I am not sure if it has o be hot-fixed in skoruba or in https://identityserver.io/
What do you suggest mr @skoruba ?
by the way check it out
skoruba
commented
4 years ago Hi, I fixed this issue here: https://github.com/skoruba/IdentityServer4.Admin/commit/12f62d9dc12c76056ec5811c42b8d43a20465a4d - please try clone dev branch and verify this fix. Thanks.
pfaustinopt
commented
4 years ago Hello, this is still happening on chrome (version 80.0.3987.132).
Just like @alvarovalle said, on firefox it works correctly. However, for curiosity I've tried to access http://localhost:9000/signin-oidc directly on firefox and got the same error (I don't know if this is the normal behaviour or not).
skoruba
commented
4 years ago Hi, did you use latest dev branch? Thx
myesn
commented
4 years ago Google Chrome: Version 80.0.3987.149 (official version) (64-bit)
I found that many people have problems after updating chrome recently, the dev version still reports an error, just the Chrome browser will report an error, Microsoft Edge and Firefox browsers will work
My error message is the same as above
CaminGui
commented
4 years ago Hello,
Just to share what was done on my side to make it works (I'm still on the beta7 due to the number of changes). First of all, you can read this: https://www.thinktecture.com/en/identity/samesite/prepare-your-identityserver/?fbclid=IwAR2nIi3CBKLZ-JJLSGVfXLTW_2oQQCSgTpxm80UDNjkiJBD_5tiTN9YikyM with almost the same code as Skoruba already have done in 3 différents commits: https://github.com/skoruba/IdentityServer4.Admin/commit/12f62d9dc12c76056ec5811c42b8d43a20465a4d https://github.com/skoruba/IdentityServer4.Admin/commit/b346c5fbaf9dbc368d290eb46dadcff056632f20 https://github.com/skoruba/IdentityServer4.Admin/commit/b4921fc7e2ad1ab6c236844a5c7fd92a81f07ce6
The only changes on my side is on the last commit, I put options.Secure = CookieSecurePolicy.Always; and not options.Secure = CookieSecurePolicy.SameAsRequest;
You can see that this line was not referenced in my first link, this was an issue and have to add it manually.
I think the fix is the same for https://github.com/skoruba/IdentityServer4.Admin/issues/532
You can try your changes by changing this flag in chrome: chrome://flags/#cookies-without-same-site-must-be-secure, it should works with enabled / disabled value.
myesn
commented
4 years ago @CaminGui Hi, I have read this article you provided before, and I also modified my other applications in accordance with the practices in the article, but the Conrrelation failed error still appears above, and I found a strange thing, the same version of Chrome Browser, my colleague can log in normally, but not my computer.
pfaustinopt
commented
4 years ago Hi, did you use latest dev branch? Thx
I applied the commit 12f62d9 on my project, which is based on your master branch.
skoruba
commented
4 years ago Please check all changes in dev.
pfaustinopt
commented
4 years ago Ok, I'll try it now and report it back to you.
CaminGui
commented
4 years ago @CaminGui Hi, I have read this article you provided before, and I also modified my other applications in accordance with the practices in the article, but the Conrrelation failed error still appears above, and I found a strange thing, the same version of Chrome Browser, my colleague can log in normally, but not my computer.
@myesn, Can you try to disable this chrome://flags/#cookies-without-same-site-must-be-secure, you should be able to login and then take a look on your cookies, they should be SameSite = None and Secure.
Untill this is not the case it will not work with the cookies-without-same-site-must-be-secure flag set to default / enabled
myesn
commented
4 years ago @CaminGui Thank you, now it can work normally
pfaustinopt
commented
4 years ago @skoruba I keeps happening on the dev branch. However, the solution provided by @CaminGui is working!
myesn
commented
4 years ago @pfaustinopt IdentityServer4 author has reported issues to aspnetcore official
https://github.com/IdentityServer/IdentityServer4/issues/4170 https://github.com/dotnet/aspnetcore/issues/19939
blowdart
commented
4 years ago And we won't be "fixing" it. It's by design. You should be running over https, especially for identity server installations
skoruba
commented
4 years ago I will switch dev environment to https #550.
cculver
commented
4 years ago We recently ran into an issue on another project that seems similar to this. We found that google seems to be selectively deploying new requirements to browsers to adhere to the cookie behavior where samesite=none must be accompanied by the secure flag. The fact that they're deploying it selectively to some clients but not others (with the same version) might be making this more confusing. I mean, I could be wrong about that but it seems that's what they were doing based on our internal testing. So, to the fix.
services.AddAuthentication(options => { ... }) ... .AddOpenIdConnect("oidc", options => { options.NonceCookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always; options.CorrelationCookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always; });
This worked for our stuff. I'm not sure it applies here because honestly i'm just revisiting the project and saw this issue and it rang a bell.
cculver
commented
4 years ago Additionally, I should add that there are definitely installations that run over http behind a reverse proxy or on kubernetes in a private environment and don't encrypt the backend traffic. I agree that best practice should be to run over https, but there are certain exceptions that are acceptable
yuft
commented
4 years ago @cculver thanks a lot for this. I was having infinite redirect with Chrome only and I have TLS termination at Ingress. you solution made Chrome happy!
JudahMorrison
commented
1 year ago Yes, Thanks @cculver!!! I wasted entirely way too much time on this, and your solution fixed it for me.
Hi Skoruba, I am having the following problem, when I run the band new version, from the scratch.
I ve followed all those steps in https://github.com/skoruba/IdentityServer4.Admin and however it runs : I am running two apps http://localhost:9000 for \IdentityServer4.Admin\src\Skoruba.IdentityServer4.Admin http://localhost:5000 for \IdentityServer4.Admin\src\Skoruba.IdentityServer4.STS.Identity
all the others steps went fine ( including miggrations )
but when I ran, then I ve got the following situation