skoruba / IdentityServer4.Admin

The administration for the IdentityServer4 and Asp.Net Core Identity
MIT License

System.Exception: Correlation failed. #535

Open alvarovalle opened 4 years ago

alvarovalle commented 4 years ago

Hi Skoruba, I am having the following problem when I run the brand new version from scratch.

I've followed all the steps in https://github.com/skoruba/IdentityServer4.Admin and it runs: I am running two apps, http://localhost:9000 for \IdentityServer4.Admin\src\Skoruba.IdentityServer4.Admin and http://localhost:5000 for \IdentityServer4.Admin\src\Skoruba.IdentityServer4.STS.Identity.

All the other steps went fine (including migrations),

but when I ran it, I got the following situation:


skoruba commented 4 years ago

Hi @alvarovalle did you change the default configuration? :) Please, check detailed log.

alvarovalle commented 4 years ago

nops.

By the way, I am running outside of a container.

I am just running dotnet run over both of them.

fahaad05 commented 4 years ago

I have the same issue, and I'm pretty sure that it's linked to the SameSite cookie changes issue. In fact I had no problem with Mozilla.

skoruba commented 4 years ago

Thanks guys for reporting this. I will fix it.

alvarovalle commented 4 years ago

@fahaad05 that is it. I've tried in Mozilla Firefox and it worked there.

But what makes me think is that my customers will want to run on the Chrome browser.

So I am not sure if it has to be hot-fixed in Skoruba or in https://identityserver.io/

What do you suggest, Mr. @skoruba?

by the way check it out

hotfix

skoruba commented 4 years ago

Hi, I fixed this issue here: https://github.com/skoruba/IdentityServer4.Admin/commit/12f62d9dc12c76056ec5811c42b8d43a20465a4d - please try to clone the dev branch and verify this fix. Thanks.

pfaustinopt commented 4 years ago

Hello, this is still happening on Chrome (version 80.0.3987.132).


Just like @alvarovalle said, on Firefox it works correctly. However, out of curiosity I've tried to access http://localhost:9000/signin-oidc directly on Firefox and got the same error (I don't know if this is the normal behaviour or not).

skoruba commented 4 years ago

Hi, did you use the latest dev branch? Thx

myesn commented 4 years ago

Google Chrome: Version 80.0.3987.149 (official version) (64-bit)

I found that many people have problems after updating Chrome recently. The dev version still reports an error; only the Chrome browser reports it, while Microsoft Edge and Firefox work.

My error message is the same as above

CaminGui commented 4 years ago

Hello,

Just to share what was done on my side to make it work (I'm still on the beta7 due to the number of changes). First of all, you can read this: https://www.thinktecture.com/en/identity/samesite/prepare-your-identityserver/?fbclid=IwAR2nIi3CBKLZ-JJLSGVfXLTW_2oQQCSgTpxm80UDNjkiJBD_5tiTN9YikyM with almost the same code as Skoruba has already done in 3 different commits:
https://github.com/skoruba/IdentityServer4.Admin/commit/12f62d9dc12c76056ec5811c42b8d43a20465a4d
https://github.com/skoruba/IdentityServer4.Admin/commit/b346c5fbaf9dbc368d290eb46dadcff056632f20
https://github.com/skoruba/IdentityServer4.Admin/commit/b4921fc7e2ad1ab6c236844a5c7fd92a81f07ce6

The only change on my side is on the last commit: I put options.Secure = CookieSecurePolicy.Always; and not options.Secure = CookieSecurePolicy.SameAsRequest;

You can see that this line was not referenced in my first link; this was an issue and I had to add it manually.

I think the fix is the same for https://github.com/skoruba/IdentityServer4.Admin/issues/532

You can try your changes by changing this flag in Chrome: chrome://flags/#cookies-without-same-site-must-be-secure, it should work with the enabled / disabled value.

myesn commented 4 years ago

@CaminGui Hi, I have read the article you provided before, and I also modified my other applications in accordance with the practices in the article, but the Correlation failed error above still appears. I also found a strange thing: with the same version of the Chrome browser, my colleague can log in normally, but not on my computer.

pfaustinopt commented 4 years ago

I applied the commit 12f62d9 on my project, which is based on your master branch.

skoruba commented 4 years ago

Please check all changes in dev.

pfaustinopt commented 4 years ago

Ok, I'll try it now and report it back to you.

CaminGui commented 4 years ago

@myesn, can you try to disable chrome://flags/#cookies-without-same-site-must-be-secure? You should be able to log in; then take a look at your cookies, they should be SameSite = None and Secure.


Until this is the case, it will not work with the cookies-without-same-site-must-be-secure flag set to default / enabled.
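The check suggested above (the OIDC cookies must carry both SameSite=None and Secure) as a small added checker over Set-Cookie header values; this is example code written for this thread, not part of the project, and the header lines are constructed, not captured from a real run.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example (not the project's code): flags Set-Cookie headers that a browser
// enforcing "cookies without SameSite must be secure" (Chrome 80+) will discard.
public static class SameSiteCookieCheck
{
    // Returns (cookie name, reason) for every cookie that would be rejected.
    public static List<(string Name, string Reason)> Check(IEnumerable<string> setCookieHeaders)
    {
        var findings = new List<(string, string)>();
        foreach (var header in setCookieHeaders)
        {
            // "name=value; attr; attr=value; ..." -> the first part is the cookie pair
            var parts = header.Split(';').Select(p => p.Trim()).ToArray();
            var name = parts[0].Split('=', 2)[0];
            var attributes = parts.Skip(1).ToArray();

            var sameSite = attributes
                .FirstOrDefault(a => a.StartsWith("SameSite=", StringComparison.OrdinalIgnoreCase))
                ?.Substring("SameSite=".Length);
            var secure = attributes.Any(a => a.Equals("Secure", StringComparison.OrdinalIgnoreCase));

            if (string.Equals(sameSite, "None", StringComparison.OrdinalIgnoreCase) && !secure)
                findings.Add((name, "SameSite=None without Secure: dropped by Chrome 80+, " +
                                    "so the OIDC callback sees no correlation cookie"));
        }
        return findings;
    }

    public static void Main()
    {
        // Constructed sample headers (not captured from the project): the two OIDC
        // cookies as issued over plain http, an unrelated Strict cookie, and the
        // correlation cookie after the fix (Secure present).
        var headers = new[]
        {
            ".AspNetCore.Correlation.oidc.abc123=N; path=/signin-oidc; samesite=none; httponly",
            ".AspNetCore.OpenIdConnect.Nonce.def456=N; path=/signin-oidc; samesite=none; httponly",
            ".AspNetCore.Antiforgery.xyz=v; path=/; samesite=strict; httponly",
            ".AspNetCore.Correlation.oidc.abc123=N; path=/signin-oidc; secure; samesite=none; httponly",
        };
        foreach (var (name, reason) in Check(headers))
            Console.WriteLine($"{name}: {reason}");   // only the first two cookies are reported
    }
}
```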

myesn commented 4 years ago

@CaminGui Thank you, now it can work normally

pfaustinopt commented 4 years ago

@skoruba It keeps happening on the dev branch. However, the solution provided by @CaminGui is working!

myesn commented 4 years ago

@pfaustinopt The IdentityServer4 author has reported issues to the official aspnetcore repo:

https://github.com/IdentityServer/IdentityServer4/issues/4170 https://github.com/dotnet/aspnetcore/issues/19939

blowdart commented 4 years ago

And we won't be "fixing" it. It's by design. You should be running over https, especially for identity server installations

skoruba commented 4 years ago

I will switch dev environment to https #550.

cculver commented 4 years ago

We recently ran into an issue on another project that seems similar to this. We found that Google seems to be selectively deploying new requirements to browsers to adhere to the cookie behavior where samesite=none must be accompanied by the secure flag. The fact that they're deploying it selectively to some clients but not others (with the same version) might be making this more confusing. I mean, I could be wrong about that, but it seems that's what they were doing based on our internal testing. So, to the fix.

    services.AddAuthentication(options => { ... })
        ...
        .AddOpenIdConnect("oidc", options =>
        {
            options.NonceCookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
            options.CorrelationCookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
        });

This worked for our stuff. I'm not sure it applies here because honestly I'm just revisiting the project and saw this issue and it rang a bell.
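The two fixes discussed in this thread (the CookiePolicyOptions.Secure = Always change from the earlier comment, and the per-cookie SecurePolicy settings from the comment above) brought together in one client-side Startup. This is an added example, not the project's own Startup; the authority URL and client id are placeholders, and the weak setting is shown as a comment beside the corrected one.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Added example (not the project's Startup): OIDC client registration for an Admin UI
// with the cookie settings this thread converged on.
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();

        services.Configure<CookiePolicyOptions>(options =>
        {
            // Do not let the policy middleware rewrite SameSite on the OIDC cookies.
            options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
            // Weak: options.Secure = CookieSecurePolicy.SameAsRequest;
            //   -> over plain http the OIDC cookies are SameSite=None without Secure,
            //      Chrome 80+ drops them and the callback fails with "Correlation failed".
            options.Secure = CookieSecurePolicy.Always;
        });

        services.AddAuthentication(options =>
            {
                options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            })
            .AddCookie()
            .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
            {
                options.Authority = "https://localhost:5000";   // placeholder: the STS, over https
                options.ClientId = "admin-ui-client";           // placeholder client id
                options.ResponseType = "code id_token";
                // The two cookies behind "Correlation failed": force Secure on them even if
                // CookiePolicyOptions.Secure is left at its default (SameAsRequest).
                options.NonceCookie.SecurePolicy = CookieSecurePolicy.Always;
                options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.Always;
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseCookiePolicy();      // must run before UseAuthentication
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

With Secure forced on, the browser only stores the cookies if the Admin UI itself is reached over https (or through a TLS-terminating proxy, as the later comments describe), which is why the dev environment was moved to https in #550.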

cculver commented 4 years ago

Additionally, I should add that there are definitely installations that run over http behind a reverse proxy or on Kubernetes in a private environment and don't encrypt the backend traffic. I agree that best practice should be to run over https, but there are certain exceptions that are acceptable.

yuft commented 4 years ago

@cculver thanks a lot for this. I was having an infinite redirect with Chrome only and I have TLS termination at the Ingress. Your solution made Chrome happy!

JudahMorrison commented 1 year ago

Yes, Thanks @cculver!!! I wasted entirely way too much time on this, and your solution fixed it for me.