ASP.NET Core - correlation failed error message

I just started using Okta in a new ASP.NET Core application yesterday. It was working fine, but I must have changed something, because now I’m getting a “Correlation failed” error when trying to test it.

I’m following the ASP.NET Core tutorial exactly:

public void ConfigureServices(IServiceCollection services)
{
    services.AddTransient<IFoo, Foo>();


    // ... etc ...

    services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OktaDefaults.MvcAuthenticationScheme;
        })
        .AddCookie()
        .AddOktaMvc(new OktaMvcOptions
        {
            OktaDomain = "https://dev-XXXXXX.oktapreview.com",
            ClientId = "YYYYYYYYYY",
            ClientSecret = "ZZZZZZZZZZZ"
        });

    services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    // ... snip ...

    app.UseAuthentication();

    app.UseMvc(routes =>
    {
        routes.MapRoute(
            name: "default",
            template: "{controller=Home}/{action=Index}/{id?}");
    });
}

And here are my Application general settings:

I put an [Authorize] attribute on an action. I go to that action, I get redirected to Okta, I log in, and here’s the error message I get after getting redirected back:

Any ideas what I might be doing wrong?

Hi @mgroves,

Your code looks fine so it should be configuration.

Regardless of the ASP.NET version you are using, your login redirect URI should be
http://localhost:xxxx/authorization-code/callback in your App configuration.

@laura.rodriguez,

Thank you for the suggestion, but I think I broke something in the meantime. Now I’m getting an error like:

An unhandled exception occurred while processing the request.

HttpRequestException: Response status code does not indicate success: 404 (Not Found).

System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()

IOException: IDX20804: Unable to retrieve document from: '[PII is hidden]'.

Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(string address, CancellationToken cancel)

InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden]'.

Microsoft.IdentityModel.Protocols.ConfigurationManager<T>.GetConfigurationAsync(CancellationToken cancel)

And further, when I visit https://dev-662737.oktapreview.com/oauth2/default/.well-known/openid-configuration in a browser, I get:

{"errorCode":"E0000007","errorSummary":"Not found: Resource not found: default (AuthorizationServer)","errorLink":"E0000007","errorId":"oaehUNQ0bT9T9Khp1Su54r_Dw","errorCauses":}

Any idea what I’m doing wrong?

Hey @mgroves! Sorry about the difficulty.

For the first issue (correlation failed), I want to double check a few things:

  • You are using the Okta-hosted login page (not self-hosted in your application)
  • If so, have you customized it at all? Or is it “stock”?

On the second issue (404), can you confirm what you see in the web console under API > Authorization Servers?

@nate.barbettini,

Yes, I’m using the Okta-hosted page. No, it’s not customized. Under API > Authorization Servers it says “Nothing to show”. Maybe I mistakenly deleted it?

I added an Authorization server, but I still get the same error.

Hey @mgroves,

Can you tell me what the settings of the Authorization Server you created are?
You can see this in the Settings tab after clicking the Authorization Server.

Here’s a screencap

It seems you have removed the default AS. Is there any reason why you did it?
The Okta ASP.NET middleware uses the default AS by default, but you can still configure it to use your custom AS.
Add the following line to your OktaMvcOptions:

AuthorizationServerId = "auslewqw....";

Here you can see how we create the issuer url:

Also, you might need to create a new access policy for your AS. If you don’t have any specific requirements, create a new one with a policy rule and keep the default settings.
You can do this by clicking the Access Policies tab.

I hope this helps.

I was messing around, trying to get something to work. Other than that, no reason. Is there any way to restore the default AS?

Unfortunately, it’s not possible to restore the default. But you should be fine by creating a new access policy with a default policy rule.
Also, the default Audience is api://default; you can set this as well.

I’m making some progress, I guess. After creating an AS with a rule and specifying that in the OktaMvcOptions, I’m finally past that 404 error. But now I’m back to the same “Correlation failed” exception again.

Do you have your code on GitHub so I can take a look?

@laura.rodriguez,

That’s a good call. I can’t share the project, but I decided to create a minimum reproduction project to share with you instead. When I did this, it worked fine! So I did a quick compare and figured out the problem:

The ASP.NET Core MVC template by default includes this in Startup.cs -> ConfigureServices:

    services.Configure<CookiePolicyOptions>(options =>
    {
        // This lambda determines whether user consent for non-essential cookies is needed for a given request.
        options.CheckConsentNeeded = context => true;
        options.MinimumSameSitePolicy = SameSiteMode.None;
    });

And this in Startup.cs -> Configure:

app.UseCookiePolicy();

I had removed the part from ConfigureServices but not from Configure. I tested it, and I need to have both removed or both included, otherwise I will get the correlation error. Thank you for helping me solve this!

I am glad you were able to fix it! :)

Not sure if you have seen this before, but you can always check out our ASP.NET samples on GitHub:


Happy coding!

2 Likes

That is super interesting. aspnetcore saves a local cookie right before it redirects to Okta (this is built into aspnetcore, not an Okta thing) to save state and prevent CSRF on the redirect. Without the right cookie policy, it was probably being blocked somewhere.

Glad you got it working!

FYI, there isn’t anything special about the default AS - other than being a shortcut to having to create all the access policies from scratch. If you create one yourself, you can just define those policies and it works the same way.

1 Like
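
The pairing from the fix above, kept together so the two halves cannot drift apart, plus a check for the cookie the last reply describes. This is an added example, not code from the thread or from Okta: the class and method names are hypothetical, `.AspNetCore.Correlation.` is the default ASP.NET Core correlation cookie prefix, and the callback path is taken from the login redirect URI given earlier in the thread.

```csharp
// Added example for ASP.NET Core 2.1; names below are hypothetical, not Okta's.
using System;
using System.Linq;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public static class CorrelationCookieDiagnostics
{
    // Default name prefix of the cookie written before the redirect to the identity provider.
    private const string CorrelationPrefix = ".AspNetCore.Correlation.";

    // Callback path from the login redirect URI used in this thread.
    private static readonly PathString CallbackPath =
        new PathString("/authorization-code/callback");

    // Call from ConfigureServices: the same options the MVC template registers.
    public static IServiceCollection AddMatchingCookiePolicy(this IServiceCollection services)
    {
        return services.Configure<CookiePolicyOptions>(options =>
        {
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.None;
        });
    }

    // Call from Configure, before app.UseAuthentication().
    public static IApplicationBuilder UseCookiePolicyWithCorrelationCheck(
        this IApplicationBuilder app, ILoggerFactory loggerFactory)
    {
        ILogger log = loggerFactory.CreateLogger("CorrelationCookieDiagnostics");
        app.UseCookiePolicy();
        return app.Use(async (context, next) =>
        {
            if (context.Request.Path.StartsWithSegments(CallbackPath))
            {
                // The cookie must come back with the callback for the state check to pass.
                bool present = context.Request.Cookies.Keys.Any(
                    k => k.StartsWith(CorrelationPrefix, StringComparison.Ordinal));
                if (!present)
                    log.LogWarning("Callback arrived without a correlation cookie; " +
                                   "expect 'Correlation failed' from the handler.");
            }
            await next();
        });
    }
}
```

A warning in the log on the callback request means the browser never returned the cookie, which points at cookie policy or browser cookie handling rather than at the Okta application settings.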

I’m having another issue where I’m getting a “correlation failed” error, but this time it’s after the user clicks the “verify email” link from the email they receive. Everything else still works fine. I didn’t notice this until recently, because I had already verified my email address before I started coding (but now other people are trying it out).

Another piece of information: I also get this exact same error when using the okta-aspnetcore-mvc-example. (I did make one minor change to specify the AuthorizationServerId, see above, but otherwise I’m using the stock example).

Confirming as above. I used the okta-aspnetcore-mvc-example and my custom .NET Core app, and I am getting the error below:

An unhandled exception occurred while processing the request.
Exception: Correlation failed.
Unknown location
Exception: An error was encountered while handling the remote login.
Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler<TOptions>.HandleRequestAsync()

This issue might be caused by your login URL having been changed from Account/Login to some other URL, as Identity’s default URL is Account/Login. You can find more detail in the document below:
http://docs.identityserver.io/en/latest/topics/signin.html
I resolved this issue by adding the lines below:

        services.AddIdentityServer(options =>
        {
            options.UserInteraction.LoginUrl = new PathString("/AccountUI/Login");
            options.UserInteraction.LogoutUrl = new PathString("/AccountUI/Logout");
        });

Hope this helps