[Asp.net] IDX21323 on Chrome

I downloaded the sample asp.net app (https://github.com/okta/samples-aspnet/tree/master/okta-hosted-login) and configured it.

Please note that I didn’t change anything; I just followed the tutorial.

Everything works fine in Edge (i.e. I can log in without problem), but if I use the app in Chrome I get the following message:

IDX21323: RequireNonce is ‘System.Boolean’. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don’t need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to ‘false’. Note if a ‘nonce’ is found it will be evaluated.

This seems to be a “bug” introduced after Chrome 80.

I already searched the web, but the only solution that works for me is to disable a flag in Chrome:

This is obviously not acceptable for a productive web app with a lot of users.

Other solutions, like intercepting the error and performing some redirect, are not working for me.

Can you please help?

I am experiencing the same issue in Chrome.

It looks like cookies coming from the OpenID Connect login are sent without the Secure attribute.

Has anyone found a solution?

@gls
@jharris

Hi, this seems to be related to the SameSite changes that the latest version of Chrome has introduced.

Please refer to the doc below. This will give you some background knowledge.

"Chrome has introduced changes that affect the handling of cross-site cookies. Prior to this change cookies were treated as cross-site by default and the SameSite cookie attribute was opt-in. With this change, the new default will be SameSite=Lax, and cookies that need to work cross-site must be explicitly labeled with a new SameSite=None attribute value. Additionally this will require HTTPS (not plaintext HTTP) because browsers will ignore the SameSite=None attribute unless it is accompanied by the Secure attribute."

You can refer to the workarounds suggested by MS that should be done at the application level: https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/

If you still have any other questions, I suggest you look into this GH issue and post your questions.

Hi @gls @jharris,
Which version of Chrome are you using?

I would like to add this is caused by the new security implementation launched in version 80.

If enabled, cookies without SameSite restrictions must also be Secure. If a cookie without SameSite restrictions is set without the Secure attribute, it will be rejected.

For the cookies to be set with the ‘Secure’ attribute, you have to make sure the communication is HTTPS and not HTTP. I suggest you check the configuration in your application and environment (proxy, load balancer…) to make sure the protocol is HTTPS.

You can however disable this (may not be recommended) in chrome://flags, but it is now enabled by default:

#cookies-without-same-site-must-be-secure

You’ll have to restart Chrome once you’ve set this to disabled.
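As an added example (not code from the Okta sample or from Microsoft's post): an OWIN ICookieManager wrapper that marks every SameSite=None cookie, including the OpenID Connect nonce cookie that triggers IDX21323, as Secure and refuses to emit it over plain HTTP, plus how it would be wired into OpenIdConnectAuthenticationOptions. It assumes Microsoft.Owin 4.1 or later (which added CookieOptions.SameSite and the CookieManager option) and a Startup that configures OpenIdConnectAuthenticationOptions directly; the class name and the exception message are my own.

```csharp
using System;
using Microsoft.Owin;
using Microsoft.Owin.Host.SystemWeb;
using Microsoft.Owin.Infrastructure;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Hypothetical wrapper (not from the Okta sample): any cookie the inner manager
// would write with SameSite=None is forced to Secure, because Chrome 80+ drops
// SameSite=None cookies that are not Secure and the nonce check then fails.
public class SameSiteCookieManager : ICookieManager
{
    private readonly ICookieManager _inner;

    public SameSiteCookieManager(ICookieManager inner) { _inner = inner; }

    public string GetRequestCookie(IOwinContext context, string key)
        => _inner.GetRequestCookie(context, key);

    public void AppendResponseCookie(IOwinContext context, string key, string value, CookieOptions options)
    {
        EnforceSecureForSameSiteNone(context, options);
        _inner.AppendResponseCookie(context, key, value, options);
    }

    public void DeleteCookie(IOwinContext context, string key, CookieOptions options)
    {
        EnforceSecureForSameSiteNone(context, options);
        _inner.DeleteCookie(context, key, options);
    }

    private static void EnforceSecureForSameSiteNone(IOwinContext context, CookieOptions options)
    {
        if (options.SameSite != SameSiteMode.None) return;
        // Fail fast with a readable message instead of the browser silently rejecting
        // the cookie; behind a TLS-terminating proxy, IsSecure is only true if the
        // proxy forwards the scheme, which is the proxy/load-balancer check above.
        if (!context.Request.IsSecure)
            throw new InvalidOperationException(
                "SameSite=None cookies require HTTPS; request arrived over HTTP.");
        options.Secure = true;
    }
}

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            // Authority, ClientId, RedirectUri etc. come from your existing configuration.
            CookieManager = new SameSiteCookieManager(new SystemWebCookieManager())
        });
    }
}
```

Microsoft's linked post additionally drops the SameSite attribute for older clients that misread SameSite=None as Strict; this example leaves that part out.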