"Correlation failed" at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()

I followed the instructions in Add an External Identity Provider

I created an application in Okta and configured Google as my IdP. I created this authorization URL:

https://dev-251753.okta.com/oauth2/v1/authorize?idp=0oa25cniz0jOV5S8u357&client_id=0oa25ces7erAiw8OJ357&response_type=id_token&response_mode=fragment&scope=openid&redirect_uri=https://localhost:5001/authorization-code/callback &state=abcd&nonce=efga

Visiting this URL immediately redirects me to https://localhost:5001/authorization-code/callback#id_token=eyJraWQiOiJYeEk… (I truncated the URL because the value of id_token is quite long). Is this the expected behaviour? Shouldn’t I be redirected to a Google sign-in page where I can authenticate, and only after I successfully authenticate be redirected back to https://localhost:5001/authorization-code/callback with some token?

Hi @andrewliang

If you open the browser’s network console, do you see a redirect to Google in the sequence of calls? Also, if you decode the ID token, what is the value of the “idp” claim: the IdP ID (e.g. 0oa25cniz0jOV5S8u357) or the tenant’s ID (which starts with 00o)?

Sorry for the late reply, this work is outside of my 9-5 job.

To answer your question, I don’t see redirects from Google. However, I do see the following from okta. Far below is the raw HTTP request/response. I’m not too concerned about tokens being exposed to the public, this is for a pet project that’s running locally.

Also, I noticed a typo in the redirect_uri query parameter. Once I fixed it and cleared my cookies, I was able to see Google’s IdP login screen. Hurray!

However, after I’m authenticated, I’m still getting the darn “Correlation Failed” error.

Below is the stacktrace:
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.<HandleRequestAsync>d__12.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.d__6.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.d__7.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at ProjectXYZ.UI.ProjectXYZExceptionMiddleware.d__3.MoveNext() in H:@ProjectXYZ-2019\ProjectXYZ.UI\ProjectXYZExceptionMiddleware.cs:line 29

Would you know why I’m getting this “Correlation Failed” error? Thanks


*Note: To get around your maximum 5 link policy, I had to replace “https:” with “https_:”, “.com” with “.ccom” and “.io” with “.iio”.

HTTP Request
GET https_://dev-251753.okta.ccom/oauth2/v1/authorize?idp=0oa25cniz0jOV5S8u357&client_id=0oa25ces7erAiw8OJ357&response_type=id_token&response_mode=fragment&scope=openid&redirect_uri=https%3A%2F%2Flocalhost%3A5001%2Fauthorization-code%2Fcallback&state=abcd&nonce=efgas HTTP/1.1
Host: dev-251753.okta.ccom
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Referer: https_://localhost:5001/deals
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: __cfduid=d3cce8a67ec1d0e63a7698cb86f6c36441575248307; _vwo_uuid_v2=D1E1D375E5AE0C8E8B4F24B0934F6DFDB|17493d25aa4faee6e106c1c0f30b7732; _vwo_uuid=D1E1D375E5AE0C8E8B4F24B0934F6DFDB; _vis_opt_exp_291_combi=1; _okta_original_attribution={%22utm_page%22:%22/%22%2C%22utm_date%22:%2212/01/2019%22}; _gcl_au=1.1.334866357.1575248308; _mkto_trk=id:380-NLU-416&token:_mch-okta.ccom-1575248308008-44603; _ga=GA1.2.2128557931.1575248308; cb_group_id=null; cb_user_id=null; cb_anonymous_id=%22c5e1496b-8577-4ccc-8f6a-3bf0ca298c1e%22; _fbp=fb.1.1575248308510.206948921; _vis_opt_exp_291_goal_2=1; _hly_vid=e0d75b2e-c3e8-41dd-be53-c1f141a82ad9; DT=DI03iQRbo3kTO2cUikow83Sww; proximity_9ad182b75b8da731130b050565717a4a=NzNfVLTcGmIlOlH5OFW24qDUOC4tATmg6znnBGOEoi78kz6Bbb7dbw0QIZaCjxT54oDZeKcD1AQxXA4S6gr+snMFtyaxzd55KeaWD8fN8Sm46J48mmJSovMoUpnS3BF2/U0prcQ4Urk5Lsu+cx1StHlyZg39UlELedjJ6zVTkqflN5j+zbFkOmr92voS76jO; mp_f46f8e1c3b1b293b7bea7dfd682939a6_mixpanel=%7B%22distinct_id%22%3A%20%2216ee11b2007293-0bf5c143b434b6-2393f61-4b9600-16ee11b2008aca%22%2C%22%24device_id%22%3A%20%2216ee11b2007293-0bf5c143b434b6-2393f61-4b9600-16ee11b2008aca%22%2C%22%24initial_referrer%22%3A%20%22https%3A%2F%2Fdev-251753.okta.ccom%2Fuser%2Fnotifications%22%2C%22%24initial_referring_domain%22%3A%20%22dev-251753.okta.ccom%22%2C%22env%22%3A%20%22PROD%22%7D; _pendo_accountId.f8bd2822-002a-478f-66a9-0178efd7ee1f=00o25cc4kyN8VDGQI357; _pendo_visitorId.f8bd2822-002a-478f-66a9-0178efd7ee1f=00u25cc4ocklhVVA7357; _hp2_props.3356162945=%7B%22A%2FB%20Test%20Homepage%20Promo%20Top%20Slideshow%20v2%22%3A%22false%22%7D; t=default; sid=102wbW9lh4tSv6isV3zcNM6yQ; _gid=GA1.2.1369784775.1576333562; _hp2_ses_props.3356162945=%7B%22r%22%3A%22https%3A%2F%2Fdevforum.okta.ccom%2Ft%2Fcoorelation-failed-at-microsoft-aspnetcore-authentication-remoteauthenticationhandler-1-handlerequestasync%2F7281%22%2C%22ts%22%3A1576333563902%2C%22d%22%3A%22devforum.okta.ccom%22%2C%22h%22%3A%22%2F%22%7D; _vis_opt_s=1%7C; _vis_opt_test_cookie=1; 
_vwo_ds=3%3Aa_0%2Ct_0%3A0%241576332369%3A44.50538128%3A%3A64_0%2C57_0%2C42_0%2C40_0%2C38_0%2C21_0%2C20_0%2C19_0%2C18_0%3A67_0%2C4_0%2C3_0%3A2620; _vwo_sn=2855%3A2; _hp2_id.3356162945=%7B%22userId%22%3A%224239542713920614%22%2C%22pageviewId%22%3A%220360178900215652%22%2C%22sessionId%22%3A%220788549771136288%22%2C%22identity%22%3Anull%2C%22trackerVersion%22%3A%224.0%22%7D; ADRUM_BTa="R:28|g:4f438fd8-452c-4367-9392-44fa0ef1f0f1|n:Okta_6d5b1e30-d05a-4894-a37b-81b5f6c60e0e"; ADRUM_BT1="R:28|i:14031|e:69"; JSESSIONID=1D20CE8304DE63BEA02F3D359986F1FE

Response
HTTP/1.1 302 Found
Date: Sat, 14 Dec 2019 15:02:13 GMT
Content-Length: 0
Connection: keep-alive
Server: nginx
Public-Key-Pins-Report-Only: pin-sha256="r5EfzZxQVvQpKo3AgYRaT7X2bDO/kj3ACwmxfdT2zt8="; pin-sha256="MaqlcUgk2mvY/RFSGeSwBRkI+rZ6/dxe/DuQfBT/vnQ="; pin-sha256="72G5IEvDEWn+EThf3qjR7/bQSWaS2ZSLqolhnO6iyJI="; pin-sha256="rrV6CLCCvqnk89gWibYT0JO6fNQ8cCit7GGoiVTjCOg="; max-age=60; report-uri="https_://okta.report-uri.iio/r/default/hpkp/reportOnly"
X-Okta-Request-Id: XfT5dTIoBx2T5J3njWJrtAAAAfY
X-XSS-Protection: 1; mode=block; report=https_://okta.report-uri.ccom/r/d/xss/enforce
P3P: CP="HONK"
X-Rate-Limit-Limit: 2000
X-Rate-Limit-Remaining: 1995
X-Rate-Limit-Reset: 1576335740
Content-Security-Policy-Report-Only: default-src 'self' *.oktacdn.ccom dev-251753.okta.ccom; connect-src 'self' *.oktacdn.ccom *.mixpanel.ccom *.mapbox.ccom app.pendo.iio data.pendo.iio pendo-static-5634101834153984.storage.googleapis.ccom *.authenticatorlocalprod.ccom:* *.authenticatorlocaldev.ccom:* dev-251753.okta.ccom dev-251753-admin.okta.ccom https_://oinmanager.okta.ccom; script-src 'unsafe-inline' 'unsafe-eval' 'self' *.oktacdn.ccom; style-src 'unsafe-inline' 'self' *.oktacdn.ccom app.pendo.iio cdn.pendo.iio pendo-static-5634101834153984.storage.googleapis.ccom; frame-src 'self' login.okta.ccom dev-251753.okta.ccom dev-251753-admin.okta.ccom; img-src 'self' *.oktacdn.ccom dev-251753.okta.ccom *.mapbox.ccom app.pendo.iio data.pendo.iio cdn.pendo.iio pendo-static-5634101834153984.storage.googleapis.ccom data: blob:; font-src data: 'self' *.oktacdn.ccom fonts.gstatic.ccom; report-uri https_://okta.report-uri.ccom/r/d/csp/reportOnly; report-to csp-report
Report-To: {"group":"csp-report","max_age":31536000,"endpoints":[{"url":"https_://okta.report-uri.ccom/r/d/csp/reportOnly"}],"include_subdomains":true}
Referrer-Policy: no-referrer
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: 0
Location: https_://localhost:5001/authorization-code/callback#id_token=eyJraWQiOiJYeEk0RjluTjNsQXhmSkN0dWU4b1U5clkzcWo2ZDVhVVk2VHBKNlAzQTZJIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIwMHUyNWNjNG9ja2xoVlZBNzM1NyIsInZlciI6MSwiaXNzIjoiaHR0cHM6Ly9kZXYtMjUxNzUzLm9rdGEuY29tIiwiYXVkIjoiMG9hMjVjZXM3ZXJBaXc4T0ozNTciLCJpYXQiOjE1NzYzMzU3MzMsImV4cCI6MTU3NjMzOTMzMywianRpIjoiSUQuWmxlZXdCUm84aVFZbFVNOUJSSnlldzVRVDBodzFVUDRsbTRQcWpWY0NIZyIsImFtciI6WyJwd2QiXSwiaWRwIjoiMG9hMjVjbml6MGpPVjVTOHUzNTciLCJub25jZSI6ImVmZ2FzIiwiYXV0aF90aW1lIjoxNTc2MzMzNTE4fQ.DkJ_WofR2H6Oc0x7PQsdB4K4gKBzzF6rMcQMLobZddpys04HhAp0d4DczP6ia9RbQIRvICwmFwOXnRMyY1dwLbGV21gf0hIviP9WpmBpPwivonc9D7nnqcGthCDo7pyv5y15dp6NNinvnOk654L8yvmRXdBkCroCNxQvjbb2tTSeG8YygJRT4nszL7w962PMbivFDIJRfBFEicKGcey06-kUbQnA3uPw3QPlKCmmGf1plq59QGYnLd64rNbkHVbj31NvDFUzB24Laa1G06UNkZ6rTLtpl3Ve0YmUmzqUGAI7GJJgIhi2UmfgtpZPQcVt38LNW22z1agN9CJHMcSWWQ&state=abcd
Content-Language: en
Strict-Transport-Security: max-age=315360000
X-Robots-Tag: none
Set-Cookie: ADRUM_BTa="R:28|g:4f438fd8-452c-4367-9392-44fa0ef1f0f1|n:Okta_6d5b1e30-d05a-4894-a37b-81b5f6c60e0e"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ADRUM_BT1="R:28|i:14031|e:69"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ADRUM_BTa="R:28|g:121110be-1346-488b-a987-48bbaf7fac33"; Version=1; Max-Age=30; Expires=Sat, 14-Dec-2019 15:02:43 GMT; Path=/
Set-Cookie: ADRUM_BTa="R:28|g:121110be-1346-488b-a987-48bbaf7fac33|n:Okta_6d5b1e30-d05a-4894-a37b-81b5f6c60e0e"; Version=1; Max-Age=30; Expires=Sat, 14-Dec-2019 15:02:43 GMT; Path=/
Set-Cookie: ADRUM_BT1="R:28|i:14031"; Version=1; Max-Age=30; Expires=Sat, 14-Dec-2019 15:02:43 GMT; Path=/
Set-Cookie: ADRUM_BT1="R:28|i:14031|e:73"; Version=1; Max-Age=30; Expires=Sat, 14-Dec-2019 15:02:43 GMT; Path=/
Set-Cookie: JSESSIONID=F125D23D6DF4B918A28C1D787D19ADCD; Path=/; Secure; HttpOnly
Set-Cookie: t=default; Path=/
Set-Cookie: sid=102wbW9lh4tSv6isV3zcNM6yQ;Version=1;Path=/;Secure;HttpOnly;SameSite=None
Set-Cookie: proximity_9ad182b75b8da731130b050565717a4a=NzNfVLTcGmIlOlH5OFW24qDUOC4tATmg6znnBGOEoi78kz6Bbb7dbw0QIZaCjxT54oDZeKcD1AQxXA4S6gr+snMFtyaxzd55KeaWD8fN8Sm46J48mmJSovMoUpnS3BF2/U0prcQ4Urk5Lsu+cx1StHlyZg39UlELedjJ6zVTkqflN5j+zbFkOmr92voS76jO;Version=1;Path=/;Max-Age=31536000;Secure;Expires=Sun, 13 Dec 2020 15:02:13 GMT;SameSite=None
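The earlier reply asked what the “idp” claim of the ID token says. The Location header of the captured 302 carries the whole token, so it can be read without any further requests. The following is an added example (written for this thread, not code from the post or from Okta) that decodes the header and payload of that token and compares the claims with the values the authorize request above actually sent: client_id 0oa25ces7erAiw8OJ357, nonce efgas, idp 0oa25cniz0jOV5S8u357 and the tenant issuer https://dev-251753.okta.com. Decoding is not verification: a relying party must check the RS256 signature against the keys published through the tenant’s discovery document before trusting a single claim, and this example deliberately leaves the signature untouched to make that boundary visible. Note that the first authorize URL in the thread used nonce=efga while the captured request used efgas; the claim check shows how a relying party would catch such a mismatch.

```python
import base64
import json

# ID token captured in the Location header of the 302 response quoted above.
# Real data from the post; only split into its three dot-separated parts for readability.
_HEADER = "eyJraWQiOiJYeEk0RjluTjNsQXhmSkN0dWU4b1U5clkzcWo2ZDVhVVk2VHBKNlAzQTZJIiwiYWxnIjoiUlMyNTYifQ"
_PAYLOAD = (
    "eyJzdWIiOiIwMHUyNWNjNG9ja2xoVlZBNzM1NyIsInZlciI6MSwi"
    "aXNzIjoiaHR0cHM6Ly9kZXYtMjUxNzUzLm9rdGEuY29tIiwi"
    "YXVkIjoiMG9hMjVjZXM3ZXJBaXc4T0ozNTciLCJp"
    "YXQiOjE1NzYzMzU3MzMsImV4cCI6MTU3NjMzOTMzMywi"
    "anRpIjoiSUQuWmxlZXdCUm84aVFZbFVNOUJSSnlldzVRVDBodzFVUDRsbTRQcWpWY0NIZyIs"
    "ImFtciI6WyJwd2QiXSwi"
    "aWRwIjoiMG9hMjVjbml6MGpPVjVTOHUzNTciLCJu"
    "b25jZSI6ImVmZ2FzIiwi"
    "YXV0aF90aW1lIjoxNTc2MzMzNTE4fQ"
)
_SIGNATURE = (
    "DkJ_WofR2H6Oc0x7PQsdB4K4gKBzzF6rMcQMLobZddpys04HhAp0d4DczP6ia9RbQIRvICwmFwOXnRMyY1dwLbGV21gf0hIviP9WpmBpPwivonc9D7nnqcGthCDo7pyv5y15dp6NNinvnOk654L8yvmRXdBkCroCNxQvjbb2tTSeG8YygJRT4nszL7w962PMbivFDIJRfBFEicKGcey06-kUbQnA3uPw3QPlKCmmGf1plq59QGYnLd64rNbkHVbj31NvDFUzB24Laa1G06UNkZ6rTLtpl3Ve0YmUmzqUGAI7GJJgIhi2UmfgtpZPQcVt38LNW22z1agN9CJHMcSWWQ"
)
ID_TOKEN = ".".join([_HEADER, _PAYLOAD, _SIGNATURE])

# What the relying party sent in the authorize request above, and therefore expects back.
EXPECTED = {
    "client_id": "0oa25ces7erAiw8OJ357",
    "nonce": "efgas",
    "idp": "0oa25cniz0jOV5S8u357",
    "issuer": "https://dev-251753.okta.com",
}


def _b64url_decode(segment):
    """JWTs use unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token):
    """Split a compact JWS into (header, payload, raw signature segment).

    The signature is returned as-is and NOT checked. Nothing in the payload may be
    trusted until the RS256 signature has been verified against the issuer's JWKS
    (the jwks_uri in https://dev-251753.okta.com/.well-known/openid-configuration).
    """
    header_b64, payload_b64, signature_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    return header, payload, signature_b64


def check_claims(payload, client_id, nonce, idp, issuer):
    """Return the names of the claims that disagree with what the RP sent or expects.

    aud may be a string or a list per the OIDC spec; the RP's client_id must be in it.
    nonce binds the token to this browser session; iss pins the tenant; idp is Okta's
    own claim naming the identity provider that actually authenticated the user.
    """
    bad = []
    aud = payload.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        bad.append("aud")
    for name, want in (("nonce", nonce), ("iss", issuer), ("idp", idp)):
        if payload.get(name) != want:
            bad.append(name)
    return bad


def seconds_since_authentication(payload):
    """How long before the token was minted (iat) the user last authenticated (auth_time).

    A large gap means the token came from an existing Okta session rather than a
    fresh login; an RP that needs a fresh login sends max_age or prompt=login.
    """
    return payload["iat"] - payload["auth_time"]


if __name__ == "__main__":
    header, payload, _ = decode_unverified(ID_TOKEN)
    print("header :", json.dumps(header))
    print("payload:", json.dumps(payload, indent=2))
    print("mismatched claims:", check_claims(payload, **EXPECTED))
    print("seconds between auth_time and iat:", seconds_since_authentication(payload))
```

For the captured token the idp claim is the IdP ID 0oa25cniz0jOV5S8u357 (not the 00o tenant ID), amr is ["pwd"], and auth_time lies 2215 seconds before iat, i.e. the token was minted from an authentication that had happened about 37 minutes earlier rather than from a login performed during this redirect.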

Hi @andrewliang

Thanks for the follow-up. Regarding the Correlation Failed error, this usually appears if a session token is missing or if a configuration is invalid in the ASP.NET Core application.

One of the possible causes for this error can be found below:
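The check behind that error, as an added example that is not part of the reply above and not ASP.NET Core’s own code: when a remote authentication handler issues a challenge it mints a random correlation id, sets it as a cookie on the relying party’s host, and binds the same id into the protected state parameter it sends to the provider. On the callback it unprotects the state, looks for the matching cookie, deletes it (single use) and only then continues; a missing or mismatched cookie is reported as “Correlation failed.” That is the relying party’s CSRF defence: a callback that the app did not start cannot complete a login. The simulation below is a model, with an HMAC standing in for ASP.NET Core’s DataProtection and a cookie name modelled on its default (the exact suffix varies between versions). It runs five callbacks against the same logic: the genuine one, a replay of the same state, a callback whose cookie is not sent back, a hand-built state like the state=abcd in the authorize URL above, and a callback with no state at all, which is what a server sees when the provider answers with response_mode=fragment, since browsers never send the URL fragment to the server.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Stand-in for the app's DataProtection key ring: a fresh key per run (assumption for this model).
STATE_KEY = secrets.token_bytes(32)
# Modelled on ASP.NET Core's default correlation cookie name; the exact suffix differs by version.
COOKIE_PREFIX = ".AspNetCore.Correlation."


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def protect_state(props):
    """Serialise the authentication properties and append an HMAC so the callback
    can distinguish state it issued itself from anything a third party sends."""
    body = json.dumps(props, sort_keys=True).encode()
    tag = hmac.new(STATE_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def unprotect_state(state):
    """Return the properties if the HMAC checks out, else None (hand-rolled or tampered state)."""
    try:
        body_b64, tag_b64 = state.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:  # wrong number of parts, or bad base64 (binascii.Error is a ValueError)
        return None
    if not hmac.compare_digest(hmac.new(STATE_KEY, body, hashlib.sha256).digest(), tag):
        return None
    return json.loads(body)


def challenge(cookie_jar, scheme="Okta", return_url="/deals"):
    """Challenge: mint a correlation id, drop it as a cookie on the RP host, bind it
    into the state. Returns the state value to put on the authorize URL."""
    correlation_id = _b64(secrets.token_bytes(32))
    cookie_jar[COOKIE_PREFIX + scheme + "." + correlation_id] = "N"
    return protect_state({".xsrf": correlation_id, "returnUrl": return_url})


def handle_callback(query, cookie_jar, scheme="Okta"):
    """Callback: returns (ok, reason). The cookie is single-use and is removed
    from the jar whether or not it matched, so a replayed state cannot succeed."""
    state = query.get("state")
    if state is None:
        return False, "no state in the request (a fragment response never reaches the server)"
    props = unprotect_state(state)
    if props is None:
        return False, "state was not issued by this app"
    correlation_id = props.get(".xsrf")
    if not correlation_id:
        return False, "Correlation failed."
    if cookie_jar.pop(COOKIE_PREFIX + scheme + "." + correlation_id, None) != "N":
        return False, "Correlation failed."
    return True, "correlated; continue to returnUrl " + props["returnUrl"]


def run_scenarios():
    """Five callbacks against the same handler; only the first one should pass."""
    results = {}
    jar = {}  # the browser's cookie store for the RP host (constructed)
    state = challenge(jar)
    results["happy"] = handle_callback({"code": "c1", "state": state}, jar)
    results["replay"] = handle_callback({"code": "c1", "state": state}, jar)      # cookie already consumed
    state2 = challenge(jar)
    results["no_cookie"] = handle_callback({"code": "c2", "state": state2}, {})   # cookie not sent back
    results["forged"] = handle_callback({"code": "c3", "state": "abcd"}, jar)     # hand-built state, as in the URL above
    results["fragment"] = handle_callback({}, jar)                                # #id_token=...&state=... stayed in the browser
    return results


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:10s} {'OK  ' if ok else 'FAIL'} {reason}")
```

The “no_cookie” case is the one to keep in mind when configuring the real handler: the correlation cookie has to be sent on a request that arrives from the provider’s site, so a cookie marked SameSite=Lax is dropped on a cross-site POST (response_mode=form_post) while still being sent on a cross-site top-level GET (response_mode=query), and clearing cookies between the challenge and the callback, or serving the two on different hosts or ports, removes it as well.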

I tried the solutions in those SO and GitHub posts but they didn’t work for me.

Just an FYI, I’m using Angular with Node as the front end. Would you know how that affects security? Does it behave much like a proxy?

Thanks

I fixed the issue by following this tutorial: Build a CRUD App with ASP.NET Core and Angular. This tutorial was using the implicit flow, while the previous tutorial I was following was using the authorization code flow, which probably didn’t play nicely with Angular.
