"Correlation failed" at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()

I followed the instructions in Add an External Identity Provider

I created an application in Okta and configured Google as my IDP. I created this Authorization Url

https://dev-251753.okta.com/oauth2/v1/authorize?idp=0oa25cniz0jOV5S8u357&client_id=0oa25ces7erAiw8OJ357&response_type=id_token&response_mode=fragment&scope=openid&redirect_uri=https://localhost:5001/authorization-code/callback &state=abcd&nonce=efga

Visiting this URL immediately redirects me to https://localhost:5001/authorization-code/callback#id_token=eyJraWQiOiJYeEk… (I truncated the URL because the value of id_token is quite long). Is this the expected behaviour? Shouldn’t I be redirected to a Google sign-in page where I can authenticate, and only after I successfully authenticate be redirected back to https://localhost:5001/authorization-code/callback with some token?

Hi @andrewliang

If you open the browser’s network console, do you see a redirect to Google in the sequence of calls? Also, if you decode the ID token, what is the value of the “idp” claim: the IDP ID (e.g. 0oa25cniz0jOV5S8u357) or the tenant’s ID (which starts with 00o)?

Sorry for the late reply, this work is outside of my 9-5 job.

To answer your question, I don’t see redirects from Google. However, I do see the following from Okta. Far below is the raw HTTP request/response. I’m not too concerned about tokens being exposed to the public; this is for a pet project that’s running locally.

Also, I noticed a typo in the redirect_uri query parameter. Once I fixed it and cleared my cookies, I was able to see Google’s IDP login screen. Hurray!

However, after I’m authenticated, I’m still getting the darn “Correlation Failed” error.

Below is the stack trace:
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.<HandleRequestAsync>d__12.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.d__6.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.d__7.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at ProjectXYZ.UI.ProjectXYZExceptionMiddleware.d__3.MoveNext() in H:@ProjectXYZ-2019\ProjectXYZ.UI\ProjectXYZExceptionMiddleware.cs:line 29

Would you know why I’m getting this “Correlation Failed” error? Thanks


*Note: To get around your maximum 5 link policy, I had to replace “https:” with “https_:”, “.com” with “.ccom” and “.io” with “.iio”.

HTTP Request
GET https_://dev-251753.okta.ccom/oauth2/v1/authorize?idp=0oa25cniz0jOV5S8u357&client_id=0oa25ces7erAiw8OJ357&response_type=id_token&response_mode=fragment&scope=openid&redirect_uri=https%3A%2F%2Flocalhost%3A5001%2Fauthorization-code%2Fcallback&state=abcd&nonce=efgas HTTP/1.1
Host: dev-251753.okta.ccom
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Referer: https_://localhost:5001/deals
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: __cfduid=d3cce8a67ec1d0e63a7698cb86f6c36441575248307; _vwo_uuid_v2=D1E1D375E5AE0C8E8B4F24B0934F6DFDB|17493d25aa4faee6e106c1c0f30b7732; _vwo_uuid=D1E1D375E5AE0C8E8B4F24B0934F6DFDB; _vis_opt_exp_291_combi=1; _okta_original_attribution={%22utm_page%22:%22/%22%2C%22utm_date%22:%2212/01/2019%22}; _gcl_au=1.1.334866357.1575248308; _mkto_trk=id:380-NLU-416&token:_mch-okta.ccom-1575248308008-44603; _ga=GA1.2.2128557931.1575248308; cb_group_id=null; cb_user_id=null; cb_anonymous_id=%22c5e1496b-8577-4ccc-8f6a-3bf0ca298c1e%22; _fbp=fb.1.1575248308510.206948921; _vis_opt_exp_291_goal_2=1; _hly_vid=e0d75b2e-c3e8-41dd-be53-c1f141a82ad9; DT=DI03iQRbo3kTO2cUikow83Sww; proximity_9ad182b75b8da731130b050565717a4a=NzNfVLTcGmIlOlH5OFW24qDUOC4tATmg6znnBGOEoi78kz6Bbb7dbw0QIZaCjxT54oDZeKcD1AQxXA4S6gr+snMFtyaxzd55KeaWD8fN8Sm46J48mmJSovMoUpnS3BF2/U0prcQ4Urk5Lsu+cx1StHlyZg39UlELedjJ6zVTkqflN5j+zbFkOmr92voS76jO; mp_f46f8e1c3b1b293b7bea7dfd682939a6_mixpanel=%7B%22distinct_id%22%3A%20%2216ee11b2007293-0bf5c143b434b6-2393f61-4b9600-16ee11b2008aca%22%2C%22%24device_id%22%3A%20%2216ee11b2007293-0bf5c143b434b6-2393f61-4b9600-16ee11b2008aca%22%2C%22%24initial_referrer%22%3A%20%22https%3A%2F%2Fdev-251753.okta.ccom%2Fuser%2Fnotifications%22%2C%22%24initial_referring_domain%22%3A%20%22dev-251753.okta.ccom%22%2C%22env%22%3A%20%22PROD%22%7D; _pendo_accountId.f8bd2822-002a-478f-66a9-0178efd7ee1f=00o25cc4kyN8VDGQI357; _pendo_visitorId.f8bd2822-002a-478f-66a9-0178efd7ee1f=00u25cc4ocklhVVA7357; _hp2_props.3356162945=%7B%22A%2FB%20Test%20Homepage%20Promo%20Top%20Slideshow%20v2%22%3A%22false%22%7D; t=default; sid=102wbW9lh4tSv6isV3zcNM6yQ; _gid=GA1.2.1369784775.1576333562; _hp2_ses_props.3356162945=%7B%22r%22%3A%22https%3A%2F%2Fdevforum.okta.ccom%2Ft%2Fcoorelation-failed-at-microsoft-aspnetcore-authentication-remoteauthenticationhandler-1-handlerequestasync%2F7281%22%2C%22ts%22%3A1576333563902%2C%22d%22%3A%22devforum.okta.ccom%22%2C%22h%22%3A%22%2F%22%7D; _vis_opt_s=1%7C; _vis_opt_test_cookie=1; 
_vwo_ds=3%3Aa_0%2Ct_0%3A0%241576332369%3A44.50538128%3A%3A64_0%2C57_0%2C42_0%2C40_0%2C38_0%2C21_0%2C20_0%2C19_0%2C18_0%3A67_0%2C4_0%2C3_0%3A2620; _vwo_sn=2855%3A2; _hp2_id.3356162945=%7B%22userId%22%3A%224239542713920614%22%2C%22pageviewId%22%3A%220360178900215652%22%2C%22sessionId%22%3A%220788549771136288%22%2C%22identity%22%3Anull%2C%22trackerVersion%22%3A%224.0%22%7D; ADRUM_BTa=“R:28|g:4f438fd8-452c-4367-9392-44fa0ef1f0f1|n:Okta_6d5b1e30-d05a-4894-a37b-81b5f6c60e0e”; ADRUM_BT1=“R:28|i:14031|e:69”; JSESSIONID=1D20CE8304DE63BEA02F3D359986F1FE

Response
HTTP/1.1 302 Found
Date: Sat, 14 Dec 2019 15:02:13 GMT
Content-Length: 0
Connection: keep-alive
Server: nginx
Public-Key-Pins-Report-Only: pin-sha256=“r5EfzZxQVvQpKo3AgYRaT7X2bDO/kj3ACwmxfdT2zt8=”; pin-sha256=“MaqlcUgk2mvY/RFSGeSwBRkI+rZ6/dxe/DuQfBT/vnQ=”; pin-sha256=“72G5IEvDEWn+EThf3qjR7/bQSWaS2ZSLqolhnO6iyJI=”; pin-sha256=“rrV6CLCCvqnk89gWibYT0JO6fNQ8cCit7GGoiVTjCOg=”; max-age=60; report-uri=“https_://okta.report-uri.iio/r/default/hpkp/reportOnly”
X-Okta-Request-Id: XfT5dTIoBx2T5J3njWJrtAAAAfY
X-XSS-Protection: 1; mode=block; report=https_://okta.report-uri.ccom/r/d/xss/enforce
P3P: CP=“HONK”
X-Rate-Limit-Limit: 2000
X-Rate-Limit-Remaining: 1995
X-Rate-Limit-Reset: 1576335740
Content-Security-Policy-Report-Only: default-src ‘self’ *.oktacdn.ccom dev-251753.okta.ccom; connect-src ‘self’ *.oktacdn.ccom *.mixpanel.ccom *.mapbox.ccom app.pendo.iio data.pendo.iio pendo-static-5634101834153984.storage.googleapis.ccom .authenticatorlocalprod.ccom: .authenticatorlocaldev.ccom: dev-251753.okta.ccom dev-251753-admin.okta.ccom https_://oinmanager.okta.ccom; script-src ‘unsafe-inline’ ‘unsafe-eval’ ‘self’ *.oktacdn.ccom; style-src ‘unsafe-inline’ ‘self’ *.oktacdn.ccom app.pendo.iio cdn.pendo.iio pendo-static-5634101834153984.storage.googleapis.ccom; frame-src ‘self’ login.okta.ccom dev-251753.okta.ccom dev-251753-admin.okta.ccom; img-src ‘self’ *.oktacdn.ccom dev-251753.okta.ccom *.mapbox.ccom app.pendo.iio data.pendo.iio cdn.pendo.iio pendo-static-5634101834153984.storage.googleapis.ccom data: blob:; font-src data: ‘self’ *.oktacdn.ccom fonts.gstatic.ccom; report-uri https_://okta.report-uri.ccom/r/d/csp/reportOnly; report-to csp-report
Report-To: {“group”:“csp-report”,“max_age”:31536000,“endpoints”:[{“url”:“https_://okta.report-uri.ccom/r/d/csp/reportOnly”}],“include_subdomains”:true}
Referrer-Policy: no-referrer
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: 0
Location: https_://localhost:5001/authorization-code/callback#id_token=eyJraWQiOiJYeEk0RjluTjNsQXhmSkN0dWU4b1U5clkzcWo2ZDVhVVk2VHBKNlAzQTZJIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIwMHUyNWNjNG9ja2xoVlZBNzM1NyIsInZlciI6MSwiaXNzIjoiaHR0cHM6Ly9kZXYtMjUxNzUzLm9rdGEuY29tIiwiYXVkIjoiMG9hMjVjZXM3ZXJBaXc4T0ozNTciLCJpYXQiOjE1NzYzMzU3MzMsImV4cCI6MTU3NjMzOTMzMywianRpIjoiSUQuWmxlZXdCUm84aVFZbFVNOUJSSnlldzVRVDBodzFVUDRsbTRQcWpWY0NIZyIsImFtciI6WyJwd2QiXSwiaWRwIjoiMG9hMjVjbml6MGpPVjVTOHUzNTciLCJub25jZSI6ImVmZ2FzIiwiYXV0aF90aW1lIjoxNTc2MzMzNTE4fQ.DkJ_WofR2H6Oc0x7PQsdB4K4gKBzzF6rMcQMLobZddpys04HhAp0d4DczP6ia9RbQIRvICwmFwOXnRMyY1dwLbGV21gf0hIviP9WpmBpPwivonc9D7nnqcGthCDo7pyv5y15dp6NNinvnOk654L8yvmRXdBkCroCNxQvjbb2tTSeG8YygJRT4nszL7w962PMbivFDIJRfBFEicKGcey06-kUbQnA3uPw3QPlKCmmGf1plq59QGYnLd64rNbkHVbj31NvDFUzB24Laa1G06UNkZ6rTLtpl3Ve0YmUmzqUGAI7GJJgIhi2UmfgtpZPQcVt38LNW22z1agN9CJHMcSWWQ&state=abcd
Content-Language: en
Strict-Transport-Security: max-age=315360000
X-Robots-Tag: none
Set-Cookie: ADRUM_BTa=“R:28|g:4f438fd8-452c-4367-9392-44fa0ef1f0f1|n:Okta_6d5b1e30-d05a-4894-a37b-81b5f6c60e0e”; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ADRUM_BT1=“R:28|i:14031|e:69”; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ADRUM_BTa=“R:28|g:121110be-1346-488b-a987-48bbaf7fac33”; Version=1; Max-Age=30; Expires=Sat, 14-Dec-2019 15:02:43 GMT; Path=/
Set-Cookie: ADRUM_BTa=“R:28|g:121110be-1346-488b-a987-48bbaf7fac33|n:Okta_6d5b1e30-d05a-4894-a37b-81b5f6c60e0e”; Version=1; Max-Age=30; Expires=Sat, 14-Dec-2019 15:02:43 GMT; Path=/
Set-Cookie: ADRUM_BT1=“R:28|i:14031”; Version=1; Max-Age=30; Expires=Sat, 14-Dec-2019 15:02:43 GMT; Path=/
Set-Cookie: ADRUM_BT1=“R:28|i:14031|e:73”; Version=1; Max-Age=30; Expires=Sat, 14-Dec-2019 15:02:43 GMT; Path=/
Set-Cookie: JSESSIONID=F125D23D6DF4B918A28C1D787D19ADCD; Path=/; Secure; HttpOnly
Set-Cookie: t=default; Path=/
Set-Cookie: sid=102wbW9lh4tSv6isV3zcNM6yQ;Version=1;Path=/;Secure;HttpOnly;SameSite=None
Set-Cookie: proximity_9ad182b75b8da731130b050565717a4a=NzNfVLTcGmIlOlH5OFW24qDUOC4tATmg6znnBGOEoi78kz6Bbb7dbw0QIZaCjxT54oDZeKcD1AQxXA4S6gr+snMFtyaxzd55KeaWD8fN8Sm46J48mmJSovMoUpnS3BF2/U0prcQ4Urk5Lsu+cx1StHlyZg39UlELedjJ6zVTkqflN5j+zbFkOmr92voS76jO;Version=1;Path=/;Max-Age=31536000;Secure;Expires=Sun, 13 Dec 2020 15:02:13 GMT;SameSite=None

Hi @andrewliang

Thanks for the follow-up. Regarding the Correlation Failed error, this usually appears if a session token is missing or if a configuration is invalid in the ASP.NET Core application.

One of the possible causes for this error can be found below:
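To make the "session token is missing" explanation concrete, here is an added illustration that is not code from this thread or from ASP.NET Core itself: a small Python model of the correlation check a server-side remote authentication handler performs. At challenge time it mints a correlation id, stores it in a browser cookie and carries a signed copy inside `state`; at callback time it requires the `state` to verify and the matching cookie to still be present, and reports "Correlation failed" otherwise. The cookie-name prefix, the class and function names and the HMAC scheme are this example's own assumptions modelled on the framework's pattern, not its API. It also shows why a `response_mode=fragment` redirect like the `Location` in the capture above never satisfies a server-side handler: the fragment stays in the browser, so the callback reaches the server with no `state` at all.

```python
"""Model of the state / correlation-cookie check behind "Correlation failed".

Added example; names and the HMAC scheme are assumptions modelled on the
pattern used by ASP.NET Core's remote authentication handlers, not its API.
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Naming modelled on the framework's correlation cookie (assumption).
COOKIE_PREFIX = ".AspNetCore.Correlation."


class CorrelationError(Exception):
    """The callback could not be tied back to the browser that started the login."""


class RelyingParty:
    """Server side of the login round trip (hypothetical, illustration only)."""

    def __init__(self, secret: bytes, callback: str):
        self.secret = secret
        self.callback = callback

    def _sign(self, correlation_id: str) -> str:
        # Bind the id to this server so a forged/edited state is rejected.
        return hmac.new(self.secret, correlation_id.encode(), hashlib.sha256).hexdigest()[:32]

    def start_login(self, cookie_jar: dict) -> str:
        """Challenge: mint a correlation id, drop it as a cookie, carry it in state."""
        correlation_id = secrets.token_urlsafe(16)
        cookie_jar[COOKIE_PREFIX + correlation_id] = "N"
        return f"{correlation_id}.{self._sign(correlation_id)}"

    def handle_callback(self, url: str, cookie_jar: dict) -> str:
        """Callback: recover state from the query and require the matching cookie."""
        parts = urlsplit(url)
        # Only the query reaches the server; a '#...' fragment never leaves the browser.
        query = parse_qs(parts.query)
        if "state" not in query:
            raise CorrelationError("state parameter not found in callback request")
        state = query["state"][0]
        try:
            correlation_id, tag = state.rsplit(".", 1)
        except ValueError:
            raise CorrelationError("state is malformed")
        if not hmac.compare_digest(tag, self._sign(correlation_id)):
            raise CorrelationError("state failed signature check")
        cookie_name = COOKIE_PREFIX + correlation_id
        # The cookie is single-use: consume it whether or not it was present.
        if cookie_jar.pop(cookie_name, None) != "N":
            raise CorrelationError(f"'{cookie_name}' cookie not found")
        return correlation_id


def simulate(scenario: str) -> str:
    """Run one constructed login round trip and describe the outcome.

    scenario: "ok"             cookie and state both arrive, login succeeds
              "cookie_cleared" browser lost (or did not send) the correlation cookie
              "fragment"       provider answered with response_mode=fragment
    """
    rp = RelyingParty(b"constructed-secret", "https://localhost:5001/authorization-code/callback")
    jar: dict = {}  # stands in for the browser's cookie store
    state = rp.start_login(jar)
    if scenario == "cookie_cleared":
        jar.clear()
    if scenario == "fragment":
        url = f"{rp.callback}#id_token=CONSTRUCTED_TOKEN&state={state}"
    else:
        url = f"{rp.callback}?code=CONSTRUCTED_CODE&state={state}"
    try:
        rp.handle_callback(url, jar)
        return "ok"
    except CorrelationError as exc:
        return f"Correlation failed: {exc}"


if __name__ == "__main__":
    for name in ("ok", "cookie_cleared", "fragment"):
        print(f"{name:15} -> {simulate(name)}")
```

`simulate("cookie_cleared")` reproduces the "cookie not found" flavour of the failure, which is what you see when the correlation cookie was cleared, expired, or was never sent back by the browser (for instance because the callback came in on a different host or scheme than the one the cookie was set for); `simulate("fragment")` shows the other flavour, where the handler is never handed a `state` at all because the token and state travelled in the URL fragment.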

I tried the solutions in those SO and GitHub posts but they didn’t work for me.

Just an FYI, I’m using Angular with Node as the front end. Would you know how that affects security? Does it behave much like a proxy?

Thanks

I fixed the issue by following this tutorial: Build a CRUD App with ASP.NET Core and Angular. This tutorial was using the implicit flow, while the previous tutorial I was following was using the authorization code flow, which probably didn’t play nicely with Angular.