Nonce Error in Chrome, despite Secure & Samesite None

We are trying to implement an Okta system for our site. After setting things up, we were able to get it to work when run on localhost in VS, and it works in Firefox when deployed to one of our environments. But that environment fails when run in Chrome once it reaches PostLogin, with the following exception:

Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolInvalidNonceException: IDX21323: RequireNonce is ‘[PII of type ‘System.Boolean’ is hidden. For more details, see Bing]’. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don’t need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to ‘false’. Note if a ‘nonce’ is found it will be evaluated.
at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateNonce(OpenIdConnectProtocolValidationContext validationContext)
at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateTokenResponse(OpenIdConnectProtocolValidationContext validationContext)
at Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationHandler.d__11.MoveNext()

We have ensured our cookies set SameSite as None and Secure as true, and the nonce cookie shows this when we look at the cookies during operation, but Chrome is still getting that error. We have also tried setting options.ProtocolValidator.RequireNonce = false; but that gets an identical error message.

Please ensure that there is no URL mismatch, for example, the request beginning from a URL without WWW and the callback redirection going to a URL with WWW. I have found that this simple mismatch can cause the error you are receiving, and it can be resolved with an IIS URL Rewrite rule. Please let me know if this makes sense and if you have any questions.

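A canonical-host rule of the kind the reply above suggests, as an added example that is not part of the reply or of Okta's documentation. It assumes the site is served at ourSiteUrl without www (as the thread states; the host name is a placeholder) and uses the web.config schema of the IIS URL Rewrite module:

```xml
<!-- web.config fragment (added example, host name is a placeholder from the
     thread). A single canonical host means the OIDC nonce and correlation
     cookies written when login starts are the ones the browser presents on
     the /Account/PostLogin callback; a cookie set for www.ourSiteUrl is not
     sent to ourSiteUrl, which surfaces as "Nonce was null" on the callback.
     Requires the IIS URL Rewrite module. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Any request that arrives with a www. prefix is redirected to the
             non-www host before the login flow begins. -->
        <rule name="Redirect www to canonical host" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <!-- URL Rewrite conditions are case-insensitive by default. -->
            <add input="{HTTP_HOST}" pattern="^www\.ourSiteUrl$" />
          </conditions>
          <action type="Redirect"
                  url="https://ourSiteUrl/{R:1}"
                  redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

The RedirectUri in the OpenIdConnectAuthenticationOptions must use the same canonical host; a redirect that fires on the callback POST itself drops the posted token response, so the host has to be canonical before login starts, not at the callback.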

The URL goes from https://ourSiteUrl/ to https://ourSiteUrl/Account/PostLogin; we cannot see any deviation aside from the path for the PostLogin. Both lack www in this instance, and the spelling is identical between the two, so they are consistent.