Okta.AspNet SameSite issue

Hello, I am trying to prepare our application for the upcoming Chrome 80 update, which will bring changes to the SameSite cookie attribute policy (https://blog.chromium.org/2019/10/developers-get-ready-for-new.html).

I am working with an ASP.NET MVC solution with the Okta.AspNet NuGet package.
I did everything exactly as described in this article (https://github.com/okta/okta-aspnet/blob/master/docs/aspnet4x-mvc.md).

This works fine with these flags set to false in Firefox:

network.cookie.sameSite.laxByDefault false
network.cookie.sameSite.noneRequiresSecure false

Problems occur when I try to set them to true:

network.cookie.sameSite.laxByDefault true
network.cookie.sameSite.noneRequiresSecure true

Then I receive this error:

IDX21323: RequireNonce is ‘True’. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don’t need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to ‘false’. Note if a ‘nonce’ is found it will be evaluated.

I am not able to change OpenIdConnectProtocolValidator.RequireNonce to ‘false’.

Has anyone faced this kind of issue before? Does the current version of Okta.AspNet (v1.4.0) support the SameSite cookie policy change?

I am also experiencing this exact issue. Is there a solution?

@marcin @jharris
Hi, this seems to be related to the SameSite changes that the latest version of Chrome has introduced.

Please refer to the doc below; it will give you some background knowledge:

"Chrome has introduced changes that affect the handling of cross-site cookies. Prior to this change cookies were treated as cross-site by default and the SameSite cookie attribute was opt-in. With this change, the new default will be SameSite=Lax , and cookies that need to work cross-site must be explicitly labeled with a new SameSite=None attribute value. Additionally this will require HTTPS (not plaintext HTTP) because browsers will ignore the SameSite=None attribute unless it is accompanied by the Secure attribute. "

You can refer to the workarounds suggested by MS that should be done at the application level: https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/

If you still have any other questions, I suggest you look into this GH issue and post your questions.

Thanks
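The application-level workaround from the Microsoft article above, written out as an added example (this is not code from the thread, from Okta, or from the Okta.AspNet package). It wraps the OWIN cookie manager used by the OpenID Connect middleware so that the nonce and correlation cookies are issued with SameSite=None and Secure, which is what lets the browser send them back on the cross-site POST from Okta to the redirect URI; without them the handler sees no nonce and raises the IDX21323 error quoted in the question. It assumes Microsoft.Owin 4.1.0 or later (the version that added CookieOptions.SameSite) and that your app can set CookieManager on the OpenIdConnectAuthenticationOptions it registers; the thread does not say whether Okta.AspNet 1.4.0 exposes that option, so check the package before relying on it. The user-agent checks are adapted from the incompatible-client list in the linked Microsoft guidance.

```csharp
// Added example, not from the thread or from Okta.AspNet.
// Assumes Microsoft.Owin 4.1.0+ (CookieOptions.SameSite) and that the OIDC
// options used by the app are reachable so CookieManager can be set.
using System;
using Microsoft.Owin;
using Microsoft.Owin.Host.SystemWeb;
using Microsoft.Owin.Infrastructure;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class SameSiteCookieManager : ICookieManager
{
    private readonly ICookieManager _inner;

    public SameSiteCookieManager(ICookieManager inner)
    {
        _inner = inner ?? throw new ArgumentNullException(nameof(inner));
    }

    public string GetRequestCookie(IOwinContext context, string key)
        => _inner.GetRequestCookie(context, key);

    public void AppendResponseCookie(IOwinContext context, string key, string value, CookieOptions options)
    {
        ApplySameSite(context, options);
        _inner.AppendResponseCookie(context, key, value, options);
    }

    public void DeleteCookie(IOwinContext context, string key, CookieOptions options)
    {
        ApplySameSite(context, options);
        _inner.DeleteCookie(context, key, options);
    }

    // This manager is attached only to the OIDC middleware, so every cookie that
    // passes through it is a nonce/correlation cookie that must survive the
    // cross-site form_post from Okta back to the redirect URI.
    private static void ApplySameSite(IOwinContext context, CookieOptions options)
    {
        string userAgent = context.Request.Headers["User-Agent"] ?? string.Empty;

        if (DisallowsSameSiteNone(userAgent))
        {
            // Older clients treat SameSite=None as Strict: omit the attribute.
            options.SameSite = null;
            return;
        }

        // Cross-site cookies must carry SameSite=None AND Secure. Chrome 80+ and
        // Firefox with network.cookie.sameSite.noneRequiresSecure=true discard a
        // SameSite=None cookie that lacks Secure, which is why the site must be
        // served over HTTPS end to end (including any proxy or load balancer).
        options.SameSite = SameSiteMode.None;
        options.Secure = true;
    }

    // Known clients that reject SameSite=None, adapted from the Microsoft guidance.
    public static bool DisallowsSameSiteNone(string userAgent)
    {
        // iOS 12 Safari, WKWebView and Chrome on iOS 12 share the broken networking stack.
        if (userAgent.Contains("CPU iPhone OS 12") || userAgent.Contains("iPad; CPU OS 12"))
            return true;

        // Safari on macOS 10.14 (Chrome on macOS uses its own stack and is fine).
        if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14") &&
            userAgent.Contains("Version/") && userAgent.Contains("Safari"))
            return true;

        // Chrome 50-69: some builds reject SameSite=None and none of them require it.
        if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
            return true;

        return false;
    }
}

public partial class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            // ... existing Authority, ClientId, RedirectUri and other settings ...
            CookieManager = new SameSiteCookieManager(new SystemWebCookieManager())
        });
    }
}
```

SystemWebCookieManager is used as the inner manager so that the cookies flow through System.Web, where on .NET Framework 4.7.2 or later the web.config setting `<httpCookies sameSite="None" requireSSL="true" />` governs the default SameSite and Secure values for cookies the framework itself issues (session and forms cookies, for example). Secure is forced to true here rather than copied from Request.IsSecure because behind a TLS-terminating proxy the app may see plain HTTP and would otherwise emit a SameSite=None cookie without Secure, exactly the combination that the noneRequiresSecure setting in the question rejects.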

Hi @marcin @jharris,
I would like to add that this is caused by the new security implementation launched in version 80.

If enabled, cookies without SameSite restrictions must also be Secure. If a cookie without SameSite restrictions is set without the Secure attribute, it will be rejected.

For the cookies to be set with the ‘Secure’ attribute, you have to make sure the communication is HTTPS and not HTTP. I suggest you check the configuration in your application and environment (proxy, load balancer, ...) to make sure the protocol is HTTPS.

You can, however, disable this (which may not be recommended) in chrome://flags, but it is now enabled by default:

#cookies-without-same-site-must-be-secure

You’ll have to restart Chrome once you’ve set this to Disabled.