IDX21323: RequireNonce is ‘True’. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don’t need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to ‘false’. Note if a ‘nonce’ is found it will be evaluated.
I am not able to change OpenIdConnectProtocolValidator.RequireNonce to ‘false’.
Has anyone faced this kind of issue before? Does the current version of Okta.AspNet (v1.4.0) support the SameSite cookie policy change?
@marcin @jharris
Hi, this seems to be related to the SameSite changes that the latest version of Chrome has introduced.
Please refer to the doc below. It will give you some background knowledge:
"Chrome has introduced changes that affect the handling of cross-site cookies. Prior to this change cookies were treated as cross-site by default and the SameSite cookie attribute was opt-in. With this change, the new default will be SameSite=Lax , and cookies that need to work cross-site must be explicitly labeled with a new SameSite=None attribute value. Additionally this will require HTTPS (not plaintext HTTP) because browsers will ignore the SameSite=None attribute unless it is accompanied by the Secure attribute. "
Hi @marcin @jharris,
I would like to add that this is caused by the new security implementation launched in version 80.
If enabled, cookies without SameSite restrictions must also be Secure. If a cookie without SameSite restrictions is set without the Secure attribute, it will be rejected.
For the cookies to be set with the ‘secure’ attribute, you have to make sure the communication is HTTPS and not HTTP. I suggest you check the configuration in your application and environment (proxy, load balancer, …) to make sure the protocol is HTTPS.
You can, however, disable this (which may not be recommended) in chrome://flags, but it is now enabled by default:
#cookies-without-same-site-must-be-secure
You’ll have to restart chrome once you’ve set this to disabled.
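Both replies above describe the rule that breaks the sign-in: Okta posts the ID token back to the app cross-site, Chrome 80 now treats a cookie with no SameSite attribute as Lax and withholds it from that cross-site POST, so the nonce cookie never reaches the server and IDX21323 fires; the cookie must carry SameSite=None and, for that to be honoured, Secure over HTTPS. The following is an added example, not code from the thread or from Okta.AspNet: an OWIN ICookieManager wrapper that enforces Secure on any SameSite=None cookie, refuses to emit one over plain HTTP (surfacing the proxy/load-balancer misconfiguration the second reply mentions instead of a confusing nonce error), and drops the attribute for older clients that choke on SameSite=None. It assumes Microsoft.Owin and Microsoft.Owin.Host.SystemWeb 4.1.0 or later (CookieOptions.SameSite, SameSiteMode.None and SystemWebCookieManager were introduced there, and the 4.1 OpenIdConnect middleware marks its nonce and correlation cookies SameSite=None itself), a TLS-terminating proxy that sets and overwrites X-Forwarded-Proto, and that the app configures the underlying OWIN OpenIdConnect middleware directly; whether Okta.AspNet 1.4.0's UseOktaMvc exposes a cookie manager is not something this thread establishes.

```csharp
// Added example (not from the original thread or from Okta.AspNet).
// Assumes Microsoft.Owin 4.1.0+ and Microsoft.Owin.Host.SystemWeb 4.1.0+.
using System;
using Microsoft.Owin;
using Microsoft.Owin.Host.SystemWeb;
using Microsoft.Owin.Infrastructure;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class SameSiteCookieManager : ICookieManager
{
    private readonly ICookieManager _inner;

    public SameSiteCookieManager(ICookieManager inner)
    {
        _inner = inner ?? throw new ArgumentNullException(nameof(inner));
    }

    public void AppendResponseCookie(IOwinContext context, string key, string value, CookieOptions options)
    {
        CheckSameSite(context, options);
        _inner.AppendResponseCookie(context, key, value, options);
    }

    public void DeleteCookie(IOwinContext context, string key, CookieOptions options)
    {
        CheckSameSite(context, options);
        _inner.DeleteCookie(context, key, options);
    }

    public string GetRequestCookie(IOwinContext context, string key)
    {
        return _inner.GetRequestCookie(context, key);
    }

    private static void CheckSameSite(IOwinContext context, CookieOptions options)
    {
        // Only SameSite=None cookies are affected by the Chrome 80 rule.
        if (options.SameSite != SameSiteMode.None)
        {
            return;
        }

        // Chrome ignores SameSite=None unless Secure is also present, and a Secure
        // cookie can only be set over HTTPS. Behind a TLS-terminating proxy the
        // request reaches us as HTTP, so also trust X-Forwarded-Proto (assumption:
        // the proxy always sets it, so a client cannot spoof it).
        var forwardedProto = context.Request.Headers["X-Forwarded-Proto"];
        var isHttps = context.Request.IsSecure
                      || string.Equals(forwardedProto, "https", StringComparison.OrdinalIgnoreCase);
        if (!isHttps)
        {
            throw new InvalidOperationException(
                "SameSite=None cookie requested over HTTP; serve the app (and the proxy in front of it) over HTTPS.");
        }
        options.Secure = true;

        // Older clients (Safari on iOS 12 / macOS 10.14, Chrome 51-66) treat an
        // unknown SameSite=None as Strict, which would break the callback as well.
        // For them, omit the attribute and fall back to the browser default.
        var userAgent = context.Request.Headers["User-Agent"] ?? string.Empty;
        if (DisallowsSameSiteNone(userAgent))
        {
            options.SameSite = null;
        }
    }

    private static bool DisallowsSameSiteNone(string ua)
    {
        if (ua.Contains("CPU iPhone OS 12") || ua.Contains("iPad; CPU OS 12")) return true;
        if (ua.Contains("Macintosh; Intel Mac OS X 10_14") && ua.Contains("Version/") && ua.Contains("Safari")) return true;
        if (ua.Contains("Chrome/5") || ua.Contains("Chrome/6")) return true;
        return false;
    }
}

public partial class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            // Authority, ClientId, RedirectUri etc. as in your existing Okta setup.
            // SystemWebCookieManager writes through HttpContext so the attributes
            // survive the System.Web response pipeline.
            CookieManager = new SameSiteCookieManager(new SystemWebCookieManager())
        });
    }
}
```

If you have not yet moved to the 4.1 packages, the nonce cookie is written without any SameSite attribute and no cookie manager can add one; upgrading is the prerequisite. After deploying, confirm with the browser's developer tools that the Set-Cookie for the nonce cookie on the redirect to Okta reads `SameSite=None; Secure` and that the same cookie appears on the POST back to the redirect URI.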