
I'm running an ASP.NET MVC (4.7.2) web application. I authenticate externally with an Identity Server 4 instance with the Hybrid flow.

When testing the new "missing SameSite defaults to Lax" feature of Firefox, it doesn't send the Lax OpenIdConnect.Nonce cookie back to my MVC web application:

Image 1: all cookies have Lax

Image 2: no cookies provided at POST to signin-oidc (missing nonce cookie in the callback from Identity Server)

I get the error:

OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.

I tried a few things to enforce all cookies to have at least a None or Unspecified setting, but this OpenIdConnect.Nonce cookie keeps sticking at Lax.

app.UseKentorOwinCookieSaver();

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = "Cookies",
    CookieSameSite = SameSiteMode.None,
    CookieManager = new SameSiteCookieManager(new SystemWebCookieManager())
});

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    Authority = configDetails.IdentityProviderUrl,
    AuthenticationType = "Cookies",
    ClientId = configDetails.ClientId,
    Scope = configDetails.Scope,
    ResponseType = "id_token code",
    RedirectUri = !string.IsNullOrWhiteSpace(configDetails.RedirectUri) ? configDetails.RedirectUri : "~/",
    SignInAsAuthenticationType = "Cookies",
    UseTokenLifetime = false,
    Notifications = new OpenIdConnectAuthenticationNotifications
    {
        AuthorizationCodeReceived = AuthorizationCodeReceived,
        RedirectToIdentityProvider = n =>
        {
            if (n.ProtocolMessage.RequestType != Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectRequestType.Logout) return Task.FromResult(0);

            var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token");
            if (idTokenHint != null)
            {
                n.ProtocolMessage.IdTokenHint = idTokenHint.Value;
            }
            return Task.FromResult(0);
        }
    },
    CookieManager = new SameSiteCookieManager(new SystemWebCookieManager()),
});

In my web.config I've added:

<system.web>
  <httpCookies sameSite="None" requireSSL="true" />
</system.web>

I'm using the SameSiteCookieManager from Microsoft MSDN.

I hope someone can help me set this OpenIdConnect.Nonce cookie to None or Unspecified.

Many thanks in advance!

JonHendrix
    MS provided a runtime patch that changes the SameSite behaviour in ASP.Net. Have you applied this prior to testing? – mackie Jan 31 '20 at 11:19
  • @mackie Thanks for your reply. We host on Azure, running the EU-West region. According to this article (https://azure.microsoft.com/en-us/updates/app-service-samesite-cookie-update/) the patch should be applied on Azure in January. But, we did not check the patch versions. And of course, the instance we are working on does not have this patch (86.0.7.90 on Azure, required is 86.0.7.148). So that might be it! – JonHendrix Jan 31 '20 at 11:32

2 Answers


I have solved the SameSite issue by attaching to RedirectToIdentityProvider and manually setting it from there. Something like this:

RedirectToIdentityProvider = async n =>
{
    if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication)
    {
        // The OIDC middleware has just appended the nonce cookie to the response; find it by name.
        var nonceKey = HttpContext.Current.Response.Cookies.AllKeys.Where(x => x.Contains("nonce")).FirstOrDefault();
        if (nonceKey != null)
        {
            var nonce = HttpContext.Current.Response.Cookies.Get(nonceKey);
            nonce.SameSite = SameSiteMode.None;
        }
    }
}
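A fuller version of this hook, as an added example that is not the answerer's code: it also marks the nonce cookie Secure (browsers discard a SameSite=None cookie that is not Secure, so relaxing it over plain HTTP would lose the cookie entirely), it only relaxes SameSite when the authorization response will come back as a cross-site POST (response_mode=form_post, which is what the question's Hybrid flow hits on signin-oidc), and it reports how many cookies it touched so the behaviour can be logged. The class and method names are hypothetical; the "OpenIdConnect." prefix plus "nonce" match is assumed from the cookie name shown in the question. Like the answer above, it relies on the middleware writing its cookies through SystemWebCookieManager (as the question's configuration does), because the default Katana cookie manager emits raw Set-Cookie headers that System.Web's Response.Cookies collection never sees.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using System.Web;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;

// Hypothetical helper; not part of Katana or of the answer above.
public static class NonceCookieSameSite
{
    // The nonce cookie name carries a per-request suffix, so match on the
    // "OpenIdConnect." prefix plus "nonce" (assumed from the question's screenshot).
    private static bool IsNonceCookie(string key) =>
        key != null
        && key.StartsWith("OpenIdConnect.", StringComparison.OrdinalIgnoreCase)
        && key.IndexOf("nonce", StringComparison.OrdinalIgnoreCase) >= 0;

    // Returns the number of cookies adjusted so the effect is observable in logs.
    public static int RelaxNonceCookieSameSite(HttpResponse response, bool isHttps)
    {
        // SameSite=None is only honoured on Secure cookies. On plain HTTP the browser
        // would drop the cookie altogether, which is worse than leaving it Lax.
        if (!isHttps) return 0;

        var adjusted = 0;
        // Snapshot the keys: Set() below may touch the collection we iterate.
        foreach (var key in response.Cookies.AllKeys.Where(IsNonceCookie).ToList())
        {
            var cookie = response.Cookies.Get(key);
            if (cookie == null) continue;
            cookie.SameSite = SameSiteMode.None; // the callback is a cross-site POST
            cookie.Secure = true;                // mandatory companion of SameSite=None
            cookie.HttpOnly = true;              // script never needs the nonce
            response.Cookies.Set(cookie);
            adjusted++;
        }
        return adjusted;
    }

    // Assign this to OpenIdConnectAuthenticationNotifications.RedirectToIdentityProvider.
    public static Task OnRedirectToIdentityProvider(
        RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> n)
    {
        // Only the authentication request sets a nonce cookie; logout redirects do not.
        if (n.ProtocolMessage.RequestType != OpenIdConnectRequestType.Authentication)
            return Task.FromResult(0);

        // Only a form_post response (Katana's default) arrives as a cross-site POST,
        // where a Lax cookie is withheld. A query or fragment response is a top-level
        // GET navigation and Lax cookies still accompany it, so nothing to relax there.
        // An empty ResponseMode is treated as form_post, matching Katana's default.
        var responseMode = n.ProtocolMessage.ResponseMode;
        if (!string.IsNullOrEmpty(responseMode)
            && !string.Equals(responseMode, OpenIdConnectResponseMode.FormPost, StringComparison.Ordinal))
            return Task.FromResult(0);

        var ctx = HttpContext.Current;
        if (ctx != null)
            RelaxNonceCookieSameSite(ctx.Response, ctx.Request.IsSecureConnection);

        return Task.FromResult(0);
    }
}
```

Wire it up with `RedirectToIdentityProvider = NonceCookieSameSite.OnRedirectToIdentityProvider` inside the `Notifications` object. Relaxing SameSite on this one cookie costs little: the nonce cookie is per-request, short-lived and only meaningful together with the matching `nonce` claim in the id_token, and keeping it Secure and HttpOnly preserves the rest of its protection while the authentication cookie itself keeps whatever SameSite policy the cookie middleware applies.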

I have the same setup as you with IdSvr4 and asp.net 4.7.2 for the sameSite cookie changes. Mine seems to be working now. I used that cookie manager which seemed to do the trick. I didn't do the system.web httpCookie element though. See here to see if my post on this helps.

SO post on framework 4.7.2 and sameSite

gilm0079