
To be compatible with the Chrome 80- version, we have implemented SameSite cookies for an OWIN application with reference to https://learn.microsoft.com/en-us/aspnet/samesite/owin-samesite

We have:

  1. Upgraded OWIN to 4.1
  2. Targeted .NET Framework 4.7.2

It works fine in Chrome v80 Beta. However, in rigorous mode (`.\chrome.exe --enable-features=SameSiteDefaultChecksMethodRigorously`), it gives the following error:

Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolInvalidNonceException: IDX21323: RequireNonce is '[PII is hidden]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated. at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateNonce(OpenIdConnectProtocolValidationContext validationContext) at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateAuthenticationResponse(OpenIdConnectProtocolValidationContext validationContext) at Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationHandler.d__9.MoveNext(

Has anybody encountered this?

Leszek Mazur
Dao

1 Answer

Maybe it's a late reply on this problem, but late is better than never :-)

Chrome has been updated and made changes to mitigate cross-site request forgery (CSRF), and gradually these changes will be implemented in all browsers for security reasons. [https://blog.chromium.org/2020/05/resuming-samesite-cookie-changes-in-july.html]

The fix below worked for me.

  1. Add the code below to web.config.

<rewrite>
  <outboundRules>
    <!-- Add "SameSite=None" to any cookie which does NOT have it yet -->
    <!-- currently this only works for secure https cookies -->
    <rule name="Add SameSite">
      <conditions>
        <add input="{RESPONSE_Set_Cookie}" pattern="." />
        <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=None" negate="true" />
        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
      </conditions>
      <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
      <action type="Rewrite" value="{R:0}; SameSite=None" />
    </rule>

    <!-- Add "Secure" to any cookie which does NOT have it yet, as long as it's an HTTPS request,
         or else a secure cookie would just be ignored -->
    <rule name="Add Secure">
      <conditions>
        <add input="{RESPONSE_Set_Cookie}" pattern="." />
        <add input="{RESPONSE_Set_Cookie}" pattern="; Secure" negate="true" />
        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
      </conditions>
      <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
      <action type="Rewrite" value="{R:0}; Secure" />
    </rule>

    <!-- If SameSite was set to None by cookieSameSite="None",
         remove it for non-https requests (currently only works for https) -->
    <rule name="No SameSite For HTTP">
      <conditions>
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
      </conditions>
      <!-- (.*) captures the whole cookie before the attribute; with (.) only a single
           character of the header would survive the rewrite -->
      <match serverVariable="RESPONSE_Set_Cookie" pattern="(.*);(\s)SameSite=None" />
      <action type="Rewrite" value="{R:1}" />
    </rule>
  </outboundRules>
</rewrite>
  2. Use [https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/1072]
Dharman
  • Can you please tell me if there is any IIS setup needed for this to work? I've placed the code above inside the `` tag in Web.config, but I get the following error: *HTTP Error 500.19 - Internal Server Error. The requested page cannot be accessed because the related configuration data for the page is invalid*. – dzenesiz May 30 '23 at 09:40