4

I have a .Net Asp.Net WebApplication, and I am trying to use Okta for Single Sign On capabilities. I have all my code working and running except when I use Google Chrome 80+ to sign in. When I sign on to Okta and am called back to my application I get the following error. Below are the steps that I have tried so far. This works in all other browsers but is failing, most likely due to Chrome 80's SameSite cookie attribute changes.

Server Error in '/' Application.

IDX21323: RequireNonce is '[PII is hidden]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details:

Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolInvalidNonceException: IDX21323: RequireNonce is '[PII is hidden]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[OpenIdConnectProtocolInvalidNonceException: IDX21323: RequireNonce is '[PII is hidden]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.]
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateNonce(OpenIdConnectProtocolValidationContext validationContext) +1374
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateAuthenticationResponse(OpenIdConnectProtocolValidationContext validationContext) +219
Microsoft.Owin.Security.OpenIdConnect.d__11.MoveNext() +3770
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +27

  1. Upgraded .Net version to 4.7.2
  2. Upgraded Nuget packages for Microsoft.Owin to 4.1
  3. Added SameSite configs in startup
  4. Added web.config values
  5. Added CookieManager code

Startup.cs Configure() code

app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

// Session cookie: SameSite=None must be paired with Secure, otherwise Chrome 80+ rejects it.
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
    CookieSameSite = SameSiteMode.None,
    CookieSecure = CookieSecureOption.Always,
    CookieHttpOnly = true,
    CookieManager = new Code.SameSiteCookieManager(new Microsoft.Owin.Host.SystemWeb.SystemWebCookieManager())
});

app.UseOktaMvc(new OktaMvcOptions()
{
    OktaDomain = ConfigurationManager.AppSettings["okta:OktaDomain"],
    ClientId = ConfigurationManager.AppSettings["okta:ClientId"],
    ClientSecret = ConfigurationManager.AppSettings["okta:ClientSecret"],
    RedirectUri = ConfigurationManager.AppSettings["okta:RedirectUri"],
    PostLogoutRedirectUri = ConfigurationManager.AppSettings["okta:PostLogoutRedirectUri"],
    AuthorizationServerId = string.Empty,
    Scope = new List<string> { "openid", "profile", "email" },
});

// This validator is created here but never handed to the Okta/OIDC middleware,
// so the RequireNonce = false setting is not actually applied to the sign-in flow.
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator dd = new Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator();
dd.RequireNonce = false;

//Init ADM Kit and start logging.
Code.KitHelper.Init();
serhio
MattyMerrix
  • I've also been experiencing this issue, came out of the blue as well. I haven't touched the authentication code since it went live 6 months ago. Strangely it only affects me locally, once deployed it works as expected. – Brandonm Sep 01 '20 at 10:01
  • @Brandonm did you upgrade to .Net version to 4.7.2 or did you just have to set the CookieSecure option to Always? – MattyMerrix Sep 01 '20 at 18:23
  • yes I did in fact also migrate to 4.7.2 as well as upgrade the associate OpenIdConnect nuget packages to the latest version supported. All my Cookie Authentication Options are set to their default values. – Brandonm Sep 03 '20 at 07:54

2 Answers

5

Check if you are experiencing this issue only in Chrome. If so, this would be because of the new security implementation launched in version 80.

If enabled, cookies without SameSite restrictions must also be Secure. If a cookie without SameSite restrictions is set without the Secure attribute, it will be rejected. This flag only has an effect if "SameSite by default cookies" is also enabled. – Mac, Windows, Linux, Chrome OS, Android

You can however disable this in chrome://flags, but it is now enabled by default:

#cookies-without-same-site-must-be-secure

You'll have to restart Chrome once you've set this to disabled. This resolved my issues and explains why in production everything was working as expected but locally I was getting nonce errors.

Brandonm
  • Thanks Brandon, I think you are right, I think my issue is the nonce cookie is not being delivered because it is not explicitly set to Secure, and that is why chrome 80 is breaking. I was able to disable the setting you mentioned, previously, it seems to provide a decent work around. I am still looking into this as my dev code is still not working, I think I need to test with https to confirm that this works. – MattyMerrix Sep 01 '20 at 16:36
  • Please do feedback if you find another solution. My local dev is done in HTTP and my production deployments are done in HTTPS. It's not an ideal work around but it allows me to at least continue without disabling Owin Automatic Startup to completely bypass authenticating locally. No issues in production thank goodness – Brandonm Sep 03 '20 at 07:56
  • 1
    We were able to add web.configs to mark the cookies as Secure, this fixed the problem in Chrome 80 without setting the flag #cookies-without-same-site-must-be-secure work-around. Thanks again, great answer! – MattyMerrix Feb 11 '21 at 15:13
  • Google have removed the option to disable this flag in Chrome 94. – to6y Oct 13 '21 at 08:23
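The rule quoted in the answer above (a cookie with SameSite=None but no Secure attribute is rejected; a cookie with no SameSite attribute is treated as Lax) can be checked against the Set-Cookie headers a dev server actually emits. The audit below is an added example, not code from the question, the answer or the Okta SDK; the cookie names and values are constructed samples, and the "OpenIdConnect.nonce." prefix is used only to stand in for the middleware's nonce cookie.

```python
"""Audit Set-Cookie headers against the Chrome 80+ SameSite rules described above.

Added example; headers below are constructed samples, not captured from any app.
"""

REJECTED = "rejected"              # SameSite=None without Secure: Chrome 80+ drops the cookie
LAX_BY_DEFAULT = "lax-by-default"  # no SameSite attribute: Chrome 80+ treats it as Lax
CROSS_SITE_OK = "cross-site-ok"    # SameSite=None; Secure: returned on the cross-site callback


def parse_set_cookie(header):
    """Return (cookie_name, {attribute_lowercase: value}) for one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def chrome80_verdict(header):
    """Classify how Chrome 80+ handles the cookie when the IdP sends the browser back cross-site."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        return name, CROSS_SITE_OK if "secure" in attrs else REJECTED
    if samesite == "":
        return name, LAX_BY_DEFAULT
    return name, samesite  # explicit "lax" or "strict": withheld on cross-site requests


def harden_set_cookie(header):
    """Append the Secure attribute that SameSite=None requires; other headers are returned unchanged."""
    _, attrs = parse_set_cookie(header)
    if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
        return header.rstrip("; ") + "; Secure"
    return header


# Constructed sample: what a local HTTP dev server might emit before the web.config fix.
SAMPLE_HEADERS = [
    "OpenIdConnect.nonce.abc123=nonceval; path=/; HttpOnly; SameSite=None",  # rejected
    ".AspNet.Cookies=sessionval; path=/; HttpOnly; SameSite=None; Secure",    # delivered
    "legacy=1; path=/",                                                       # Lax by default
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        name, verdict = chrome80_verdict(header)
        print(f"{name}: {verdict}")
        if verdict == REJECTED:
            print("  fixed header:", harden_set_cookie(header))
```

A rejected nonce cookie is exactly what produces the IDX21323 error in the question: the callback arrives, but the browser never sends the cookie the validator needs.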
0

I would like to add that you could check if there is a configuration in your project or in the environment (like a load balancer) that is making the communication via http and not https.

Related thread: https://github.com/okta/okta-aspnet/issues/131

hawk