
I use Duende Software and the Backend for Frontend pattern.

All is well locally with Edge / Chrome / Firefox.

When I deploy my solutions to my server, all is well on Edge / Chrome, but on Firefox (111.0 (64-bit)) I get this exception:

System.Exception: An error was encountered while handling the remote login.
 ---> System.Exception: Correlation failed.
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)

In the logs, I see it's because I have no cookie:

.AspNetCore.Correlation.1GVEGnaW7Z81J1EaVhD_zICu3gQNfSktAd9fhpH1tfg' cookie not found.

The cookie seems to disappear on Firefox.

Here is my Program.cs code from my client solution (in fact it's based on the "JS with backend" sample from the Duende Software GitHub quickstarts):

using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using Duende.Bff.Yarp;
using JavaScriptClient;
using Microsoft.AspNetCore.Authorization;
using Serilog;

var builder = WebApplication.CreateBuilder(args);

JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
builder.Services.AddAuthorization();

builder.Services
    .AddBff()
    .AddRemoteApis();

builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = "Cookies";
        options.DefaultChallengeScheme = "oidc";
        options.DefaultSignOutScheme = "oidc";
    })
    .AddCookie("Cookies")
    .AddOpenIdConnect("oidc", options =>
    {
        options.Authority = "https://myIdentityProvider.com";
        options.ClientId = "MyCliendId";
        options.ClientSecret = "MySecret";
        options.ResponseType = "code";
        options.ResponseMode = "query";
        options.Scope.Add("MyScope");
    });

var app = builder.Build();
if (app.Environment.IsDevelopment())
{
    app.UseDeveloperExceptionPage();
}

app.UseDefaultFiles();
app.UseStaticFiles();

app.UseRouting();
app.UseAuthentication();

app.UseBff();

app.UseAuthorization();

app.UseEndpoints(endpoints =>
{
    endpoints.MapBffManagementEndpoints();

    // Uncomment this for Controller support
    //endpoints.MapControllers()
    //    .AsBffApiEndpoint();
    //

    endpoints.MapGet("/local/identity", LocalIdentityHandler)
        .AsBffApiEndpoint();

    endpoints.MapRemoteBffApiEndpoint("/remote", "https://localhost:6001")
        .RequireAccessToken(Duende.Bff.TokenType.User);
});

app.Run();

[Authorize]
static IResult LocalIdentityHandler(ClaimsPrincipal user, HttpContext context)
{
    var name = user.FindFirst("name")?.Value ?? user.FindFirst("sub")?.Value;
    return Results.Json(new { message = "Local API Success!", user = name });
}

Firefox Developer Tools when redirecting to the client:

An example of the URL : https://dev-XXXXXX/signin-oidc?code=88DC10688209D96A964BEC3C5C0E935B375F44E6D6311EC6D04ACFF47C4091CC-1&scope=openid%20profile%20MyScope&state=CfDJ8ESufyjmGeFBgfz5grcuHwKuuygHk3CR2e9tfyvMv_nl8txvzjV1JKDobk3vHAQvheQcvM4luZc4h8gEkWjt-w-EsSBn1AE6fXj3JNtUUY2jwTdLIgexUTdqpIOqGHmQGpr5sHrJC4t_86Af2SFDKqy1sqUPj3Z60VWHS4VLsz0T86TfgSChhyDPZND4XPJ-gCq5oPAeLfzUP37He9atgsdUGCYWuPjLSiWCOfthmIPvwWL4JWzFb_kmfnQRO9aZbjWAEA7m6pFDAZedJbIfLaRmEN09Ukjs9H6RkzSbw8_KGQ9rOpOo2A0LRX5ErN517Ktj8y5QTChXHi2ckwZcUqfs8IGjN_txOq3oZyLCg8kXAFRXGdNEfdEksvR9UQbYGbO3xvZKLuDYFgJwXvwF9bs&session_state=R1sXE2TDTqckzL1VNU9SOkPPUP-U2uJf4amKEWQPTQE.A8F7AA6340E886AC794E6C8011425C18&iss=https%3A%2F%2FmyIdentityProvider.com%3A820

EDIT: Actually, my server time was 2 hours behind, so the cookie was already expired; it didn't bother Edge or Chrome, but Firefox removed the cookie.

Brak
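The root cause described in the EDIT, as an added example that is not part of the original question: a correlation cookie stamped with an Expires value from a server clock that runs behind is already expired from the browser's point of view, so it is never sent back on the /signin-oidc callback and the handler reports "Correlation failed." It assumes the ASP.NET Core default RemoteAuthenticationTimeout of 15 minutes; the cookie name and the timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime
from typing import Optional

# ASP.NET Core's remote authentication handler stamps the correlation cookie with
# Expires = server UtcNow + RemoteAuthenticationTimeout (15 minutes by default).
REMOTE_AUTH_TIMEOUT = timedelta(minutes=15)
# Constructed cookie name; the real one carries a random suffix, as in the question's log.
COOKIE_NAME = ".AspNetCore.Correlation.EXAMPLE"


def correlation_set_cookie(server_now: datetime) -> str:
    """Build the Set-Cookie header the server emits when it redirects to the IdP."""
    expires = format_datetime(server_now + REMOTE_AUTH_TIMEOUT, usegmt=True)
    return (f"{COOKIE_NAME}=N; expires={expires}; path=/signin-oidc; "
            "secure; samesite=none; httponly")


def parse_expires(set_cookie: str) -> Optional[datetime]:
    """Return the Expires attribute as an aware datetime, or None if absent."""
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "expires":
            return parsedate_to_datetime(value)
    return None


def browser_keeps_cookie(set_cookie: str, browser_now: datetime) -> bool:
    """RFC 6265 section 5.3: a cookie whose expiry time is not later than the
    current time, as the *browser* sees it, is evicted immediately."""
    expires = parse_expires(set_cookie)
    return expires is None or expires > browser_now


def callback_outcome(server_skew_minutes: float) -> str:
    """Simulate the round trip for a server clock that is off by the given number
    of minutes relative to the browser's (correct) clock."""
    browser_now = datetime(2023, 3, 24, 16, 0, tzinfo=timezone.utc)  # constructed
    server_now = browser_now + timedelta(minutes=server_skew_minutes)
    header = correlation_set_cookie(server_now)
    if browser_keeps_cookie(header, browser_now):
        return "ok"
    return "Correlation failed."  # the cookie is not found on the callback


if __name__ == "__main__":
    for skew in (0, -10, -120):  # -120 is the two-hours-behind server from the EDIT
        print(f"server clock skew {skew:+} min -> {callback_outcome(skew)}")
```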

2 Answers

You need to use HTTPS, because otherwise important cookies will be blocked due to the SameSite attribute that we set on cookies nowadays.

In Firefox, to see why Cookies are rejected:

  1. Open the Browser Developer Tools (F12)
  2. Select the Console tab, and in the console, you should see the reasoning why the cookies were rejected

Tore Nestenius

Try using the following cookie option:

.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options => {
    options.Cookie.SameSite = SameSiteMode.Strict;
})

There are two interesting points here:

  • The .NET stack uses SameSite=None cookies by default, whereas the above setting is the most secure option, with the best protection against cross-site request forgery.

  • It also provides a more convenient developer experience. Cookie rules behave the same over both HTTP and HTTPS, so developers run into less confusion.

If you are interested, the RFC 6265 spec explains more about the same-site behaviours.

Gary Archer
  • Thanks, I tested that but I still have the same problem on Firefox when I deploy on my server. – Brak Mar 24 '23 at 16:54