Correlation failed in net.core / asp.net identity / openid connect

Question

I getting this error when a Azure AD user login (I able to get the user´s claims after), im using a combination of OpenIdConnect, with asp.net Identity core over net.core 2.0

An unhandled exception occurred while processing the request. Exception: Correlation failed. Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler+d__12.MoveNext()

The trace:

Exception: Correlation failed. Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler+d__12.MoveNext() System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) System.Runtime.CompilerServices.TaskAwaiter.GetResult() Microsoft.AspNetCore.Authentication.AuthenticationMiddleware+d__6.MoveNext() System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware+d__7.MoveNext()

Correlation Failed

Here is my Startup.cs:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using BPT.PC.IdentityServer.Data;
using BPT.PC.IdentityServer.IdentityStore;
using BPT.PC.IdentityServer.Models;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

namespace BPT.PC.IdentityServer.Web
{
    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddIdentity<User, Role>()
                .AddUserStore<UserStore>()
                .AddRoleStore<RoleStore>()
                .AddDefaultTokenProviders();

            services.AddMemoryCache();
            services.AddDistributedMemoryCache();
            services.AddDbContext<IdentityServerDb>(options => options.UseSqlServer(Configuration.GetConnectionString("IdentityServerDb")));

            services.AddMvc();
            services.AddAuthentication(auth =>
            {
                auth.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                auth.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                auth.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            })
            .AddCookie()
            .AddOpenIdConnect("AzureAD", opts =>
            {
                Configuration.GetSection("OpenIdConnect").Bind(opts);
                opts.RemoteAuthenticationTimeout = TimeSpan.FromSeconds(120);
                opts.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;

                opts.CorrelationCookie = new Microsoft.AspNetCore.Http.CookieBuilder
                {
                    HttpOnly = false,
                    SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None,
                    SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.None,
                    Expiration = TimeSpan.FromMinutes(10)
                };

                opts.Events = new OpenIdConnectEvents()
                {
                    OnRedirectToIdentityProvider = OnRedirectToIdentityProvider,
                    OnRemoteFailure = OnRemoteFailure,
                    OnAuthorizationCodeReceived = OnAuthorizationCodeReceived
                };
                //opts.Events = new OpenIdConnectEvents
                //{
                //    OnAuthorizationCodeReceived = ctx =>
                //    {
                //        return Task.CompletedTask;
                //    }
                //};
            });

            //services.ConfigureApplicationCookie(options =>
            //{
            //    // Cookie settings
            //    options.Cookie.HttpOnly = true;
            //    options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
            //    options.SlidingExpiration = true;
            //});
        }

        private Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedContext arg)
        {
            return Task.FromResult(0);
        }

        private Task OnRemoteFailure(RemoteFailureContext arg)
        {
            return Task.FromResult(0);
        }

        private Task OnRedirectToIdentityProvider(RedirectContext arg)
        {
            return Task.FromResult(0);
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseBrowserLink();
                app.UseDeveloperExceptionPage();
            }
            else
            {
                app.UseExceptionHandler("/Home/Error");
            }

            app.UseStaticFiles();
            app.UseAuthentication();

            app.UseMvc(routes =>
            {
                routes.MapRoute(
                    name: "default",
                    template: "{controller=Account}/{action=Login}/{id?}");
            });
        }
    }
}

My appsettings.json:

{
  "Logging": {
    "IncludeScopes": false,
    "LogLevel": {
      "Default": "Warning"
    }
  },

  "ConnectionStrings": {
    "IdentityServerDb": "Server=localhost;Database=IdentityServer;Trusted_Connection=True;MultipleActiveResultSets=true"
  },

  "OpenIdConnect": {
    "ClientId": "xxxxx",
    "Authority": "https://login.microsoftonline.com/xxxxx/",
    "PostLogoutRedirectUri": "/Account/SignoutOidc",
    "CallbackPath": "/Account/SigninOidc",
    "UseTokenLifetime": true,
    "RequireHttpsMetadata": false,
    //"ResponseType": "code id_token",
    "ClientSecret": "xxx",
    "Resource": "https://graph.microsoft.com/"
  }
}

And the implementation:

[HttpGet]
public IActionResult CorpLogin()
{
  var authProperties = _signInManager
                .ConfigureExternalAuthenticationProperties("AzureAD",
     Url.Action("SigninOidc", "Account", null, Request.Scheme));

   return Challenge(authProperties, "AzureAD");
}

[HttpPost]
public IActionResult SigninOidc([FromForm]object data)
{
//this never runs
   return Ok();
}

Maybe, but I could fixed the problem excluding asp.net identiy, do you know if there is any known issue at that? — Augusto Sanchez, May 11 '18 at 16:04
The error description is very unhelpful to people unfamiliar with OIDC internals: I want to know exactly what "correlation failed" means - what X is trying to correlate what Y with what Z? — Dai, Nov 28 '18 at 03:14
@Wayne in my case there is a proxy, any hint how to make that work even with proxy in place? — Samuel, May 26 '19 at 01:54
The problem I had was that `RemoteAuthenticationTimeout` was set to just 30 seconds. When external authentication occasionally took longer you would get a correlation error. I extended it to the default of 15 minutes. — Wouter, Sep 02 '22 at 12:00

score 75 · Answer 1 · answered Aug 02 '20 at 01:22

75

If you're using Chrome against localhost, you may have run into a change in Chrome cookie-handling behaviour.

To verify, navigate to chrome://flags/ and change "Cookies without SameSite must be secure" to "Disabled".

If that change fixes the issue, and you want to fix it permanently (i.e. not rely on the chrome flags fix), this thinktecture post talks about the underlying issue and some fixes that you'll need for old iOS safari versions.

answered Aug 02 '20 at 01:22

dbruning

5,042
5
34
35

Thanks, this combined with Riyaz's answer solved it for me: I switched to a secure local endpoint, and Chrome properly forwarded the cookies. – joe Sep 19 '20 at 20:27
You rule, man, many thanks. Was fighting that one for a couple of hours until I found your answer! – Charles d'Avernas Nov 19 '20 at 10:55
1

Can you provide the solution from thinktecture? I think this is somewhat of a link-only answer. – Jess Feb 09 '21 at 20:02
For me, "Enable removing SameSite=None cookies" Enabled fixed my problem – Ibrahim ULUDAG Oct 22 '21 at 12:21
Perfect answer for anyone using Chrome and localhost while developing! You, sir, are a friggin' evil GENIUS :-) – joedotnot Feb 24 '23 at 05:32

score 37 · Answer 2 · answered Nov 17 '20 at 11:14

37

I was hitting this issue when using login with Google using .net Identity in Blazor on chrome. I had a new requirement to get it to work without https, it had been working fine with https.

I read in multiple answers variants of changing to

app.UseCookiePolicy(new CookiePolicyOptions()
{
    MinimumSameSitePolicy = SameSiteMode.None
});

I wish I'd read @dbruning's answer's article sooner. It mentioned in the article which isn't mentioned anywhere else: Please note: The setting SameSite=None will only work if the cookie is also marked as Secure and requires a HTTPS connection. The method's intellisense summary doesn't mention this which I think it definitely should...

So after that I just tried using SameSiteMode.Lax instead and it worked for me again. No other changes required from the default blazor project startup.cs

app.UseCookiePolicy(new CookiePolicyOptions()
{
    MinimumSameSitePolicy = SameSiteMode.Lax
});

answered Nov 17 '20 at 11:14

James

4,146
1
20
35

2

This fixed it for me. Because I'm not exposing my identity server (keycloak) to the outside world, I don't want to set up HTTPS for nothing. Thanks @James! – Timo Hermans Nov 23 '20 at 19:14
Where exactly in your middleware pipeline did you put this? I'm asking since the order of middleware registration is important. – Pieterjan Jul 21 '21 at 12:54
My configure method looks like this: app.UseHsts(); app.UseStaticFiles(); app.UseRouting(); app.UseCookiePolicy(new CookiePolicyOptions() { MinimumSameSitePolicy = SameSiteMode.Lax }); app.UseAuthentication(); app.UseAuthorization(); app.UseEndpoints(....) – James Jul 21 '21 at 16:48
not quite the answer I needed, but got me to realize that I wasn't using HTTPS – Angelo Bernardi Dec 13 '21 at 00:52
This worked for me in Configure(), but not at first because I originally had this option set up in ConfigureServices like services.Configure(options => { options.MinimumSameSitePolicy = SameSiteMode.None; }); which was not working when testing dev with localhost. – mfsumption Mar 17 '22 at 04:42

score 26 · Answer 3 · answered Jun 30 '21 at 10:35

I was having a very similar issue and none of the answers posted in this whole thread worked for me. I will describe how I reached the solution, in case it can help anybody else.

In my case, I have a web app with ASP.NET Core 3.1 (migrated from 1.x) and implemented authentication with the following snippet in the ConfigureServices method, from Startup.cs (as described here):

services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));

The error thrown, as can be seen here, had a much simpler stack trace that the one described on this thread.

In the end, the problem was that cookies were not being set as secure. To do so, I just added the following code snippet right before the services.AddAuthentication pasted above.

services.Configure<CookiePolicyOptions>(options =>
{
    options.Secure = CookieSecurePolicy.Always;
});

Furthermore, I added a call to app.UseCookiePolicy() right before the call to app.UseRouting() in the Configure() method in Startup.cs.

This! This answer right here! I spent couple hours trying to fix this Correlation failed problem and nothing worked. But this solution, with pretty nice and straightforward step-by-step guide solved it for me. Thank you! — Bukk94, Jan 11 '22 at 19:22
SWEET JESUS, HALELUJAH! You should get a Nobel prize for world peace. — Ondrej Valenta, Sep 19 '22 at 01:42

score 20 · Accepted Answer · answered May 15 '18 at 18:13

I've finally found the solution, I´ll post here just in case somebody have a similar problem.

Looks like the principal problem was that my redirect URI was the same that the CallBackPath:

"CallbackPath": "/Account/SigninOidc"

var authProperties = _signInManager .ConfigureExternalAuthenticationProperties("AzureAD", Url.Action("SigninOidc", "Account", null, Request.Scheme));

Well, here is my corrected Startup.cs:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using BPT.PC.IdentityServer.Data;
using BPT.PC.IdentityServer.IdentityStore;
using BPT.PC.IdentityServer.Models;
using BPT.PC.IdentityServer.Web.Models;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

namespace BPT.PC.IdentityServer.Web
{
    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddIdentity<User, Role>()
                .AddUserStore<UserStore>()
                .AddRoleStore<RoleStore>()
                .AddDefaultTokenProviders();

            services.AddMemoryCache();
            services.AddDistributedMemoryCache();
            services.AddDbContext<IdentityServerDb>
                (options => options.UseSqlServer(Configuration.GetConnectionString("IdentityServerDb")));

            services
                .AddMvc();
            services
                .AddAuthentication(auth =>
                {
                    auth.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                    auth.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                    auth.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                })
                .AddCookie()
                .AddOpenIdConnect("AzureAD", "AzureAD", options =>
                {
                    Configuration.GetSection("AzureAD").Bind(options); ;
                    options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
                    options.RemoteAuthenticationTimeout = TimeSpan.FromSeconds(120);
                    options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                    options.RequireHttpsMetadata = false;
                    options.SaveTokens = true;
                });

            services.AddSingleton(Configuration.GetSection("OpenIdConnectProviderConfiguration").Get<OpenIdConnectProviderConfiguration>());

        }
        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseBrowserLink();
                app.UseDeveloperExceptionPage();
            }
            else
            {
                app.UseExceptionHandler("/Home/Error");
            }

            app.UseStaticFiles();
            app.UseAuthentication();

            app.UseMvc(routes =>
            {
                routes.MapRoute(
                    name: "default",
                    template: "{controller=Account}/{action=Login}/{id?}");
            });
        }
    }
}

And the finally implementation:

[HttpGet]
public IActionResult CorpLogin()
    {
        var authProperties = _signInManager
            .ConfigureExternalAuthenticationProperties("AzureAD",
            Url.Action("LoggingIn", "Account", null, Request.Scheme));

        return Challenge(authProperties, "AzureAD");
    }

The appsettings.json is the same.

Tim.Tang · Answer 5 · 2020-03-25T23:36:18.137

7

Just FYI: I met same issue which cost me almost 1 day to investigate on this issue. finally I found that after remove below code from my startup.cs and everything is working: CookiePolicyOptions cookiePolicy = new CookiePolicyOptions() { Secure = CookieSecurePolicy.Always, };

I am following up this with Microsoft support team, will update this back if get got any response.

edited Mar 25 '20 at 23:36

answered Mar 24 '20 at 08:04

Tim.Tang

3,158
1
15
18

9

So did you get a response from MS? – hbulens Sep 02 '20 at 13:27

score 6 · Answer 6 · answered Mar 12 '19 at 13:35

The problem for me was that the clock on my machine (I am using a virtual machine) was not set to the correct time. It was behind by a few days because I had paused the VM after last using it.

So the solution was to simply adjust the clock to be the correct time.

score 4 · Answer 7 · answered Nov 07 '19 at 14:17

This Happens when you try to access the URL which is assigned as 'Callback Path' in your OIDC settings.

To resolve this change your Callback Path to something like, 'MyController/MyAction' which will redirect you to your specific URL , in your case '/Account/SigninOidc'.

score 4 · Answer 8 · answered Sep 03 '20 at 22:19

In my case, I had to go to Visual Studio menus,

Project=> Application Properties => Debug tab = Enable SSL true

And in the actual OAuth configuration in FB Developer's account, set use https. This has resolved. There may be different complicated problems for others. In my case this has sorted it.

score 3 · Answer 9 · answered Jul 08 '20 at 21:28

Thanks to Tim.Tang's answer, I figured out what caused the error on my end on Core 2.2. It was similar except that the error appeared when I removed the code for cookie policy in Startup.cs > ConfigureServices method:

services.Configure<CookiePolicyOptions>(options =>
{
    // This lambda determines whether user consent for non-essential cookies is needed for a given request.
    options.CheckConsentNeeded = context => true;
    options.MinimumSameSitePolicy = SameSiteMode.None;
});

This was because I forgot to also remove app.UseCookiePolicy(); code in the Configure method.

score 3 · Answer 10 · answered Feb 17 '22 at 12:59

3

using this at top of my Configure method Solved My Issue

app.UseCookiePolicy(new CookiePolicyOptions()
    {
        MinimumSameSitePolicy = SameSiteMode.Lax
    });

answered Feb 17 '22 at 12:59

Khashayar Nourian

43
1
4

score 1 · Answer 11 · answered Apr 08 '21 at 01:28

1

Put this at the top of Startup.Configure(), before other middleware Uses:

app.UseCookiePolicy(new CookiePolicyOptions
{
    MinimumSameSitePolicy = SameSiteMode.Strict
});

Tested using IdentityServer 4.1.2, .NET Core 5

answered Apr 08 '21 at 01:28

Michael Ribbons

1,753
1
16
26

remondo · Answer 12 · 2022-12-05T04:59:10.787

For my case, I am getting this error when hosting the webapp inside Kubernetes with Nginx-Ingress as reverse proxy.

I noticed that the cookie is being stored in the browser, but with an incorrect path. The path is "/signin-oidc", instead of "/X/Y/signin-oidc", that's why the browser did not send the cookie to the webapp server when navigating to "/X/Y/signin-oidc".

The fix for me was to set the Cookie Path of the NonceCookie and CorrelationCookie to "/X/Y/signin-oidc"

builder.AddOpenIdConnect("oidc", options =>
{
    ...
    options.NonceCookie.Path = "/X/Y/signin-oidc";
    options.CorrelationCookie.Path = "/X/Y/signin-oidc";
});

Update: In the end, I did not set the NonceCookie or CorrelationCookie Path anymore. There are other corner cases not covered by this workaround. Instead, I simply set the pathbase value.

string pathBase = "/x/y";
app.UsePathBase(pathBase);
app.Use(async (context, next) =>
{
    context.Request.PathBase = pathBase;
    await next();
});

score 0 · Answer 13 · answered May 31 '20 at 10:31

0

This issue is mostly happening when you are running identity server on http and browser is chrome , try running the application on IE Edge or use https always should fix the issue

answered May 31 '20 at 10:31

user3660188

19
3

score 0 · Answer 14 · answered Mar 05 '21 at 02:51

I had the exact same problem

Exception: Correlation failed.

while trying to authenticate my dotNet Core 3 app to AzureAD.

Changing my launch profile to "Project" and adding a https App URL ("https://localhost:5001;http://localhost:5000") actually did the trick for me!

score 0 · Answer 15 · answered Dec 14 '21 at 03:14

In my case I had to provide a random sslPort in the launchSettings.json file, before it was 0.

"iisSettings": {
"windowsAuthentication": false,
"anonymousAuthentication": true,
"iisExpress": {
  "applicationUrl": "http://localhost:17950",
  "sslPort": 44312
}

score 0 · Answer 16 · answered Jan 19 '22 at 01:06

0

I suddenly got this in every browser today while debugging in Visual Studio and fixed it by switching to IIS Express from Kestrel.

answered Jan 19 '22 at 01:06

Michael Nario

1
1

1

As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Jan 19 '22 at 08:56
When hosting using Kestrel, are you under some reverse proxy (e.g. hosting it under "https://A:8000/B/C")? Maybe the context.Request.PathBase is not correct. Hosting under IIS automatically sets the Request.PathBase. But if running under Kestrel, it may not be automatically set. – remondo Jul 14 '22 at 02:31

tappetyclick · Answer 17 · 2022-06-28T12:48:03.060

I hit this and the issue turned out to be case sensitive cookie paths. I was lowercasing the redirect_uri (because these are case sensitive). And I think the middleware sets the cookie path based on "basePath".

My startup ended up looking like this:

services.AddAuthentication().AddMicrosoftAccount(microsoftOptions =>
    {
            microsoftOptions.ClientId = configuration["Authentication:Microsoft:ClientId"];
            microsoftOptions.ClientSecret = configuration["Authentication:Microsoft:ClientSecret"];
            // The path is case sensitive so just override
            microsoftOptions.CorrelationCookie.Path = "/"; 
            microsoftOptions.Events.OnRedirectToAuthorizationEndpoint = context =>
            {
                var redirectUriParam = "redirect_uri";

                var uri = new UriBuilder(context.RedirectUri);
                var qs = HttpUtility.ParseQueryString(uri.Query);

                string returnUrl = qs.Get(redirectUriParam);
                if (!string.IsNullOrEmpty(returnUrl))
                {
                    // The return urls are case sensitive so force this to lower case
                    qs.Set(redirectUriParam, returnUrl.ToLower());
                }

                uri.Query = qs.ToString();
                string redirectUrl = uri.Uri.ToString();
                context.Response.Redirect(redirectUrl);
                return Task.CompletedTask;
            };
        });

See also: https://github.com/IdentityServer/IdentityServer3/issues/1876

score 0 · Answer 18 · answered Mar 24 '23 at 13:49

IF you are using Azure AD B2C, and see this error message:

Error.
An error occurred while processing your request.
Request ID: 00-0480476dfa246c5453a194d2c2964922-ee229bd333b36f8b-00

Details Correlation failed.

It means that you have not added the CallBack URL to the configuration.

To fix, log onto Azure, and switch to the Directory which has the Azure B2C.

Go to "App Registrations" and then select your App.

Then select "Authentication" on the left under "Manage".

It will then show you a list of "Redirect URIs".

Add the URL you were trying to use to this list.

After adding to the list wait an hour before testing as it takes Azure time to propagate this setting. If you test too soon, it will show the same error message.

Kappacake · Answer 19 · 2023-08-16T13:34:18.550

0

I am using .net 7 MVC, with AWS Cognito setup as an OpenId provider.

I got this error when deploying the website on AWS App Runner. Worked fine locally.

The trick was adding the following code to Program.cs:

app.UseCookiePolicy(new CookiePolicyOptions
{
    Secure = CookieSecurePolicy.Always
});

edited Aug 16 '23 at 13:34

answered Aug 16 '23 at 13:19

Kappacake

1,826
19
38

score 0 · Answer 20 · answered Aug 21 '23 at 10:07

0

I had this issue in one of the projects and the below code fixed the issue for .net Core

app.UseForwardedHeaders(new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedProto
});

answered Aug 21 '23 at 10:07

Kiran B

683
10
21

score -1 · Answer 21 · answered Aug 19 '22 at 08:41

Having app on .NET 6. The app is on HTTP, because the HTTPS is provided by a load-balancer. I have problems with OAuth for Seznam Oauth provider (OAuth provider/e-mail service in the Czech Republic).

For me, the code that solve the problem was:

options.CorrelationCookie.SameSite = SameSiteMode.Lax;

In Startup.cs ConfigureServices method:

services.AddOAuth<CustomOAuthAuthenticationOptions, CustomOAuthClientAuthentication>("MyAuthScheme", "MyAuthScheme", options =>
{
    options.CorrelationCookie.SameSite = SameSiteMode.Lax;
});

Setting the CorrelationCookie help to solve the problem. Maybe it will work for other providers.

The reason I can't use the UseCookiePolicy extension method is that we support different authentication methods in our app, that requires different cookie options.

Correlation failed in net.core / asp.net identity / openid connect

21 Answers21

Linked