No Cookies After Successful SignIn

[theonesuperdave]

I have seen several issues which mirror some of the symptoms I see, but either the remedies do not work, or the environment does not match mine. So putting something here hopeful that someone can steer me into the proper fix.

I'm building an auth server using Asp.net Core Identity and Identity Server 4 (v3.1.0). My use case fails in the browser after successfully logging in for both Azure AD and ASP.net Identity "types." Everything worked a month ago, but now this issue is present. Integration tests validate proper JWT tokens work just fine.

Azure AD

It looks like my core issue is the auth cookie is getting "dropped" somewhere in the handshaking. For Azure AD, I see the issue as Exception: Correlation failed. which relates back to this debugging message:

Warning] Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler
'.AspNetCore.Correlation.AzureADOpenID.9n9G6ABl1Qfb8ZORCTNrnkj8--h4pKRRhxPc4k_SJWk' cookie not found.

Using Fiddler, I can confirm the cookie is not set as requested in the response to the External/Challenge?provider=AzureAD endpoint. Rather, when posting to the signin-oidc endpoint, the id_token is sent, but no cookies.

External/Challenge Response

Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler
AuthenticationScheme: AzureADOpenID was challenged.

Asp.Net Identity

For this login, everything succeeds, and appears fine when I am redirected to my MVC page.

Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler
AuthenticationScheme: Identity.Application signed in.

However, the HttpContext.User.Identity is always "empty," assuming because the cookie is not present which contains that information. As a result, IsAuthenticated is always false.

Startup

I do not explicitly configure cookies anywhere in Startup, but it was all working with cookies before for these use cases. My setup is pretty standard.

ConfigureServices

                services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
                .AddAzureAD(options =>
                {
                    options.ClientId = azureAdOptions.ClientId;
                    options.ClientSecret = azureAdOptions.TenantId;
                    options.Domain = this.AuthServerUrl;
                    options.Instance = $"{azureAdOptions.AadInstance}{azureAdOptions.TenantId}";
                    options.CallbackPath = openIdConnectOptions.CallbackPath;
                });

Configure

            app.UseIdentityServer();
            app.UseAuthentication();
            app.UseAuthorization();

Runtime

Asp.Net Core 3.1.3
Asp.Net Core Identity 3.1.3
Identity Server 4 (v3.1.0)
Kestrel
AzureAD

I have tried numerous things from "AllowAll" for CORS to using AzureADDefaults.CookieScheme but it's the same symptoms each time. Going through the git history, nothing stands out that would lead to this issue. Looking for some guidance on what to try next.

What am I missing? What can I try next?

[Tratcher]

SameSite=none without secure is the usual culprit. Can you share the full fiddler trace?
Are you using https?
Are you using a proxy?

[theonesuperdave]

OK, let me look into those details. Thanks for the info! Will share the fiddler trace shortly. This is all local dev, so only http at the moment. No proxy, and no load balancers, etc. The corp firewall might be stripping headers from AAD, but I doubt it since I see some coming through.

[Tratcher]

Https is required for SameSite=None cookies in chrome.

[theonesuperdave]

SameSite disabled for the win!! Would not have guessed that one for this. Thank you! I will look into upgrading my localhost to HTTPS. Surely Asp.Net Core supports that without too much work at this point.

[theonesuperdave]

no-cookies.zip

Attached is the Fiddler trace while I check out the samesite settings.