Skip to content
This repository has been archived by the owner on Jun 12, 2024. It is now read-only.

Same site cookie fix #35

Merged
merged 2 commits into from
Jan 22, 2020
Merged

Same site cookie fix #35

merged 2 commits into from
Jan 22, 2020

Conversation

TiagoBrenck
Copy link

Update to DotNet Framework 4.7.2
Implemented SameSiteCookieManager as suggested ms docs

Tested using Chromium 60 before and after implementation to validate the fix.

jmprieur
jmprieur approved these changes Jan 21, 2020
View reviewed changes
Copy link
Contributor

@jmprieur jmprieur left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, @TiagoBrenck
I did not test it yet (but was worried about the major change)

WebApp/MailApp.csproj
@@ -65,20 +65,20 @@
<Reference Include="Microsoft.IdentityModel.Tokens, Version=5.4.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
<HintPath>..\packages\Microsoft.IdentityModel.Tokens.5.4.0\lib\net461\Microsoft.IdentityModel.Tokens.dll</HintPath>
</Reference>
<Reference Include="Microsoft.Owin, Version=4.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
<HintPath>..\packages\Microsoft.Owin.4.0.1\lib\net45\Microsoft.Owin.dll</HintPath>
<Reference Include="Microsoft.Owin, Version=4.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you test with the major Owin change?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I tested. We actually need to update to 4.1.0 according to the docs, to handle the issue on net framework 4.7.2

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh yes. Thanks for the update. This makes sense. I had forgotten

@jmprieur jmprieur self-requested a review January 21, 2020 18:59
@TiagoBrenck TiagoBrenck merged commit 5836774 into master Jan 22, 2020
@remojan23
Copy link

Tried to replicate the same steps as mentioned in the commit.

i still get

IDX21323 OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocolValidatedIdToken.Paylocad.Nonce was not null

steps done:

1.upgraded .net framework to 4.72
2.upgraded owin to 4.1
3.Added sameCookieManager as mentioned in commit

@jmprieur
Copy link
Contributor

jmprieur commented Feb 5, 2020

@TiagoBrenck FYI

@TiagoBrenck
Copy link
Author

@remojan23 could you share your packages.config? Also, what browser are you using?
I have re-tested it and it worked.

@remojan23
Copy link

remojan23 commented Feb 5, 2020
edited
Loading

@TiagoBrenck
Tested in google chrome 80 beta( using the --enable-features=SameSiteDefaultChecksMethodRigorously) . below is my package.config

<?xml version="1.0" encoding="utf-8"?> <packages> <package id="Antlr" version="3.5.0.2" targetFramework="net45" /> <package id="DocumentFormat.OpenXml" version="2.5" targetFramework="net45" /> <package id="EntityFramework" version="6.1.0" targetFramework="net45" /> <package id="ExcelDataReader" version="3.3.0" targetFramework="net46" /> <package id="ExcelDataReader.DataSet" version="3.3.0" targetFramework="net46" /> <package id="jQuery" version="2.0.3" targetFramework="net45" /> <package id="jQuery.UI.Combined" version="1.8.20.1" targetFramework="net45" /> <package id="jQuery.Validation" version="1.9.0.1" targetFramework="net45" /> <package id="Knockout.Validation" version="1.0.1" targetFramework="net45" /> <package id="knockoutjs" version="2.1.0" targetFramework="net45" /> <package id="Microsoft.AspNet.Mvc" version="5.2.3" targetFramework="net46" /> <package id="Microsoft.AspNet.Providers.Core" version="1.1" targetFramework="net45" /> <package id="Microsoft.AspNet.Providers.LocalDB" version="1.1" targetFramework="net45" /> <package id="Microsoft.AspNet.Razor" version="3.2.3" targetFramework="net46" /> <package id="Microsoft.AspNet.Web.Optimization" version="1.1.3" targetFramework="net45" /> <package id="Microsoft.AspNet.WebApi" version="5.2.3" targetFramework="net46" /> <package id="Microsoft.AspNet.WebApi.Client" version="5.2.3" targetFramework="net46" /> <package id="Microsoft.AspNet.WebApi.Core" version="5.2.3" targetFramework="net46" /> <package id="Microsoft.AspNet.WebApi.WebHost" version="5.2.3" targetFramework="net46" /> <package id="Microsoft.AspNet.WebPages" version="3.2.3" targetFramework="net46" /> <package id="Microsoft.IdentityModel.Clients.ActiveDirectory" version="3.19.8" targetFramework="net46" /> <package id="Microsoft.IdentityModel.JsonWebTokens" version="5.3.0" targetFramework="net472" /> <package id="Microsoft.IdentityModel.Logging" version="5.3.0" targetFramework="net472" /> <package id="Microsoft.IdentityModel.Protocol.Extensions" version="1.0.0" targetFramework="net46" /> <package id="Microsoft.IdentityModel.Protocols" version="5.3.0" targetFramework="net472" /> <package id="Microsoft.IdentityModel.Protocols.OpenIdConnect" version="5.3.0" targetFramework="net472" /> <package id="Microsoft.IdentityModel.Protocols.WsFederation" version="5.3.0" targetFramework="net472" /> <package id="Microsoft.IdentityModel.Tokens" version="5.3.0" targetFramework="net472" /> <package id="Microsoft.IdentityModel.Tokens.Saml" version="5.3.0" targetFramework="net472" /> <package id="Microsoft.IdentityModel.Xml" version="5.3.0" targetFramework="net472" /> <package id="Microsoft.jQuery.Unobtrusive.Ajax" version="2.0.30506.0" targetFramework="net45" /> <package id="Microsoft.jQuery.Unobtrusive.Validation" version="2.0.20710.0" targetFramework="net45" /> <package id="Microsoft.Net.Http" version="2.0.20710.0" targetFramework="net45" /> <package id="Microsoft.Owin" version="4.1.0" targetFramework="net472" /> <package id="Microsoft.Owin.Host.SystemWeb" version="4.1.0" targetFramework="net472" /> <package id="Microsoft.Owin.Security" version="4.1.0" targetFramework="net472" /> <package id="Microsoft.Owin.Security.ActiveDirectory" version="4.1.0" targetFramework="net472" /> <package id="Microsoft.Owin.Security.Cookies" version="4.1.0" targetFramework="net472" /> <package id="Microsoft.Owin.Security.Jwt" version="4.1.0" targetFramework="net472" /> <package id="Microsoft.Owin.Security.OAuth" version="4.1.0" targetFramework="net472" /> <package id="Microsoft.Owin.Security.OpenIdConnect" version="4.1.0" targetFramework="net472" /> <package id="Microsoft.Web.Infrastructure" version="1.0.0.0" targetFramework="net45" /> <package id="Modernizr" version="2.5.3" targetFramework="net45" /> <package id="Newtonsoft.Json" version="10.0.3" targetFramework="net46" /> <package id="NodeEnv" version="1.0.2" targetFramework="net45" /> <package id="Owin" version="1.0" targetFramework="net46" /> <package id="StyleCop.MSBuild" version="4.7.48.0" targetFramework="net45" /> <package id="System.IdentityModel.Tokens.Jwt" version="5.3.0" targetFramework="net472" /> <package id="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry" version="4.5.1" targetFramework="net45" /> <package id="Thinktecture.IdentityModel.EmbeddedSts" version="1.0.2" targetFramework="net46" /> <package id="Unity" version="3.5.1404.0" targetFramework="net45" /> <package id="Unity.AspNet.WebApi" version="3.0.1304.0" targetFramework="net45" /> <package id="Unity.Interception" version="3.5.1404.0" targetFramework="net45" /> <package id="Unity.Mvc" version="3.0.1304.0" targetFramework="net45" /> <package id="Unity.WebAPI" version="0.10" targetFramework="net45" /> <package id="WebActivatorEx" version="2.0.3" targetFramework="net45" /> <package id="WebGrease" version="1.5.2" targetFramework="net45" /> </packages>

@TiagoBrenck
Copy link
Author

@remojan23 I am still not able to reproduce it here.

I noticed that many of your packages is targeting net45 or 46. I wonder if that could be the problem. When I updated the framework in this sample, I have also run the follow command, to re-target all the packages to the right framework:

Update-Package -Reinstall

@remojan23
Copy link

When the user first navigates to the app, the app detects that they are not authenticated and redirects them to Azure AD.  During this step, OWIN sets a cookie named OpenIdConnect.nonce. This cookie is somehow not seen in the list in beta 80 due to which that
error is thrown .

@TiagoBrenck
Copy link
Author

@remojan23 were you able to reproduce this error using the sample as well?

@TiagoBrenck
Copy link
Author

@remojan23 did it work?

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@jmprieur jmprieur jmprieur approved these changes

@kalyankrishna1 kalyankrishna1 Awaiting requested review from kalyankrishna1

@bgavrilMS bgavrilMS Awaiting requested review from bgavrilMS

@pmaytak pmaytak Awaiting requested review from pmaytak

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@TiagoBrenck @remojan23 @jmprieur