Cookie Errors During Login #3
Comments
Not that anybody is reading this, but after more research, I don't think it is related to the issue I referenced.
I'd like to add to this thread, since I also think there is a problem with the Result:
Observations:
It seems state is lost somewhere for
Wow! Thanks for posting that! I modified my app to work in the style of 02-Login-Embedded-Lock and it seems to work for me too (although it is too early for me to declare complete victory just yet). It would be nicer if 01-Login worked, but I'll take a working 02-Login-Embedded-Lock over what 01-Login is currently doing.
Looks like I spoke too soon, I still get some cookie errors using Embedded Lock, not sure if they are less frequent or happen under different circumstances.
Hmmm... Sorry to keep blasting this issue. I realized I had my signout URL misconfigured for my application in auth0. Once I fixed that, things seemed to improve.
Sorry for not responding. This issue slipped past me :( The problem appears to be that every time the OIDC flow initiates, a nonce and correlation cookie gets stored. The problem is that when the OIDC flow does not complete successfully (because the browser's back button was clicked), those cookies are not cleared. So now if you do it a few times those cookies build up over time, and eventually things fail because the request becomes too big. The issue you listed (aspnet/Announcements#201) is different. It relates to the external authentication cookie which is used by ASP.NET Identity. Our samples do not use ASP.NET Identity or an external authentication cookie. The net effect is however the same, as these cookies are not cleared and build up over time. I will look into this. Let me know if I am not understanding the issue correctly
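The mechanism described in the comment above, as an added illustration (my code, not from the auth0 samples or the ASP.NET Core OpenIdConnect handler): a small model of a browser cookie jar in which every challenge stores one nonce cookie and one correlation cookie, a completed callback deletes both, and an abandoned flow leaves both behind until the Cookie header outgrows a size budget. The cookie name prefixes only mimic the handler's naming scheme, and COOKIE_LIFETIME and COOKIE_HEADER_BUDGET are assumed values.

```python
"""Model of nonce/correlation cookie build-up on abandoned OIDC flows.

Added illustration; not code from the auth0 samples or from the ASP.NET Core
OpenIdConnect handler. The cookie name prefixes mimic the handler's naming
scheme (assumption), and COOKIE_LIFETIME and COOKIE_HEADER_BUDGET are assumed.
"""
import secrets

NONCE_PREFIX = ".AspNetCore.OpenIdConnect.Nonce."                # assumed name scheme
CORRELATION_PREFIX = ".AspNetCore.Correlation.OpenIdConnect."     # assumed name scheme
COOKIE_LIFETIME = 15 * 60        # seconds; assumed Max-Age on both cookies
COOKIE_HEADER_BUDGET = 8 * 1024  # bytes; assumed per-site limit for the Cookie header


def cookie_header(jar):
    """Render the jar as the single Cookie header a browser would send."""
    return "; ".join(f"{name}={value}" for name, (value, _expires) in jar.items())


def cookie_header_bytes(jar):
    return len(cookie_header(jar).encode("ascii"))


def start_flow(jar, now):
    """Challenge: one nonce cookie and one correlation cookie per redirect."""
    nonce = secrets.token_urlsafe(32)
    correlation_id = secrets.token_urlsafe(32)
    expires = now + COOKIE_LIFETIME
    jar[NONCE_PREFIX + nonce] = ("N", expires)
    jar[CORRELATION_PREFIX + correlation_id] = ("N", expires)
    return nonce, correlation_id


def complete_flow(jar, nonce, correlation_id):
    """Callback: a successful round trip deletes both cookies."""
    del jar[NONCE_PREFIX + nonce]
    del jar[CORRELATION_PREFIX + correlation_id]


def purge_expired(jar, now):
    """The only cleanup an abandoned flow gets: the browser drops expired cookies."""
    stale = [name for name, (_value, expires) in jar.items() if expires <= now]
    for name in stale:
        del jar[name]
    return len(stale)


def abandoned_flows_until_overflow(budget=COOKIE_HEADER_BUDGET, now=0):
    """Start flows and never complete them (the back-button case).

    Returns (number of abandoned flows, Cookie header size in bytes) at the
    point where the header first exceeds the budget. All flows start within
    COOKIE_LIFETIME, so expiry never helps here.
    """
    jar = {}
    flows = 0
    while cookie_header_bytes(jar) <= budget:
        start_flow(jar, now)
        flows += 1
    return flows, cookie_header_bytes(jar)


def completed_flows_leave_nothing(flows=50, now=0):
    """The same number of flows, each completed: the jar ends up empty."""
    jar = {}
    for _ in range(flows):
        nonce, correlation_id = start_flow(jar, now)
        complete_flow(jar, nonce, correlation_id)
    return len(jar)


if __name__ == "__main__":
    n, size = abandoned_flows_until_overflow()
    print(f"{n} abandoned flows -> Cookie header of {size} bytes (budget {COOKIE_HEADER_BUDGET})")
    print(f"{completed_flows_leave_nothing()} cookies left after 50 completed flows")
```

Each abandoned redirect adds roughly 160 bytes of cookies here, so a few dozen back-button presses are enough to cross an 8 KiB budget, while the same number of completed flows leaves nothing behind; whatever the real limit on your server and browsers, only the cookies' own expiry or an explicit deletion by the server ever shrinks the jar.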
Hi @jerriep, I've set up a reproducible environment at https://greenlifftest.azurewebsites.net/ which deterministically fails for me using Chrome (version 53.0.2785.116 m) and Firefox (version 48.0.2 and 49.0) on Windows, but works perfectly with IE and Edge. The deployment is an instance from the
For you to test, the auth0 client setup is:
Also, @jerriep, I have had Auth0 support ticket #12340 open for a while now. Your support engineers have been able to reproduce this as well. I was able to reproduce it with 01-Login against Azure Active Directory, but I think your support team reproduced it with Google as a provider. Thanks for looking into this! |
Another update: I've been told by support that they have a new branch of server side code that might help mitigate this issue, so if @jerriep is running on that new branch, that might be why he can't reproduce it. I'm also told that as early as some time today, customers will be able to switch themselves to the new branch in the advanced dashboard (note I just checked and I don't see the feature deployed yet, but having the self service advanced dashboard switch deployed today wasn't a guarantee, just a best case scenario) |
Damn, I got it failing once but could not get it to fail again to try and Please switch to the new branch when available, and let me know how that On Fri, Sep 23, 2016 at 5:20 AM, Nicholas P Nelson <notifications@github.com
I just switched the OAuth2 as a Service (preview) option on in the advanced settings (note: to switch it on, you have to enable the Change Password v2 flow if that option is available before you can enable OAuth2 as a Service). So far, so good, but it has only been an hour. I will know more once it has been in use a little longer
The problem is related to browser cookie size limits. tl;dr: The auth0 backend at some point returns an
Details:
Mitigation attempts:
Thanks in advance.
@jerriep I see your login attempts on
@ahouben First, thanks for the awesome post. Second, I just wanted to report that so far, so good on enabling the "OAuth2 as a Service (preview)" option in the advanced account settings on auth0. I can't speak for exactly what OAuth2 as a Service does, but I am pretty sure they took steps to reduce the size of the auth0 cookie (the preview may include other things too, I'm not sure). My users have been using this for several hours now without a single cookie error or any other login problem. I'm not willing to declare victory just yet until I see it go for a few days, but the early results are very promising.
@npnelson I just enabled "OAuth2 as a Service" and tried again. Unfortunately, the behavior is exactly the same as the aforementioned workflow using Google as the identity provider. I can confirm that when using the Username-Password-Authentication login method the So the
The Twitter provider works fine, but is close to the limits ( So, Google and Azure Active Directory (reported by @npnelson) seem to exceed the cookie limitations, maybe only in certain circumstances. Cookie splitting and reassembly would solve it for all providers.
Just to prevent a possible painful lesson for anyone who comes across this thread in the future - most mobile browsers can only store around 8K of cookies per site. It might not be relevant for this case, because 8K is probably enough, but still something to keep an eye on, especially if you pull down "openid profile" for some providers that have lots of claims.
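The cookie splitting and reassembly suggested two comments up, together with the per-site budget in the comment above, as an added example (my code, not from the thread, Auth0 or any ASP.NET Core library): a value that would exceed an assumed per-cookie limit is written as a header cookie `name=chunks-N` plus `nameC1 ... nameCN`, read back only when every chunk is present, and the whole jar is checked against an assumed per-site budget. The chunk naming is modeled on the convention of ASP.NET Core's ChunkingCookieManager; PER_COOKIE_LIMIT, SITE_BUDGET and the 10,000-byte sample value are assumptions.

```python
"""Chunked cookie write/read with per-cookie and per-site size budgets.

Added example; not code from the thread, Auth0 or ASP.NET Core. The header
cookie "name=chunks-N" plus "nameC1..nameCN" mirrors the naming convention of
ASP.NET Core's ChunkingCookieManager (assumption about that class, not its
code). PER_COOKIE_LIMIT and SITE_BUDGET are assumed limits to tune per browser.
"""

PER_COOKIE_LIMIT = 4096   # bytes of "name=value" per cookie, assumed
SITE_BUDGET = 8 * 1024    # bytes across all cookies for the site, assumed


def _cookie_bytes(name, value):
    return len(name) + 1 + len(value)


def cookie_header_bytes(jar):
    """Size of the single Cookie header a browser would send for this jar."""
    return sum(_cookie_bytes(n, v) for n, v in jar.items()) + 2 * max(len(jar) - 1, 0)


def write_chunked(jar, name, value, chunk_size=PER_COOKIE_LIMIT):
    """Store value under name, splitting into chunk cookies when it does not fit.

    Returns the number of cookies written (1 when no chunking was needed).
    """
    # Remove a previous value and its chunks so a shrinking value leaves no orphans.
    for stale in [n for n in jar if n == name or n.startswith(name + "C")]:
        del jar[stale]
    if _cookie_bytes(name, value) <= chunk_size:
        jar[name] = value
        return 1
    # Each chunk cookie must fit chunk_size including its own "nameC<i>=" prefix.
    count = 1
    while True:
        payload = chunk_size - _cookie_bytes(f"{name}C{count}", "")
        if payload <= 0:
            raise ValueError("cookie name too long for chunk_size")
        needed = -(-len(value) // payload)   # ceiling division
        if needed <= count:
            break
        count = needed                       # a longer index can shrink payload; retry
    jar[name] = f"chunks-{count}"
    for i in range(count):
        jar[f"{name}C{i + 1}"] = value[i * payload:(i + 1) * payload]
    return count + 1


def read_chunked(jar, name):
    """Reassemble a value; None when the cookie or any of its chunks is missing."""
    head = jar.get(name)
    if head is None:
        return None
    if not head.startswith("chunks-"):
        return head
    try:
        count = int(head[len("chunks-"):])
    except ValueError:
        return None
    if count < 1:
        return None
    parts = []
    for i in range(1, count + 1):
        chunk = jar.get(f"{name}C{i}")
        if chunk is None:
            return None   # a browser that evicted one chunk must not yield a truncated value
        parts.append(chunk)
    return "".join(parts)


def fits_site_budget(jar, budget=SITE_BUDGET):
    return cookie_header_bytes(jar) <= budget


if __name__ == "__main__":
    jar = {}
    blob = "x" * 10_000   # constructed stand-in for a large authentication cookie
    written = write_chunked(jar, ".AspNetCore.Cookies", blob)
    largest = max(_cookie_bytes(n, v) for n, v in jar.items())
    print(f"{written} cookies written, largest {largest} bytes")
    print("round trip ok:", read_chunked(jar, ".AspNetCore.Cookies") == blob)
    print("within site budget:", fits_site_budget(jar))
```

Chunking only defeats the per-cookie limit; the 10,000-byte sample still fails `fits_site_budget` against an 8K site budget, which is the check to run before a large ticket is issued rather than after the browser has silently dropped part of it. The reader refuses to reassemble when a chunk is absent instead of returning a truncated value, so a partially evicted cookie surfaces as a clean re-authentication rather than a garbled ticket.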
@ahouben Did you check if the OAuth as a Service (Preview) toggle stayed on? There is a subtle bug that causes the value not to change if you don't have the Password Flow v2 enabled.
@nicosabena Once I enabled OAuth as a Service (Preview) it didn't go back. The Password Flow v2 was already enabled (probably when I created the auth0 account, I cannot remember changing or touching it):
@ahouben @npnelson This issue seems not related to the ASP.NET Core integration or middleware, but rather between Auth0's server and the Identity Provider (Google in this case). I am going to ask that you please move this over to the support ticket already open, as it can be best managed by the product team on that side. @nicosabena Can you please help and ensure that their ticket(s) get attention in Zendesk? I think you are already on top of it, but just making sure :) If this issue is related to ASP.NET Core, then please feel free to re-open this issue.
@ahouben Sorry, looking at your screenshots again, it seems the issue may be on the ASP.NET side for you. Your ASP.NET cookies seem quite large. Any idea why? Are you saving a lot of claims? As for
It was referred to as "Nonce overflow" and is discussed here:
@ahouben Tested again. Sorry for the back-and-forth. The issue is on the Auth0 side, and not an ASP.NET problem. Do you have a ticket in Zendesk open by any chance? If not could you head over to https://support.auth0.com/ and open a ticket with the steps and screenshots you outlined above (#3 (comment))? Let me know what the ticket ID is and I can ask the product team to look into this. Thanks!
@jerriep Thanks for following up. I've created ticket https://support.auth0.com/tickets/15036 in your support database and referenced this github issue and the ticket from @npnelson #12340 further up this thread (which I cannot view: Forbidden).
@ahouben Whatever happened to this? Was your problem eventually resolved?
I am closing this issue. If this is still a problem please re-open
We mostly used the Database-Connection user store from auth0.com and therefore didn't run into this issue lately. I never verified whether the issue was resolved in the meantime.
I think your 01-Login sample is affected by this issue:
aspnet/Announcements#201
More information can be found here:
aspnet/Identity#915
I have been able to reproduce the issue using your 01-Login sample code. The ASP.NET team fixed their issue with a template fix, but the 01-Login sample is different enough that I can't figure out how to fix it.