We have some users who cannot connect to our platform via Google. When this happens, it's always for a specific device, but with the information we have so far, it's not all the same device kind (to be confirmed).
We're using ASP.NET Core (and Identity Server 4).
The error on our side is that upon returning from the oauth flow, the correlation cookie set by ASP.NET identity is gone. We have verified that it's well set at the beginning, and is valid. It's not an issue about data protection (we do have this in place). We can reproduce on two iPads with iOS 12, no matter which account we try to connect with. All those accounts can connect on other devices, including iPads with iOS 13.
So we're trying to isolate what could make those specific devices fail. Also, it seems this only started to happen recently, and we can't identify what change could have triggered this on our side.
Updating an iPad from iOS 12 to iOS 13 solves the issue.
On 2019/11/19, .NET Core v2.2.8 was released. This version includes this change, which mentions in the patch notes:
Risk: Medium. The SameSite changes are known to be incompatible with older OSs and browsers, especially iOS 12 and OSX Mojave (latest - 1). These represent a small but influential portion of the web client user base. Updating to the latest OS version addresses the incompatibility.
Since our Docker images are based on mcr.microsoft.com/dotnet/core/aspnet:2.2
, an irrelevant update which happened on Dec. 3rd pushed that update to our servers.
This blog post explains the situation in more details, but in short:
set-cookie
does not specify a SameSite
value, instead of defaulting to None
SameSite=None
, ASP.NET Core was not sending the SameSite
value to set-cookie
, assuming that browsers default to None
SameSite=None
SameSite=None
as SameSite=Strict
(see this webkit bug for details)Though we could revert to 2.2.7, the upcoming Chrome update (80) would stop working. Fortunately, this article clearly states the proper course of action: we need to implement user agent sniffing and not send the SameSite=None
to user agents which do not support it. This comment mentions suggested user agents to filter, which looks good.