Tags: .net, single-sign-on, owin, okta, samesite

OpenIdConnectProtocolValidationContext.Nonce was null when using Okta in Asp.Net Web Application


I have a .NET ASP.NET web application and I am trying to use Okta for single sign-on capabilities. I have all my code working and running except when I use Google Chrome 80+ to sign in. When I sign on to Okta and am called back to my application I get the following error. Below are the steps that I have tried so far. This works in all other browsers but is failing, most likely due to Chrome 80's SameSite cookie attribute changes.

Server Error in '/' Application.

IDX21323: RequireNonce is '[PII is hidden]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details:

Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolInvalidNonceException: IDX21323: RequireNonce is '[PII is hidden]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[OpenIdConnectProtocolInvalidNonceException: IDX21323: RequireNonce is '[PII is hidden]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.]
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateNonce(OpenIdConnectProtocolValidationContext validationContext) +1374
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateAuthenticationResponse(OpenIdConnectProtocolValidationContext validationContext) +219
Microsoft.Owin.Security.OpenIdConnect.d__11.MoveNext() +3770
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +27

  1. Upgraded .Net version to 4.7.2
  2. Upgraded Nuget packages for Microsoft.Owin to 4.1
  3. Added SameSite configs in startup
  4. Added web.config values
  5. Added CookieManager code

Startup.cs Configure() code

// Cookie middleware issues the application session cookie after the OIDC sign-in completes.
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
    // Chrome 80+: a cookie marked SameSite=None is only accepted when it is also Secure.
    CookieSameSite = SameSiteMode.None,
    CookieSecure = CookieSecureOption.Always,
    CookieHttpOnly = true,
    // Wraps the System.Web cookie manager so SameSite=None can be dropped for user agents that mishandle it.
    CookieManager = new Code.SameSiteCookieManager(new Microsoft.Owin.Host.SystemWeb.SystemWebCookieManager())
});

// Okta's OWIN middleware registers the OpenID Connect handler that issues the nonce cookie
// and validates the ID token on the callback.
app.UseOktaMvc(new OktaMvcOptions()
{
    OktaDomain = ConfigurationManager.AppSettings["okta:OktaDomain"],
    ClientId = ConfigurationManager.AppSettings["okta:ClientId"],
    ClientSecret = ConfigurationManager.AppSettings["okta:ClientSecret"],
    RedirectUri = ConfigurationManager.AppSettings["okta:RedirectUri"],
    PostLogoutRedirectUri = ConfigurationManager.AppSettings["okta:PostLogoutRedirectUri"],
    AuthorizationServerId = string.Empty,
    Scope = new List<string> { "openid", "profile", "email" },
});

// Note: this validator instance is never attached to the OIDC middleware configured above,
// so setting RequireNonce here has no effect on the nonce check that throws IDX21323.
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator dd = new Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator();
dd.RequireNonce = false;

// Init ADM Kit and start logging.
Code.KitHelper.Init();

Solution

  • Check if you are experiencing this issue only in Chrome. If so, this would be because of the new security implementation launched in version 80.

    If enabled, cookies without SameSite restrictions must also be Secure. If a cookie without SameSite restrictions is set without the Secure attribute, it will be rejected. This flag only has an effect if "SameSite by default cookies" is also enabled. – Mac, Windows, Linux, Chrome OS, Android

    You can, however, disable this in chrome://flags, but it is now enabled by default:

    #cookies-without-same-site-must-be-secure

    You'll have to restart Chrome once you've set this to disabled. This resolved my issues and explains why in production everything was working as expected but locally I was getting nonce errors.
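To make the cause concrete, here is an added diagnostic (not part of the question or answer above) that applies the two Chrome 80 rules named in the answer to Set-Cookie headers copied from the browser's network tab, and reports whether the OIDC nonce cookie would still accompany the cross-site POST callback from Okta. The header lines are constructed, and the nonce cookie name prefix `OpenIdConnect.nonce.` is assumed for the OWIN middleware.

```python
# Added example: evaluate Set-Cookie headers under Chrome 80's SameSite rules to see
# why the OWIN OIDC nonce cookie is missing on the callback. Sample headers are constructed.

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, {attribute: value}); attributes lower-cased."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower() if val else ""
    return name, attrs

def chrome80_verdict(header):
    """Decide whether Chrome 80+ stores the cookie and sends it on a cross-site top-level POST.

    Rules modelled: SameSite=None requires Secure (cookies-without-same-site-must-be-secure)
    and a missing SameSite attribute defaults to Lax (same-site-by-default-cookies).
    Chrome's temporary 'Lax+POST' grace for cookies under two minutes old is ignored.
    """
    name, attrs = parse_set_cookie(header)
    same_site = attrs.get("samesite", "")
    secure = "secure" in attrs
    if same_site == "none" and not secure:
        return {"name": name, "stored": False, "effective_samesite": None,
                "sent_on_cross_site_post": False,
                "reason": "SameSite=None without Secure is rejected"}
    effective = same_site or "lax"
    return {"name": name, "stored": True, "effective_samesite": effective,
            "sent_on_cross_site_post": effective == "none",
            "reason": "ok" if effective == "none"
                      else "SameSite=%s cookies are withheld from cross-site POST" % effective}

def nonce_survives_callback(headers, prefix="OpenIdConnect.nonce."):
    """True if at least one nonce cookie would accompany the form_post callback from the IdP."""
    return any(chrome80_verdict(h)["sent_on_cross_site_post"]
               for h in headers if parse_set_cookie(h)[0].startswith(prefix))

# Constructed headers: what the middleware emits locally over HTTP versus in production over HTTPS.
LOCAL_HTTP = [
    "OpenIdConnect.nonce.Q2hyb21lODA=abc123; path=/; SameSite=None; HttpOnly",
    ".AspNet.Cookies=sess; path=/; HttpOnly",
]
PROD_HTTPS = [
    "OpenIdConnect.nonce.Q2hyb21lODA=abc123; path=/; secure; SameSite=None; HttpOnly",
    ".AspNet.Cookies=sess; path=/; secure; SameSite=None; HttpOnly",
]

if __name__ == "__main__":
    for label, headers in (("local http", LOCAL_HTTP), ("production https", PROD_HTTPS)):
        print(label, "-> nonce reaches callback:", nonce_survives_callback(headers))
        for h in headers:
            v = chrome80_verdict(h)
            print("  %-40s stored=%-5s sent_on_post=%-5s %s" % (v["name"], v["stored"],
                                                                  v["sent_on_cross_site_post"], v["reason"]))
```

Running it shows the local nonce cookie rejected outright (so the middleware finds no nonce to compare against the ID token, which is exactly IDX21323), while the production cookie with `Secure` is stored and sent.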