
I'm using Identity Server 4 with Umbraco. When I log in locally (localhost) from Edge, Firefox or Opera the login works correctly. If I try it from Chrome the login fails.

From the Identity Server 4 logs, the only difference appears to be that the CORS request line appears in Chrome and not for the other browsers:

[DBG] umbraco found in database: true
[VRB] Calling into client configuration validator: IdentityServer4.Validation.DefaultClientConfigurationValidator
[DBG] client configuration validation for client umbraco succeeded.
---> [DBG] CORS request made for path: /Account/Login from origin: null but was ignored because path was not for an allowed IdentityServer CORS endpoint
[VRB] No endpoint entry found for request path: /Account/Login
[VRB] returnUrl is valid
[DBG] Start authorize request protocol validation
[DBG] umbraco found in database: true

and for Edge, Firefox & Opera I get

[DBG] User in authorize request: 1932942018

and in Chrome I get

[DBG] No user present in authorize request

Can anyone tell me where to start looking? Is this a Chrome issue? Something related to using localhost? A configuration issue for IS4 that's only showing up in Chrome?

Using Identity Server 4 v4.0.4 on Windows 10 Pro

sixeyes
  • Use Fiddler and compare the initial request to IdentityServer to figure out what the difference in the request is. – Tore Nestenius Aug 21 '20 at 06:49
  • Thanks for the suggestion. Checking Fiddler I can see that Chrome isn't sending any cookies. Googling I can see this is a Chrome issue with localhost. Haven't figured out how to change Chrome, so I'll just stick with other browsers – sixeyes Aug 21 '20 at 11:12

2 Answers


See this article on how to deal with Chrome and SameSite cookies

I would also try to disable the SameSite handling just to verify if it is the problem or not. See this article for details on how to disable it.

Tore Nestenius
  • I'm not sure how the article helps. My problem is related to Chrome's behaviour when using localhost – sixeyes Aug 26 '20 at 10:02
  • Do you get any error in the browser developer console? Are we talking about a cookie or CORS issue? Why do you try to do a CORS request to /Account/Login? Or exactly what request is failing? – Tore Nestenius Aug 26 '20 at 10:41
  • The problem I'm having only happens with localhost, the published websites work as expected. In fact even using localhost I didn't have a problem until I tried to use Chrome. Usually I'm working with Edge / Firefox so I'd not seen the Chrome issue. Once I saw the problem I didn't even know where to start, hence the question here. After your suggestion to use Fiddler (never used it before) I discovered that the difference was that Chrome wasn't sending the cookies with the request. Googling revealed that this is a known problem, so while working locally I can't use Chrome :( – sixeyes Aug 26 '20 at 13:33
  • As to what I'm doing, I'm using Umbraco (a CMS) with IdentityServer4 as the IdP. For some reason Chrome doesn't pass over the cookies required whereas the other browsers do. If I could get Chrome to pass over the cookies I'd be happy but as I can't I'll just have to avoid Chrome while developing the website. – sixeyes Aug 26 '20 at 13:35
  • I disabled the three flags and now it works. Thanks for your help. – sixeyes Aug 26 '20 at 17:10
  • Fun fact is that different browsers have bugs in how they handle SameSite, and because of that you need to return different SameSite settings depending on the browser and browser version. – Tore Nestenius Aug 26 '20 at 17:22
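
The last comment above says the server has to return different SameSite settings depending on the browser and its version. One way to do that in the ASP.NET Core host that runs IdentityServer4 is a cookie policy callback, shown here as an added example that is not part of the original thread or of IdentityServer4 itself. The class and method names are hypothetical, it assumes ASP.NET Core 3.1 or later (where `SameSiteMode.Unspecified` exists), and the user-agent checks follow the Chromium project's list of clients that are incompatible with SameSite=None.

```csharp
using System.Text.RegularExpressions;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Added example; class and method names are hypothetical.
public static class BrowserAwareSameSite
{
    private static readonly Regex ChromeMajor = new Regex(@"Chrome/(\d+)\.", RegexOptions.Compiled);

    // Call from Startup.ConfigureServices, and add app.UseCookiePolicy()
    // in Configure before the middleware that issues cookies.
    public static IServiceCollection AddBrowserAwareSameSite(this IServiceCollection services) =>
        services.Configure<CookiePolicyOptions>(options =>
        {
            // Unspecified = do not force a value; the callbacks decide per request.
            options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
            options.OnAppendCookie = c => Adjust(c.Context, c.CookieOptions);
            options.OnDeleteCookie = c => Adjust(c.Context, c.CookieOptions);
        });

    private static void Adjust(HttpContext http, CookieOptions cookie)
    {
        // Only cookies explicitly marked SameSite=None need per-browser handling.
        if (cookie.SameSite != SameSiteMode.None) return;
        string userAgent = http.Request.Headers["User-Agent"].ToString();
        // Omit the attribute for clients that mishandle SameSite=None.
        if (DisallowsSameSiteNone(userAgent)) cookie.SameSite = SameSiteMode.Unspecified;
    }

    public static bool DisallowsSameSiteNone(string userAgent)
    {
        if (string.IsNullOrWhiteSpace(userAgent)) return false;

        // Every browser on iOS 12 uses the system network stack, which treats None as Strict.
        if (userAgent.Contains("CPU iPhone OS 12") || userAgent.Contains("iPad; CPU OS 12"))
            return true;

        // Safari on macOS 10.14 has the same behaviour.
        if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14")
            && userAgent.Contains("Version/") && userAgent.Contains("Safari"))
            return true;

        // Chrome 51 to 66 reject a cookie that carries SameSite=None.
        Match m = ChromeMajor.Match(userAgent);
        return m.Success && int.TryParse(m.Groups[1].Value, out int major)
            && major >= 51 && major <= 66;
    }
}
```

Current Chrome versions are not matched by these checks: they keep SameSite=None as issued, and Chrome accepts that value only on cookies that also carry the Secure attribute.
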

In case anyone else experiences the same problem after Edge is upgraded from Edge Legacy there's a fix here:

https://getadmx.com/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::LegacySameSiteCookieBehaviorEnabled

A new registry key is required:

Computer\HKEY_CURRENT_USER\Software\Policies\Microsoft\Edge\LegacySameSiteCookieBehaviorEnabled

DWORD with the value set to 1

sixeyes