Client and server on different domains - No correlation cookie with the specified state can be found
Confirm you've already contributed to this project or that you sponsor it
- I confirm I’m a sponsor or a contributor
Version
4.x (in preview)
Question
Hi,
I modified the Velusia sample (latest dev branch) so that:
- the client runs on http://b.local2:44338
- the server runs on http://a.local1:44313
(b.local2 and a.local1 point to 127.0.0.1 in etc/hosts)
I also disabled TransportSecurityRequirement so it runs on http for testing and I will need http also in the staging environment.
Everything works fine until callback/login is called on the client and it fails with:
```
error:invalid_request
error_description:No correlation cookie associated with the specified state can be found. Please try logging in again. If the error persists, please contact the website owner.
error_uri:https://documentation.openiddict.com/errors/ID2129
```
I also noticed that it works fine if the client runs on http://localhost:44338 but fails if it is on a different domain (http://b.local2:44338).
I did also try to add

```csharp
services.ConfigureApplicationCookie(options =>
{
    options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None;
});
```

on the client and the server. Am I missing something?

Kind regards,
Miha
Top GitHub Comments
Hi, thank you Kevin. I did a quick experiment with a wildcard certificate on 127.0.0.1 and it seems to work. I was planning an https experiment as a last resort, but because of the legacy staging environment constraints I hoped for an http solution 😃. Thank you for your help, I will take your advice and use https in all environments.
Note: I opened https://github.com/openiddict/openiddict-core/pull/1603 to update the OpenIddict client to require TLS by default so that users are warned earlier that not using TLS might cause issues.
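
The pattern reported in this thread (works on http://localhost, fails on another plain-http host, works once https is used) is consistent with how browsers handle the `Secure` and `SameSite` cookie attributes. The following is an added example, not code from the thread or from OpenIddict: a simplified model of those browser rules. It assumes the correlation cookie is issued as `SameSite=None; Secure` and that only https origins and http://localhost may set `Secure` cookies; the function names and scenarios are constructed for illustration.

```javascript
// Added example: simplified model of browser cookie rules (not browser or OpenIddict code).

// Assumption: only https origins and http://localhost may store Secure cookies.
function canSetSecure(origin) {
  const u = new URL(origin);
  return u.protocol === "https:" || u.hostname === "localhost";
}

// Decide whether a cookie set by the client before the redirect comes back on the
// cross-site callback request that originates from the authorization server's site.
function correlationCookieReturned(clientOrigin, cookie, callbackMethod) {
  // Rule 1: SameSite=None is only accepted together with Secure.
  if (cookie.sameSite === "None" && !cookie.secure) {
    return { returned: false, reason: "rejected: SameSite=None without Secure" };
  }
  // Rule 2: a Secure cookie set from a non-trustworthy origin is dropped.
  if (cookie.secure && !canSetSecure(clientOrigin)) {
    return { returned: false, reason: "rejected: Secure cookie from insecure origin" };
  }
  // Rule 3: what is attached to a cross-site request depends on SameSite.
  if (cookie.sameSite === "Strict") {
    return { returned: false, reason: "withheld: Strict on cross-site request" };
  }
  if (cookie.sameSite === "Lax" && callbackMethod !== "GET") {
    return { returned: false, reason: "withheld: Lax on cross-site " + callbackMethod };
  }
  return { returned: true, reason: "stored and sent" };
}

// Constructed scenarios using the client hosts from the question.
const scenarios = [
  ["http://b.local2:44338", { sameSite: "None", secure: true }, "POST"],
  ["http://b.local2:44338", { sameSite: "None", secure: false }, "POST"],
  ["http://localhost:44338", { sameSite: "None", secure: true }, "POST"],
  ["https://b.local2:44338", { sameSite: "None", secure: true }, "POST"],
  ["http://b.local2:44338", { sameSite: "Lax", secure: false }, "POST"],
];
for (const [origin, cookie, method] of scenarios) {
  const r = correlationCookieReturned(origin, cookie, method);
  console.log(origin, JSON.stringify(cookie), method, "->", r.reason);
}
```

In this model, no cookie configuration on a plain-http, non-localhost client survives a cross-site POST callback, which is why moving every environment to https resolves the error.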