Correlation Failed. At Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler During OIDC Authentication

Correlation failed in net.core / asp.net identity / openid connect

I've finally found the solution; I'll post it here in case somebody has a similar problem.

It looks like the main problem was that my redirect URI was the same as the CallbackPath:

"CallbackPath": "/Account/SigninOidc"

var authProperties = _signInManager
    .ConfigureExternalAuthenticationProperties("AzureAD",
        Url.Action("SigninOidc", "Account", null, Request.Scheme));

Well, here is my corrected Startup.cs:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using BPT.PC.IdentityServer.Data;
using BPT.PC.IdentityServer.IdentityStore;
using BPT.PC.IdentityServer.Models;
using BPT.PC.IdentityServer.Web.Models;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

namespace BPT.PC.IdentityServer.Web
{
    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddIdentity<User, Role>()
                .AddUserStore<UserStore>()
                .AddRoleStore<RoleStore>()
                .AddDefaultTokenProviders();

            services.AddMemoryCache();
            services.AddDistributedMemoryCache();
            services.AddDbContext<IdentityServerDb>(options =>
                options.UseSqlServer(Configuration.GetConnectionString("IdentityServerDb")));

            services.AddMvc();

            services
                .AddAuthentication(auth =>
                {
                    auth.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                    auth.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                    auth.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                })
                .AddCookie()
                .AddOpenIdConnect("AzureAD", "AzureAD", options =>
                {
                    // Binds Authority, ClientId, CallbackPath, etc. from the "AzureAD" section of appsettings.json
                    Configuration.GetSection("AzureAD").Bind(options);
                    options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
                    options.RemoteAuthenticationTimeout = TimeSpan.FromSeconds(120);
                    options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                    options.RequireHttpsMetadata = false;
                    options.SaveTokens = true;
                });

            services.AddSingleton(Configuration.GetSection("OpenIdConnectProviderConfiguration").Get<OpenIdConnectProviderConfiguration>());
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseBrowserLink();
                app.UseDeveloperExceptionPage();
            }
            else
            {
                app.UseExceptionHandler("/Home/Error");
            }

            app.UseStaticFiles();
            app.UseAuthentication();

            app.UseMvc(routes =>
            {
                routes.MapRoute(
                    name: "default",
                    template: "{controller=Account}/{action=Login}/{id?}");
            });
        }
    }
}

And the final implementation:

[HttpGet]
public IActionResult CorpLogin()
{
    // The post-login return URL is now a different action from the CallbackPath
    var authProperties = _signInManager
        .ConfigureExternalAuthenticationProperties("AzureAD",
            Url.Action("LoggingIn", "Account", null, Request.Scheme));

    return Challenge(authProperties, "AzureAD");
}

The appsettings.json is the same.
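As an added example (not part of the answer above), here is a controller that makes the mistake the answer describes fail fast at the challenge instead of at the end of the round trip: it compares the post-login return URL against the CallbackPath configured on the OpenID Connect handler and refuses to start the sign-in if the two collide. The scheme name "AzureAD", the User type and the LoggingIn action are taken from the answer; the EnsureNotCallbackPath helper is an assumption of mine, not project code.

```csharp
// Added example, not from the original answer. The OIDC handler owns CallbackPath:
// if the user is sent back there after sign-in, the handler runs a second time
// without a state parameter or correlation cookie and reports "Correlation failed".
using System;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;

public class AccountController : Controller
{
    private const string Scheme = "AzureAD";                // scheme name used in the answer
    private readonly SignInManager<User> _signInManager;    // User type from the answer's AddIdentity<User, Role>()
    private readonly IOptionsMonitor<OpenIdConnectOptions> _oidcOptions;

    public AccountController(SignInManager<User> signInManager,
                             IOptionsMonitor<OpenIdConnectOptions> oidcOptions)
    {
        _signInManager = signInManager;
        _oidcOptions = oidcOptions;
    }

    [HttpGet]
    public IActionResult CorpLogin()
    {
        // Where the user lands once the handler has finished. Must NOT be the CallbackPath.
        var returnUrl = Url.Action("LoggingIn", "Account", null, Request.Scheme);
        EnsureNotCallbackPath(returnUrl);

        var props = _signInManager.ConfigureExternalAuthenticationProperties(Scheme, returnUrl);
        return Challenge(props, Scheme);
    }

    // Hypothetical guard: reads the CallbackPath the handler was registered with
    // (e.g. "/signin-oidc" or, in the answer, "/Account/SigninOidc") and throws a
    // readable error if the post-login path is the same one.
    private void EnsureNotCallbackPath(string returnUrl)
    {
        var callbackPath = _oidcOptions.Get(Scheme).CallbackPath;
        var returnPath = new Uri(returnUrl).AbsolutePath;

        if (callbackPath.HasValue &&
            string.Equals(returnPath, callbackPath.Value, StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException(
                $"Post-login redirect '{returnPath}' equals the OpenID Connect CallbackPath '{callbackPath}'. " +
                "The OIDC handler intercepts that path; return the user to a different action instead.");
        }
    }
}
```

The check runs before the browser is redirected to the provider, so a collision shows up as one clear exception in the application log rather than as a correlation error that is hard to tell apart from the proxy and cookie causes discussed in the other answers.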

identityserver4 Correlation failed

As per the above comment, this is likely due to you not using HTTPS. That correlation cookie will be set to SameSite=None or SameSite=Lax since it needs to be accessible during a request initiated by another host and Chrome and Edge will block it by default if not issued by an HTTPS origin.

Exception: Correlation failed. AAD + Azure Front Door

Please check the possible workarounds for a few causes:

  1. Firstly, please check that the reply URLs are configured correctly; they must be the same in the Azure portal and in the code (with the https protocol).

  2. Check that the callback path is set to the identity provider's redirect URL, something like /signin-oidc. (And make sure you have a unique callback if multiple URLs are used, as in the second reference.)

  3. Add the using Microsoft.AspNetCore.HttpOverrides; reference in the Startup.cs class.

Also check for and add app.UseHttpsRedirection(); above app.UseAuthentication(); in the Startup Configure method.


  4. If the ConfigureServices method in Startup.cs has

services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));

the cause may be cookies not being set as secure. Try storing cookies as secure before services.AddAuthentication:

services.Configure<CookiePolicyOptions>(options =>
{
    options.CheckConsentNeeded = context => true; // add if consent is needed
    options.MinimumSameSitePolicy = SameSiteMode.None; // else try SameSiteMode.Lax
    options.Secure = CookieSecurePolicy.Always;
});

And call app.UseCookiePolicy() right before the call to app.UseRouting() in the Configure() method in Startup.cs.

Also try enabling cookies in the browser settings.


  5. Also see whether you can use XForward.Host, as in Using Azure Front Door with .NET Core | phillipsj.net.

  6. While adding the backend config in the Azure Front Door setup, try leaving the Backend host header field blank, as it is automatically generated the same as the host name and may cause issues for multiple domains.

References:

  1. solving-azure-ad-sign-in-failure-with-azure-front-door
  2. Asp.net Core 2.0 Identity with multiple OIDC providers

Correlation failed at signin-oidc redirect

UPDATE:
After some testing with the OP, it appeared that the auth cookies were blocked by NGINX because of their size. The issue was resolved by changing the NGINX config:
https://unix.stackexchange.com/a/605614

proxy_buffers         8 16k;  # Buffer pool = 8 buffers of 16k
proxy_buffer_size 16k; # 16k of buffers from pool used for headers

Can you please check that you are able to run the config below in dev? Before testing the
instance behind NGINX, make sure you have registered that URL with your OpenID Connect provider.

Also check that X-Forwarded-For and X-Forwarded-Proto are passed on to your app. I've experienced problems with just that a few times after server changes.

I recommend testing this with a clean app as a proof-of-concept (POC). When the POC is up and running in all environments, you can apply the changes to your existing code base.

In Startup.ConfigureServices

var openIdConnectSettings = new OpenIdConnectSettings();
Configuration.GetSection("OpenIdConnect").Bind(openIdConnectSettings);

services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(options =>
{
    options.Authority = openIdConnectSettings.Authority;
    options.ClientId = openIdConnectSettings.ClientId;
    options.ClientSecret = openIdConnectSettings.ClientSecret;
    options.ResponseType = OpenIdConnectResponseType.Code;
    options.GetClaimsFromUserInfoEndpoint = true;
    options.Scope.Add("openid");
    options.SaveTokens = true;
});

In Startup.Configure

if (env.IsDevelopment())
{
    app.UseDeveloperExceptionPage();
    app.UseCookiePolicy();
}
else
{
    app.UseStatusCodePagesWithReExecute( ...

    // required in order to get https for OpenIdConnect
    // must come before app.UseAuthentication();
    var forwardedHeaderOptions = new ForwardedHeadersOptions
    {
        ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
    };
    forwardedHeaderOptions.KnownNetworks.Clear();
    forwardedHeaderOptions.KnownProxies.Clear();
    app.UseForwardedHeaders(forwardedHeaderOptions);
}

app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();

....

Config class

public class OpenIdConnectSettings
{
    public string Authority { get; set; }
    public string ClientId { get; set; }
    public string ClientSecret { get; set; }
}
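The Azure Front Door answer and this NGINX answer come down to the same two requirements: the app must see the original https scheme so the redirect_uri it builds matches the one registered with the provider, and the correlation cookie must be allowed back on the cross-site redirect from the provider. As an added example, not the code of either answer, here is a Startup that puts those together, with one change a practitioner would want: instead of KnownNetworks.Clear() and KnownProxies.Clear(), which make the app believe X-Forwarded-For and X-Forwarded-Proto from any client, it lists the reverse proxy explicitly. The proxy address 10.0.0.5 and the "OpenIdConnect" configuration section name are placeholders I chose.

```csharp
// Added example (not from the answers above). Assumes ASP.NET Core 3.1+ behind a
// TLS-terminating reverse proxy (NGINX or Front Door) at the constructed address 10.0.0.5.
using System.Net;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Honour X-Forwarded-For / X-Forwarded-Proto only when they come from our proxy.
        // Clearing KnownNetworks/KnownProxies (as in the answer above) also works, but then
        // any caller can assert its own scheme and client IP.
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
            options.KnownProxies.Add(IPAddress.Parse("10.0.0.5")); // constructed: the NGINX / Front Door hop
        });

        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            // Authority, ClientId, ClientSecret, CallbackPath from the placeholder "OpenIdConnect" section
            Configuration.GetSection("OpenIdConnect").Bind(options);
            options.ResponseType = OpenIdConnectResponseType.Code;
            options.SaveTokens = true;
            options.RequireHttpsMetadata = true;

            // The correlation cookie is what "Correlation failed" is about. It is read on the
            // cross-site redirect back from the provider, so it needs SameSite=None, and browsers
            // reject SameSite=None cookies that are not Secure. Set both explicitly rather than
            // relying on defaults, and do the same for the nonce cookie.
            options.CorrelationCookie.SameSite = SameSiteMode.None;
            options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.Always;
            options.NonceCookie.SameSite = SameSiteMode.None;
            options.NonceCookie.SecurePolicy = CookieSecurePolicy.Always;
        });

        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        // Must run before anything that reads Request.Scheme, otherwise the redirect_uri
        // sent to the provider is built as http:// and no longer matches the registered one.
        app.UseForwardedHeaders();
        app.UseHttpsRedirection();

        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        app.UseStaticFiles();
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

With the proxy listed in KnownProxies, a request that arrives directly (not via 10.0.0.5) carrying its own X-Forwarded-Proto: https header is left untouched, so the scheme cannot be flipped from outside; if the proxy address changes after a server move, the symptom is the same http:// redirect_uri mismatch the answer describes, which is the first thing to check.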

Exception: Correlation failed. Unknown location

It was mentioned in the link below that the state property was missing.

But I am still not able to figure out how to set one.

So I am not marking this as the accepted answer, in case someone has a final answer.

https://github.com/aspnet/AspNetCore/issues/7501#issuecomment-464082989

Updated:

Below is the answer to this.

https://stackoverflow.com/a/54721271/9263418


