How to fix the Chrome login issue for the IdentityServer4

Introduction

When you use HTTP on your Identity Server 4 enabled website, users may not login because of the changes made by Chrome in the version 8x. This occurs when you use HTTP schema in your website. The issue is explained here https://docs.microsoft.com/en-gb/dotnet/core/compatibility/3.0-3.1#http-browser-samesite-changes-impact-authentication

How to solve it?

Step-1

Create the below extension in your *.Web project.

using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

namespace Microsoft.Extensions.DependencyInjection
{
    public static class SameSiteCookiesServiceCollectionExtensions
    {
        public static IServiceCollection AddSameSiteCookiePolicy(this IServiceCollection services)
        {
            services.Configure<CookiePolicyOptions>(options =>
            {
                options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
                options.OnAppendCookie = cookieContext => 
                    CheckSameSite(cookieContext.Context, cookieContext.CookieOptions);
                options.OnDeleteCookie = cookieContext => 
                    CheckSameSite(cookieContext.Context, cookieContext.CookieOptions);
            });

            return services;
        }
        
        private static void CheckSameSite(HttpContext httpContext, CookieOptions options)
        {
            if (options.SameSite == SameSiteMode.None)
            {
                var userAgent = httpContext.Request.Headers["User-Agent"].ToString();
                if (!httpContext.Request.IsHttps || DisallowsSameSiteNone(userAgent))
                {
                    // For .NET Core < 3.1 set SameSite = (SameSiteMode)(-1)
                    options.SameSite = SameSiteMode.Unspecified;
                }
            }
        }

        private static bool DisallowsSameSiteNone(string userAgent)
        {
            // Cover all iOS based browsers here. This includes:
            // - Safari on iOS 12 for iPhone, iPod Touch, iPad
            // - WkWebview on iOS 12 for iPhone, iPod Touch, iPad
            // - Chrome on iOS 12 for iPhone, iPod Touch, iPad
            // All of which are broken by SameSite=None, because they use the iOS networking stack
            if (userAgent.Contains("CPU iPhone OS 12") || userAgent.Contains("iPad; CPU OS 12"))
            {
                return true;
            }

            // Cover Mac OS X based browsers that use the Mac OS networking stack. This includes:
            // - Safari on Mac OS X.
            // This does not include:
            // - Chrome on Mac OS X
            // Because they do not use the Mac OS networking stack.
            if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14") && 
                userAgent.Contains("Version/") && userAgent.Contains("Safari"))
            {
                return true;
            }

            // Cover Chrome 50-69, because some versions are broken by SameSite=None, 
            // and none in this range require it.
            // Note: this covers some pre-Chromium Edge versions, 
            // but pre-Chromium Edge does not require SameSite=None.
            if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
            {
                return true;
            }

            return false;
        }
    }
}

Step-2

Assume that your project name is Acme.BookStore. Then open AcmeBookStoreWebModule.cs class.

Add the following line to ConfigureServices() method.

 context.Services.AddSameSiteCookiePolicy(); // cookie policy to deal with temporary browser incompatibilities

Step-3

Go toOnApplicationInitialization() method in AcmeBookStoreWebModule.cs add app.UseCookiePolicy();

public override void OnApplicationInitialization(ApplicationInitializationContext context)
{
        var app = context.GetApplicationBuilder();
        var env = context.GetEnvironment();

        if (env.IsDevelopment())
        {
                app.UseDeveloperExceptionPage();
        }
        else
        {
                app.UseErrorPage();
                app.UseHsts();
        }

        app.UseCookiePolicy(); // added this, Before UseAuthentication or anything else that writes cookies.
	
	//....
}

It's all! You are ready to go!

Attention: This problem can't be solved if the user/browser/operating system blocked third-party cookies.

Block-Third-Party-Cookies


Referenced from https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/

Jack 182 weeks ago

Awesome, thanks so much! It blocks me for so long time.

Alper Ebiçoğlu 172 weeks ago

great!

3
Massimiliano Rizzuto 172 weeks ago

Thanks! You saved my life ;-)

Alper Ebiçoğlu 172 weeks ago

I'm glad

2 2 5
jasondaly5000@gmail.com 154 weeks ago

I tried this but still no redirect. The redirect is fine in non-Chrome browsers (i.e. Firefox). Chrome version is Version 91.0.4472.124 (Official Build) (64-bit) on Windows 10.

stefanivovic91@gmail.com 147 weeks ago

i am here to say hell yeah. after 3 days of trying to figure this out (heroku deploy). u saved my sanity :)

menxin@gmail.com 134 weeks ago

great job!

Yousef Hussein 121 weeks ago

great job! Thank you

273168121@qq.com 97 weeks ago

u save my life.

cetin.sahin 24 weeks ago

we used 3 subdomain for uı, api, and auth. 3 subdomains have https . user change auth server lang. but blazor ıu not change Auth server language. How can we change cookies domain auth server and blazor server uı