.NET Core (behind nginx) cookie auth not working on distributed system

4/20/2020

I have a .NET Core API behind an nginx Kubernetes ingress. I'm talking to it via a React front-end on a different domain that I've cleared with CORS.

Sample of the relevant code in Startup.cs:

```csharp
// Authentication: the cookie scheme is the default; a JWT bearer handler is registered as well.
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddJwtBearer(
        <XXXXXX>
    )
    .AddCookie(options =>
    {
        options.Cookie.HttpOnly = true;
        // Secure only outside development; SameSite=None so the cookie is sent cross-site.
        options.Cookie.SecurePolicy = _env.IsDevelopment()
            ? CookieSecurePolicy.None : CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.None;
    });

// Cookie policy applied by UseCookiePolicy(), mirroring the cookie settings above.
services.Configure<CookiePolicyOptions>(options =>
{
    options.MinimumSameSitePolicy = SameSiteMode.None;
    options.HttpOnly = HttpOnlyPolicy.Always;
    options.Secure = _env.IsDevelopment()
        ? CookieSecurePolicy.None : CookieSecurePolicy.Always;
});

// CORS: a single front-end origin, with credentials (cookies) allowed.
services.AddCors(options =>
{
    options.AddPolicy(name: AllowWebClientOrigin,
        builder =>
        {
            builder.WithOrigins("<FRONT_END_URL>")
                .AllowAnyHeader()
                .AllowAnyMethod()
                .AllowCredentials();
        });
});
```

Middleware pipeline, in the order it is registered:

```csharp
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseCors(AllowWebClientOrigin);
app.UseCookiePolicy();

app.UseEndpoints.....
```

The issue is that my requests are not being authenticated when I log in and start making calls. I am able to log in successfully and obtain the cookie, and I'm sending the cookie with each request; I've tried both the default behaviour and setting it explicitly as a header ("cookie").

It works locally in testing, so I suspect the issue could be in my nginx config.

Example of a request and response in Chrome:

```
General:
Request URL: https://<API_DOMAIN>/account/me
Request Method: GET
Status Code: 302
Remote Address: 45.79.60.107:443
Referrer Policy: no-referrer-when-downgrade

Response Headers:
access-control-allow-credentials: true
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,Cookie
access-control-allow-methods: PUT, GET, POST, OPTIONS
access-control-allow-origin: https://<FRONT_END_CLIENT>
content-length: 0
date: Mon, 20 Apr 2020 16:25:16 GMT
location: https://<API_DOMAIN>/Account/Login?ReturnUrl=%2Faccount%2Fme
server: nginx/1.17.8
status: 302
strict-transport-security: max-age=15724800; includeSubDomains
vary: Origin

Request Headers:
:authority: <API_DOMAIN>
:method: GET
:path: /account/me
:scheme: https
accept: application/json, text/plain, */*
accept-encoding: gzip, deflate, br
accept-language: en-GB,en-US;q=0.9,en;q=0.8
cookie: .AspNetCore.Cookies=<COOKIE>
origin: <FRONT_END_CLIENT>
referer: <FRONT_END_CLIENT>
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-site
user-agent: <XXXX>
```
-- Zeph Terence Sibley
.net-core
authentication
cookies
kubernetes
nginx

0 Answers
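As an added example (not code from the question above, from any answer, or from ASP.NET Core itself), here is a small client-side diagnostic in JavaScript for the kind of setup the question describes: a React front-end on one domain calling a cookie-authenticated API on another. It parses the `Set-Cookie` header the API returns at login and lists the reasons a browser applying Chrome 80's cookie rules (SameSite absent defaults to Lax; SameSite=None requires Secure) would not attach that cookie to a cross-site credentialed request; it classifies an API response, distinguishing the 302-to-login seen in the capture from a plain 401; and it shows the `fetch` call shape, where `credentials: 'include'` is required for the cookie to be sent at all. The cookie name `.AspNetCore.Cookies` and the `/Account/Login` redirect path are taken from the capture; the host `api.example.com`, the sample header values and all function names are assumptions made for the example.

```javascript
// Added example, not part of the original question. Host names, sample
// headers and function names below are hypothetical.

// Parse one Set-Cookie header value into name, value and a lower-cased
// attribute map (flag attributes such as Secure/HttpOnly map to true).
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';');
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  const attributes = {};
  for (const part of attrParts) {
    const [k, ...rest] = part.trim().split('=');
    if (k) attributes[k.toLowerCase()] = rest.length ? rest.join('=') : true;
  }
  return { name, value, attributes };
}

// Reasons a browser (Chrome 80+ rules) would not send this cookie on a
// cross-site, credentialed XHR/fetch to apiHost. Empty array = usable.
function crossSiteCookieProblems(cookie, apiHost) {
  const a = cookie.attributes;
  const problems = [];
  const sameSite = typeof a.samesite === 'string' ? a.samesite.toLowerCase() : undefined;
  if (sameSite !== 'none') {
    problems.push(`SameSite is ${sameSite ?? 'absent (defaults to Lax)'}; cross-site requests need SameSite=None`);
  }
  if (sameSite === 'none' && !a.secure) {
    problems.push('SameSite=None requires the Secure attribute or the cookie is rejected');
  }
  if (typeof a.domain === 'string') {
    const d = a.domain.replace(/^\./, '').toLowerCase();
    if (apiHost !== d && !apiHost.endsWith('.' + d)) {
      problems.push(`Domain=${a.domain} does not cover the API host ${apiHost}`);
    }
  }
  if (typeof a.path === 'string' && a.path !== '/') {
    problems.push(`Path=${a.path} restricts which API routes receive the cookie`);
  }
  return problems;
}

// Classify what a response says about authentication. A 302 whose Location
// is the login page is the cookie handler's browser-style challenge, which
// an API client normally wants reported as 401 instead.
function classifyAuthResponse({ status, location }) {
  if (status === 401) return 'unauthenticated';
  if (status === 403) return 'forbidden';
  if (status === 302 && typeof location === 'string' && /\/Account\/Login/i.test(location)) {
    return 'redirect-to-login';
  }
  if (status >= 200 && status < 300) return 'ok';
  return 'other';
}

// Browser-side call (fetch is also available in Node 18+). Without
// credentials: 'include' the browser never attaches the cross-site cookie,
// whatever the server's CORS and cookie settings say.
async function apiGet(url) {
  const res = await fetch(url, {
    credentials: 'include',
    headers: { Accept: 'application/json' },
  });
  // fetch follows the 302 silently; the final URL reveals it landed on the login page.
  if (res.redirected && /\/Account\/Login/i.test(res.url)) {
    throw new Error(`cookie not accepted by ${new URL(url).host}: redirected to login`);
  }
  return res;
}

// Constructed sample inputs (not real captures): a development-style cookie
// without Secure, and the capture's 302 response.
const sampleDevCookie = parseSetCookie('.AspNetCore.Cookies=abc123; path=/; samesite=none; httponly');
const sampleDevProblems = crossSiteCookieProblems(sampleDevCookie, 'api.example.com');
const sampleRedirect = classifyAuthResponse({
  status: 302,
  location: 'https://api.example.com/Account/Login?ReturnUrl=%2Faccount%2Fme',
});
```

Running `crossSiteCookieProblems` against the `Set-Cookie` header captured from the real login response (the Network tab shows it unmodified, even for HttpOnly cookies) tells you in one step whether the browser could have stored and resent the cookie at all, which separates a client-side cookie problem from anything in the ingress or the middleware pipeline.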