I have a .NET Core API behind an nginx Kubernetes ingress. I'm talking to it via a React front-end on a different domain that I've cleared with CORS.
Sample of the relevant code in Startup.cs:
```csharp
// ConfigureServices: cookie scheme is the default, JWT bearer registered alongside it
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddJwtBearer(
        <XXXXXX>
    )
    .AddCookie(options =>
    {
        options.Cookie.HttpOnly = true;
        // Secure only outside Development (local testing runs over http)
        options.Cookie.SecurePolicy = _env.IsDevelopment()
            ? CookieSecurePolicy.None : CookieSecurePolicy.Always;
        // Cross-site front-end, so the cookie must be SameSite=None
        options.Cookie.SameSite = SameSiteMode.None;
    });

services.Configure<CookiePolicyOptions>(options =>
{
    options.MinimumSameSitePolicy = SameSiteMode.None;
    options.HttpOnly = HttpOnlyPolicy.Always;
    options.Secure = _env.IsDevelopment()
        ? CookieSecurePolicy.None : CookieSecurePolicy.Always;
});

services.AddCors(options =>
{
    options.AddPolicy(name: AllowWebClientOrigin,
        builder =>
        {
            // Exact origin (not "*"), because credentials are allowed
            builder.WithOrigins("<FRONT_END_URL>")
                .AllowAnyHeader()
                .AllowAnyMethod()
                .AllowCredentials();
        });
});

// Configure: middleware pipeline order as currently deployed
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseCors(AllowWebClientOrigin);
app.UseCookiePolicy();
app.UseEndpoints.....
```
The issue is that my requests are not being authenticated when I log in and start making calls. I am able to log in successfully and obtain the cookie, and I'm sending the cookie with each request; I've tried both the browser default and setting it explicitly as a header ("cookie").
It works locally in testing, so I suspect the problem is located in my nginx config.
Example of a request and response in Chrome:

```
General:
Request URL: https://<API_DOMAIN>/account/me
Request Method: GET
Status Code: 302
Remote Address: 45.79.60.107:443
Referrer Policy: no-referrer-when-downgrade

Response Headers:
access-control-allow-credentials: true
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,Cookie
access-control-allow-methods: PUT, GET, POST, OPTIONS
access-control-allow-origin: https://<FRONT_END_CLIENT>
content-length: 0
date: Mon, 20 Apr 2020 16:25:16 GMT
location: https://<API_DOMAIN>/Account/Login?ReturnUrl=%2Faccount%2Fme
server: nginx/1.17.8
status: 302
strict-transport-security: max-age=15724800; includeSubDomains
vary: Origin

Request Headers:
:authority: <API_DOMAIN>
:method: GET
:path: /account/me
:scheme: https
accept: application/json, text/plain, */*
accept-encoding: gzip, deflate, br
accept-language: en-GB,en-US;q=0.9,en;q=0.8
cookie: .AspNetCore.Cookies=<COOKIE>
origin: <FRONT_END_CLIENT>
referer: <FRONT_END_CLIENT>
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-site
user-agent: <XXXX>
```
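A cross-site, credentialed request like the one captured above has to clear two independent gates before the cookie handler ever sees the cookie: the browser must be willing to attach the cookie (decided by the cookie's `SameSite` and `Secure` attributes relative to the two sites), and the CORS response must permit credentials for that exact origin. The 302 to `/Account/Login` is the cookie handler's challenge, which fires when the request carried no cookie it could accept. The following diagnostic is an added example, not code from the question or from ASP.NET Core; it parses a `Set-Cookie` value and a response header map and reports which gate failed. The hostnames, the `Set-Cookie` strings, and the `site_of` helper (which approximates eTLD+1 with the last two host labels instead of the public suffix list) are constructed assumptions for the example.

```python
"""Diagnose why a cross-site, credentialed request to a cookie-authenticated
API is not authenticated. Added example; sample headers are constructed to
mirror the capture in the question, with placeholder hostnames."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class CookieAttrs:
    name: str
    secure: bool = False
    http_only: bool = False
    same_site: str = "Lax"  # browsers treat an unspecified SameSite as Lax


def parse_set_cookie(header: str) -> CookieAttrs:
    """Extract the attributes that decide cross-site delivery from a Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    attrs = CookieAttrs(name=parts[0].split("=", 1)[0])
    for part in parts[1:]:
        key, _, val = part.partition("=")
        key = key.lower()
        if key == "secure":
            attrs.secure = True
        elif key == "httponly":
            attrs.http_only = True
        elif key == "samesite":
            attrs.same_site = val.strip().capitalize() or "Lax"
    return attrs


def site_of(url: str) -> str:
    """Assumed simplification: scheme + last two host labels stands in for eTLD+1."""
    u = urlsplit(url)
    labels = (u.hostname or "").split(".")
    return f"{u.scheme}://{'.'.join(labels[-2:])}"


def browser_sends_cookie(cookie: CookieAttrs, front_end: str, api: str) -> tuple[bool, str]:
    """Would fetch(credentials:'include') from front_end to api carry this cookie?"""
    if urlsplit(api).scheme != "https" and cookie.secure:
        return False, "cookie is Secure but the API is not https"
    if site_of(front_end) == site_of(api):
        return True, "same-site request; SameSite does not restrict it"
    if cookie.same_site == "Strict":
        return False, "SameSite=Strict cookies are never sent cross-site"
    if cookie.same_site == "Lax":
        return False, "SameSite=Lax cookies are only sent on top-level navigations, not fetch/XHR"
    # SameSite=None: Chrome 80+ drops the cookie entirely unless it is also Secure
    if not cookie.secure:
        return False, "SameSite=None without Secure is rejected by Chrome 80+"
    return True, "SameSite=None; Secure: browser attaches it cross-site"


def cors_problems(resp: dict[str, str], origin: str) -> list[str]:
    """Problems that make the browser block a credentialed cross-origin response."""
    h = {k.lower(): v for k, v in resp.items()}
    out: list[str] = []
    acao = h.get("access-control-allow-origin")
    if acao is None:
        out.append("missing Access-Control-Allow-Origin")
    elif acao == "*":
        out.append("Access-Control-Allow-Origin: * is not allowed with credentials")
    elif acao != origin:
        out.append(f"Access-Control-Allow-Origin {acao!r} does not match origin {origin!r}")
    if h.get("access-control-allow-credentials", "").lower() != "true":
        out.append("Access-Control-Allow-Credentials must be exactly 'true'")
    vary = [v.strip().lower() for v in h.get("vary", "").split(",")]
    if acao not in (None, "*") and "origin" not in vary:
        out.append("echoing the origin without 'Vary: Origin' is cache-unsafe")
    return out


def classify_auth_result(status: int, location: str | None) -> str:
    """Interpret the API status for a request that carried .AspNetCore.Cookies."""
    if status == 302 and location and "/Account/Login" in location:
        return ("cookie handler challenged: no acceptable cookie (absent, expired, or not "
                "decryptable by this instance, e.g. data-protection keys differ between replicas)")
    if status == 401:
        return "unauthenticated, no redirect (API-style challenge)"
    if 200 <= status < 300:
        return "authenticated"
    return f"unexpected status {status}"


def diagnose(set_cookie: str, front_end: str, api: str, response: dict[str, str]) -> dict:
    cookie = parse_set_cookie(set_cookie)
    sent, why = browser_sends_cookie(cookie, front_end, api)
    return {
        "cookie_sent": sent,
        "cookie_reason": why,
        "cors_problems": cors_problems(response, front_end),
        "auth_result": classify_auth_result(int(response["status"]), response.get("location")),
    }


# Constructed sample data (assumed hostnames; values mirror the capture above)
FRONT_END = "https://app.example.com"
API = "https://api.example.com"
SAMPLE_RESPONSE = {
    "access-control-allow-credentials": "true",
    "access-control-allow-origin": FRONT_END,
    "status": "302",
    "location": API + "/Account/Login?ReturnUrl=%2Faccount%2Fme",
    "vary": "Origin",
}
# What the Startup.cs above emits in production (Secure) and in Development (no Secure)
PROD_COOKIE = ".AspNetCore.Cookies=<COOKIE>; path=/; secure; samesite=none; httponly"
DEV_COOKIE = ".AspNetCore.Cookies=<COOKIE>; path=/; samesite=none; httponly"

if __name__ == "__main__":
    print("production:", diagnose(PROD_COOKIE, FRONT_END, API, SAMPLE_RESPONSE))
    print("dev, cross-site:", diagnose(DEV_COOKIE, "https://localhost:3000", API, SAMPLE_RESPONSE))
```

Run against the sample, the production case reports the cookie as sent and the CORS headers as clean, which leaves only the server-side verdict: the cookie handler challenged. That narrows the search to what happens after the cookie arrives (the value itself, its expiry, or which instance validates it) rather than to the browser or the CORS policy. The development cookie, tried cross-site, fails at the browser gate instead.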