Correlation failed. at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler during OIDC authentication

c# asp.net-core asp.net-identity openid-connect azure-application-gateway

22,496

Solution 1

I have same problem, if your environment is web farm, you should use DataProtection to share key.

Solution 2

I had a similar Correlation error in Chrome but not Safari... turns out that when SameSite.None is being used you must run your custom site (even localhost) using https. That solved all my correlation woes.

Solution 3

I had the same problem, but my issue was due to my understanding of auth workflow, which was wrong. There are two callback URLs that are important, and I thought they serve the same purpose. I was so wrong.

This is defined in Startup.cs

.AddOpenIdConnect("Auth0", options =>
            {
                options.CallbackPath = new PathString("/signin-auth0");

It tells the authorisation middleware in your app, on which URL it should listen, once auth provider gets back after successful authentication. Then the middleware itself will redirect the application to the callback URL defined in your Login action (sample code is below).

After that (two days of struggle), everything started working.

public class AccountController : Controller
{
    [HttpGet]
    public async Task Login()
    {
        await HttpContext.ChallengeAsync("Auth0", new AuthenticationProperties() { RedirectUri = "/my-callback-page" });
    }
}

Solution 4

I had the same issue. I was defining multiple external endpoints for Authorization. In my case I had defined Callback Paths that were being used by multiple clients. Once I defined unique Callback Paths the problem was solved: example:

  options.Authority = …..";
.
.
  options.CallbackPath = "/signin-idsrv2"; // I already had /sign-in-idsrv

Similarly, make sure the SignedOutCallbackPaths are unique. Hope it works for you.

View more solutions

22,496

Sat Thiru

Updated on July 09, 2022

Comments

Sat Thiru almost 2 years

I am hitting this with the following combination:

Browser incognito mode (Chrome)
Application is behind Azure application gateway (no repro if it isn't). Cookie based affinity is turned OFF (default); if turned ON, seems to make repro happen more often.

Code is rather plain vanilla OIDC authN + cookies.

        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddAzureAd(options => {
            Configuration.Bind("AzureAd", options);
        })
        .AddCookie(p => p.SlidingExpiration = true);

I am forwarding the X-Forwarded-Proto header to the auth middleware as recommended so the redirect_uri uses the correct protocol scheme.

HANDLING IN CODE

I tried to handle the OnRemoteFailure() event, and redirect to "/Home/AuthRedirect" which is an anon page that waits for 20 secs, and then redirects to the "/" (home page). It seems to work sometimes, but not always. I am out of ideas.

WORKAROUND

Users can go to the homepage again and hit F5 until this works. It seems that each F5 gets them moving a step ahead and once the OpenID cookies are populated, everything else (I have more auth after openid finishes, via adal.js for AJAX use).
Bypass the application gateway and use the direct service fabric cluster DNS name (not acceptable as it is http).

DETAILS

System.Exception: Correlation failed.
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.d__12.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Builder.RouterMiddleware.d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Builder.RouterMiddleware.d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.d__7.MoveNext()

Sat Thiru almost 6 years

Can you elaborate? What does "use DataProtection to share key" mean in this context?
Sat Thiru almost 6 years

Actually I get it now. Once I added the DataProtection middleware, the issue is no longer repro. Here's my explanation: the GET call to AD happened from a Node that is different from the node that processed the POST /signin-oidc request; because the encryption/decryption keys for the cookies (nonce, I believe) are DIFFERENT between the nodes (due to lack of the DataProtection middleware), decryption fails, and hence "Correlation Failed" error. I used .AddDataProtection() and used a blob store container to host the keys xml. No more repro of the "Correlation failed" error.
BlackFox over 4 years

How do you add the DataProtection middleware?
Tassisto almost 3 years

@BlackFox in StartUp.cs file --> ConfigureServices method --> type this in: "services.AddDataProtection();"