Azure Application Gateway WAF blocking some requests with OpenID Connect nonce cookies

Niklas Nielsen 31 Reputation points
2021-11-10T08:41:43.057+00:00

The default rules of Azure Web Application firewall sometimes block requests containing a cookie set by Microsoft.AspNetCore.Authentication.OpenIdConnect

During challenge redirect the AuthenticationHandler sets a cookie named `.AspNetCore.OpenIdConnect.Nonce.{RandomBase64UrlEncodedBytes}` containing the value "N".
It would seem that the random base64 part of the cookie name sometimes hits a "pattern" that is being blocked by the WAF on incoming requests.

So when getting an "unlucky" nonce cookie, after the successful OIDC login flow redirects back to the application's returnUrl the request is effectively blocked by the WAF, giving a 403 Forbidden response.
The OIDC flow is never ended and thus the cookie is not cleared - effectively blocking the user/client from logging in no matter how many retries unless cookies are cleared.

As these nonces are seemingly random, replicating it is rather cumbersome, as it sometimes requires starting a lot of login flows before hitting an unlucky nonce value.

The problem can be circumvented by using WAF Custom rules and whitelisting the cookie named `.AspNetCore.OpenIdConnect.Nonce*`, but this requires the V2 SKU and a larger application gateway.
Are there any other solutions to this problem using the standard WAF only?
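Before excluding or disabling anything, it helps to confirm from the gateway's firewall logs which managed rule is actually firing on the nonce cookie name. The following is an added example, not code from the question or from Microsoft; it parses a handful of constructed log records (the field layout is an assumption modelled on Application Gateway firewall log entries, and every value, rule id and transaction id in them is made up) and reports the blocked requests whose matched data contains the `.AspNetCore.OpenIdConnect.Nonce` prefix, grouped by rule id, so the operator knows exactly which rule an exclusion or custom rule would need to target.

```python
import json
import re
from collections import Counter

# Cookie name prefix used by Microsoft.AspNetCore.Authentication.OpenIdConnect for its
# nonce cookie; the suffix is random base64url text, so it matches [A-Za-z0-9_-]+.
NONCE_COOKIE_PREFIX = ".AspNetCore.OpenIdConnect.Nonce"
NONCE_COOKIE_RE = re.compile(r"^\.AspNetCore\.OpenIdConnect\.Nonce\.[A-Za-z0-9_-]+$")

# Constructed sample records (assumption: one JSON object per line with the
# action / ruleId / details.data fields seen in Application Gateway firewall logs).
# None of these values come from a real gateway.
SAMPLE_LOG_LINES = [
    json.dumps({"operationName": "ApplicationGatewayFirewall", "properties": {
        "clientIp": "203.0.113.10", "requestUri": "/signin-oidc", "action": "Blocked",
        "ruleId": "942100", "transactionId": "tx-0001",
        "details": {"data": "Matched Data: found within REQUEST_COOKIES_NAMES: "
                            ".AspNetCore.OpenIdConnect.Nonce.AbCd-EfGh_IjKl"}}}),
    json.dumps({"operationName": "ApplicationGatewayFirewall", "properties": {
        "clientIp": "203.0.113.11", "requestUri": "/search", "action": "Blocked",
        "ruleId": "942100", "transactionId": "tx-0002",
        "details": {"data": "Matched Data: found within ARGS:q: ' or 1=1--"}}}),
    json.dumps({"operationName": "ApplicationGatewayFirewall", "properties": {
        "clientIp": "203.0.113.12", "requestUri": "/signin-oidc", "action": "Blocked",
        "ruleId": "942200", "transactionId": "tx-0003",
        "details": {"data": "Matched Data: found within REQUEST_COOKIES_NAMES: "
                            ".AspNetCore.OpenIdConnect.Nonce.Zz9_Q-wwRRtt"}}}),
    json.dumps({"operationName": "ApplicationGatewayFirewall", "properties": {
        "clientIp": "203.0.113.13", "requestUri": "/signin-oidc", "action": "Matched",
        "ruleId": "942100", "transactionId": "tx-0004",
        "details": {"data": "Matched Data: found within REQUEST_COOKIES_NAMES: "
                            ".AspNetCore.OpenIdConnect.Nonce.Mm3-kk_Ppqq"}}}),
    "this line is not JSON and must be skipped, not crash the triage",
]


def parse_log_lines(lines):
    """Parse newline-delimited JSON records, skipping blank or malformed lines."""
    entries = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a malformed export line should not abort the whole triage
    return entries


def is_nonce_cookie_name(name):
    """True if the cookie name has the exact shape the OIDC handler produces."""
    return NONCE_COOKIE_RE.match(name) is not None


def nonce_cookie_blocks(entries):
    """Return the blocked requests whose matched data names the OIDC nonce cookie."""
    hits = []
    for entry in entries:
        props = entry.get("properties", {})
        if props.get("action") != "Blocked":  # ignore detection-mode "Matched" rows
            continue
        data = props.get("details", {}).get("data", "")
        if NONCE_COOKIE_PREFIX in data:
            hits.append({
                "transactionId": props.get("transactionId"),
                "ruleId": props.get("ruleId"),
                "requestUri": props.get("requestUri"),
                "clientIp": props.get("clientIp"),
            })
    return hits


def rules_to_review(entries):
    """Count nonce-cookie blocks per rule id: the candidates for a scoped exclusion."""
    return Counter(hit["ruleId"] for hit in nonce_cookie_blocks(entries))


if __name__ == "__main__":
    parsed = parse_log_lines(SAMPLE_LOG_LINES)
    for hit in nonce_cookie_blocks(parsed):
        print("blocked nonce cookie:", hit)
    print("rules to review:", dict(rules_to_review(parsed)))
```

Scoping any follow-up to the rule ids this reports, and to the cookie name (not the cookie value or the whole request), keeps the rest of the managed rule set intact for the login callback path.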

ASP.NET Core
Azure Web Application Firewall

Accepted answer
  1. SaiKishor-MSFT 17,216 Reputation points
    2021-11-12T05:56:48.577+00:00

    @Niklas Nielsen Thank you for reaching out to Microsoft Q&A.

    I understand that you are having issues with Azure Application Gateway WAF blocking requests with OpenID connect nonce cookies and want to know how to solve this issue using a standard WAF.

    Azure Application Gateway supports the http/https/http2/websocket protocols. OpenID Connect is not a networking protocol. The only workaround for this is to either exclude the rule or use custom rules using WAF V2.

    Hope this helps. Please let us know if you have any further questions and we will be glad to assist you further. Thank you!



0 additional answers