
ServiceM.47051 (Customer) asked a question.
Hi!
I am struggling with an issue that seems to be hard to troubleshoot:
The application I am referring to authenticates users to a financial application. In the Okta portal, the application is configured as OpenID Connect with Authorization Code. The URI where Okta is sending the authn response is configured correctly. We are hosting the Okta sign-in widget as part of the application.
The application resides on several web servers behind a load balancer. Ever since we went live with our authentication, we had to enable session affinity to make sure that every request pertaining to the same authentication would be routed to the same web server where the authentication originated. This setup worked well for a while until we started to utilize services from Akamai to protect our applications from malicious traffic. Ever since users have been accessing our authentication via the Akamai edge servers, we have been seeing the occasional "Correlation Failed" exception. If I had to put a number on it, I would say it's far less than 1% of all authentications. The problem became worse when we tried to introduce a feature from Akamai that reduces the number of servers from Akamai to go to Origin (Okta and our web application). This was needed to facilitate some sign-on policy rules to work correctly by being able to list all Akamai edge servers as proxies. The Akamai service that facilitates this is called SiteShield.
Having googled the "Correlation Failed" exception in conjunction with OAuth, it seems that this is a pretty common problem where the IDP callback to the `.../authorization-code/callback` endpoint results in dotnet core not being able to correlate the request to the original authn request for some reason. We initially thought that using data protection would solve the problem in case our load balancer was somehow routing the callback to the wrong server - maybe because of some header changes that Akamai was introducing. Even after adding data protection (all servers use the same secret to en/de-crypt cookies), the problem still existed.
I was wondering if anybody else had encountered this problem or had any idea how to troubleshoot it. Our application setup follows the recommendations by Okta.
Thanks for any pointers anybody might be able to provide.

@NateB.84026 (Customer) I'm sorry to ping you directly - I saw that you had commented on a dev forum thread with a similar topic before (https://devforum.okta.com/t/asp-net-core-correlation-failed-error-message/3563). I was wondering if you had any troubleshooting tips, by chance. Thanks in advance!
If I am not mistaken, we are experiencing this same issue.
Hi @DemetriusD.24811 (Customer),
Did you happen to be able to solve the problem?
Thanks!
Stephan
After 3 months, have there been any updates to this? We get the same error.
If you are not already using Data Protection, make sure you do. If you are, look into whether it's working as expected. To be safe, set the application name.
For a dotnet core app:

```csharp
services.AddDataProtection()
    .SetApplicationName("MyAuthApp")
    ...;
```

By default the absolute path on each server is used to set the common denominator between each box your app is running on. If the path is slightly different, then DataProtection will not work, and you might see more Correlation errors.
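
A way to check the advice above outside the web app, as an added example that is not part of the original thread: a console program that plays server A and server B with the Data Protection API and reports whether B can decrypt what A protected. The temp directories, the purpose string and the `OtherName` application name are assumptions made for the example; only `MyAuthApp` comes from the post.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

// Needs the Microsoft.AspNetCore.DataProtection.Extensions NuGet package.
public static class KeyRingCheck
{
    // Stands in for one web server: a provider tied to a key directory and an app name.
    static IDataProtector Server(string keyDir, string appName) =>
        DataProtectionProvider
            .Create(new DirectoryInfo(keyDir), b => b.SetApplicationName(appName))
            .CreateProtector("KeyRingCheck.v1"); // hypothetical purpose string

    // True when this server can decrypt a payload that another server produced.
    static bool CanUnprotect(IDataProtector server, string payload)
    {
        try { server.Unprotect(payload); return true; }
        catch (CryptographicException) { return false; }
    }

    public static void Main()
    {
        // Constructed temp directories; in production this would be a shared key store.
        string root = Path.Combine(Path.GetTempPath(), "dp-check-" + Guid.NewGuid());
        string shared = Path.Combine(root, "shared");
        string local = Path.Combine(root, "local-only");

        // Server A protects a value, as the instance that starts the sign-in would.
        string payload = Server(shared, "MyAuthApp").Protect("constructed-state-value");

        // Server B variants that might receive the callback.
        Console.WriteLine("same keys, same app name:      " +
            CanUnprotect(Server(shared, "MyAuthApp"), payload));
        Console.WriteLine("same keys, different app name: " +
            CanUnprotect(Server(shared, "OtherName"), payload));
        Console.WriteLine("separate keys, same app name:  " +
            CanUnprotect(Server(local, "MyAuthApp"), payload));

        Directory.Delete(root, recursive: true);
    }
}
```

Only the first case should print `True`; the other two reproduce the mismatches the post warns about, a differing application name and a key ring that is not actually shared.
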
Yeah, still getting that error. I wonder if it's because I'm not using HTTPS on the development server.