I have a problem where my identity server works great with no problems logging in users on desktop computers. However when i go to the webpage on a mobile app and log in I get a constant redirect situation.

It goes to the identity server the first time, I log in, and then when it redirects back to the app it automatically redirects back to identity server and back and forth.

If I stop the redirection (by hitting the stop button on the browser) then go to my site I am already logged in now.

I am using IdentityServer3 and Asp.Net Core.

The logs for the identity server show no error and successful logins. This happens if I log in with an external provider or a custom provider.

I thought it was something with safari but i installed chrome on my phone and it does the same thing.

I did some research and I don't think it is a http/https problem and I can not add the Session_start because it doesn't exist in core.

Can anyone think of a reason the mobile app would not work while the desktop app works fine? Any suggestions on any other logs i can check or things i can try?

public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication(options =>
    {
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    })
    .AddCookie(options =>
    {
        options.LoginPath = new PathString("/Login/Login/");
        options.AccessDeniedPath = new PathString("/Login/Login/");
    })
    .AddOpenIdConnect(options =>
    {
        options.Authority = _authenticationServer;
        options.ClientId = "...";
        options.ResponseType = "id_token";
        options.Scope.Add("openid");
        options.Scope.Add("email");
        options.Scope.Add("profile");
        options.UseTokenLifetime = false;

        options.TokenValidationParameters = new TokenValidationParameters
        {
            NameClaimType = "name",
            ValidateIssuer = false,
        };
        options.Events = new OpenIdConnectEvents
        {
            OnTokenValidated = context =>
            {
                ...
                return Task.CompletedTask;
            }
        };
    });

    services.AddMvc(config =>
    {
        var policy = new AuthorizationPolicyBuilder()
                            .RequireAuthenticatedUser()
                            .Build();
        config.Filters.Add(new AuthorizeFilter(policy));
    })
    .AddJsonOptions(options =>
            options.SerializerSettings.ContractResolver = new DefaultContractResolver());

    services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();
    services.AddSingleton(Configuration);
    services.AddMemoryCache();
    services.AddSession();
    services.AddKendo();
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Home/Error");
        app.UseHsts();
    }
    app.UseStaticFiles();
    app.UseSession();
    app.UseAuthentication();

    app.UseMvc(routes =>
    {
        routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}");
    });
}

UPDATE:

I verified that this is only a problem on the iPhone. Android works fine. I also verified this is a problem with a .Net Core client app. A .Net standard client app works fine.

My authorize endpoint gets called in an endless loop.

Has anyone successfully set up a .Net core client app against identity server and have it working through an iphone browser? Any help?!?

I have a workaround to get past this error I wanted to post in case anyone else runs into this problem.

I suspect that anyone trying to use OpenIdConnect with Asp.Net Core (not sure it has to be IdentityServer) will get this logging in on an iPhone.

This is just a workaround until I can find out exactly why it is redirecting. I hook into the redirect event and check if there is an origin header. The first time it redirects to identity server the origin is set but the second time its not set. If it is not set I check if it is a mobile phone. If so I stop the default action (constant redirect) and go directly to my url.

This works because the user actually gets logged in successfully even though it redirects. That's why this is so strange.

options.Events = new OpenIdConnectEvents
{
    OnRedirectToIdentityProvider = x =>
    {
        if (!string.IsNullOrWhiteSpace(x.Request.Headers["Origin"]))
        {
            string userAgent = x.Request.Headers["User-Agent"];
            if (IsMobileBrowser(userAgent))
            {
                x.HandleResponse();
                x.Response.Redirect(<url>);
            }
        }
        return Task.CompletedTask;
   },

This sounds a lot like the same problem I had (Guidance required diagnosing infinite loop authenticating on ios (safari and chrome) with identity server 4). In my case it's a problem only on iphone and related to IOS12. Details of a work around are here:

GitHub aspnet core issue 4647

It's most likely a cookie storage problem. There are limits for cookie size that vary from browser to browser.

1. After successful login browser gets redirected
2. Server tries to set the cookie
3. If cookie size exceeds the limit, browser gives a warning in the console, that cookie will be ignored
4. Page reloads, but there is no authentication cookie set, so browser gets redirected to the login page
5. Often "remember me" option is enabled, so cycle begins with step 1

Try to reduce the cookie size.