Unable to generate a cookie - Duende Server

Question

I was asked to host an IdentityServer on a machine https://localhost:5001 and have custom pages for login with React.
In order to test this I made a few changes to IdentityServer and I am using real simple html files.

I can click on the login button and it redirects me to the login page that already has the ReturnUrl set and once I send the request via axios, it reaches the login controller.
The problem now is that once it returns an Ok() response with the redirect_uri, no cookie is created. There is a cookie but it does not have the access_token, refresh_token, id_token nor user info.

[HttpPost("login")]
public async Task<IActionResult> Login(string username, string password, string returnUrl)
{
    // check if we are in the context of an authorization request
    var context = await _interaction.GetAuthorizationContextAsync(returnUrl);

    if (context == null)
    {
        return Redirect("~/");
    }

    var user = await _userManager.FindByNameAsync(username);

    if(await _userManager.CheckPasswordAsync(user, password))
    {
        var claims = new List<Claim>
        {
            new("Sub", user.Id),
            new(ClaimTypes.Name, user.Email),
            new("FullName", user.Name),
            new(ClaimTypes.Role, "User")
        };

        var claimsIdentity = new ClaimsIdentity(
            claims, CookieAuthenticationDefaults.AuthenticationScheme);

        var authProperties = new AuthenticationProperties
        {
            AllowRefresh = true,
            ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(20),
            IsPersistent = true,
            IssuedUtc = DateTimeOffset.UtcNow,
        };

        await HttpContext.SignInAsync(
            CookieAuthenticationDefaults.AuthenticationScheme,
            new ClaimsPrincipal(claimsIdentity),
            authProperties);

        return Ok(context.RedirectUri);
    }

    return BadRequest("Something went wrong");
}

and the HostingExtensions.cs

    public static WebApplication ConfigureServices(this WebApplicationBuilder builder)
    {
        var migrationsAssembly = typeof(Program).Assembly.GetName().Name;
        var connectionString = builder.Configuration.GetConnectionString("EFConn");

        builder.Services.AddControllers();

        builder.Services.AddDbContext<DbContext>(opt =>
        {
            opt.UseNpgsql(connectionString, opt => opt.MigrationsAssembly(migrationsAssembly));
        });

        builder.Services.AddIdentity<User, IdentityRole>()
            .AddEntityFrameworkStores<DbContext>()
            .AddDefaultTokenProviders();

        builder.Services.AddIdentityServer(options =>
        {
            // I had to override the IReturnUrlParser class
            options.UserInteraction.LoginUrl = "https://localhost:5003/login.html";
            options.UserInteraction.ErrorUrl = "http://localhost:5001/error.html";
            options.UserInteraction.LogoutUrl = "http://localhost:8082/logout.html";

            options.EmitStaticAudienceClaim = true;

            options.Events.RaiseErrorEvents = true;
            options.Events.RaiseFailureEvents = true;
            options.Events.RaiseInformationEvents = true;
            options.Events.RaiseSuccessEvents = true;
        })
        .AddConfigurationStore(options =>
        {
            options.ConfigureDbContext = b => b.UseNpgsql(connectionString,
                sql => sql.MigrationsAssembly(migrationsAssembly));
        })
        .AddOperationalStore(options =>
        {
            options.ConfigureDbContext = b => b.UseNpgsql(connectionString,
                sql => sql.MigrationsAssembly(migrationsAssembly));
        })
        .AddAspNetIdentity<User>();

        builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
        .AddCookie(options =>
        {
            options.ExpireTimeSpan = TimeSpan.FromMinutes(20);
            options.SlidingExpiration = true;
            options.AccessDeniedPath = "/Forbidden/";
        });

        var cors = new DefaultCorsPolicyService(new  LoggerFactory().CreateLogger<DefaultCorsPolicyService>()){ AllowAll = true };

        builder.Services.AddSingleton<ICorsPolicyService>(cors);
        builder.Services.AddTransient<IReturnUrlParser, ReturnUrlParser>();

        builder.Services.AddCors(options =>
        {
            // this defines a CORS policy called "default"
            options.AddPolicy("default", policy =>
            {
                policy
                  .WithMethods("GET", "POST", "PATCH", "DELETE", "OPTIONS")
                  .AllowAnyHeader()
                  .WithOrigins("https://localhost:5003");
            });
        });

        return builder.Build();
    }

    public static WebApplication ConfigurePipeline(this WebApplication app)
    {
        app.UseSerilogRequestLogging();

        if (app.Environment.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        InitializeDatabase(app);

        app.UseCors("default");

        app.UseStaticFiles();
        app.UseRouting();

        app.UseIdentityServer();

        app.MapControllers();

        return app;
    }

The only thing that I get on the browser is this aspnet cookie: The result - img

I've searched for so long and still can't find anyone that has tried to do the same.

Answer 1

your cookie wont have access token or id token. Once user signed in, claims will be added and save in cookies. In next request if claims are set and user is authticate, then you will get access token/id token. If you want to change the name of cookie then you are can following properties in your "AddIdentityServer" method

 options.Authentication.CookieSlidingExpiration = true;
 options.Authentication.CookieLifetime = TimeSpan.FromMinutes(45);
 options.Authentication.CheckSessionCookieName = "mycookiename";