We have a strong use case, and I’d like your suggestion on how to solve an issue we're facing.

We built a banking system using ASP.NET Core that allows users to view their accounts.

Here's how it works: we create a consent using a username and password generated by the bank. Our system sends an API request to the bank to create this consent. The bank then responds with a login URL, which we open so the user can log in and approve the consent.

After the user successfully logs in, the bank's system triggers a callback URL (which we provide). This callback contains a code that we use to exchange for access tokens.

The issue arises during this callback step. We configured our app to use SameSiteMode.Strict for cookies. As a result, when the bank redirects to our callback URL, the request doesn't include any cookies, including the authentication cookie. This means the user isn't recognized as logged in.

To fix this, we switched to SameSiteMode.None, which generally works — but occasionally, the cookies are still missing from the request.

We cannot use lax or none for cookies because cyber security will mark it as a VA, and we cannot make the callback action anonymous: there are 6 middleware components that check authentication and authorization (channel token, user access token, user refresh token, device id, device type and claims, etc.).

What is the best practice for a solution to this?

I suggest using a callback into a real-time socket. Does anyone have any other solution?

Note that there is a web client and mobile application. For now, the callback is returning to a web client, but should be changed.

1 Reply

SameSiteMode.None is not just unreliable, it's insecure.

Instead of relying on cookies, why not use a State query parameter which contains a token/claim? Then catch that query parameter in the middleware, decode/validate it and apply the correct authentication and authorization.

This is the method that many OAuth callbacks use.
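The following is an added example of the approach this reply describes, written for this page and not taken from the question's project or from the reply's author. It shows an ASP.NET Core app that issues an HMAC-signed, single-use, time-limited `state` value before sending the user to the bank, and a middleware that authenticates the callback request from that `state` value alone, so no cookie is needed and `SameSiteMode.Strict` can stay in place. Everything specific here is an assumption: the endpoint paths `/consent/start` and `/consent/callback`, the configuration key `ConsentState:HmacKeyHex`, the use of a `sub` claim for the user id, and that the bank's consent API accepts a `state` parameter and echoes it back on the callback (as OAuth 2.0 authorization servers do).

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text.Json;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
// Assumption: the HMAC key is supplied from configuration / a secret store, never hard-coded.
var key = Convert.FromHexString(builder.Configuration["ConsentState:HmacKeyHex"]
    ?? throw new InvalidOperationException("ConsentState:HmacKeyHex is not configured"));
builder.Services.AddSingleton(new ConsentStateProtector(key));
var app = builder.Build();

// 1. Issue the state when the consent flow starts. The caller is already authenticated by the
//    app's normal cookie/token pipeline (assumed; that configuration is omitted here).
app.MapPost("/consent/start", (HttpContext ctx, ConsentStateProtector protector) =>
{
    var userId = ctx.User.FindFirst("sub")?.Value ?? "demo-user"; // assumption: 'sub' holds the user id
    var state = protector.Issue(userId, TimeSpan.FromMinutes(10));
    // The state is passed to the bank with the consent request and returned unchanged on the callback.
    return Results.Ok(new { state });
});

// 2. Authenticate the callback from the 'state' query parameter instead of a cookie.
//    Register this after UseAuthentication (so it is not overwritten) and before the existing
//    authorization checks, which then see an authenticated ClaimsPrincipal as usual.
app.Use(async (ctx, next) =>
{
    if (ctx.Request.Path == "/consent/callback")
    {
        var protector = ctx.RequestServices.GetRequiredService<ConsentStateProtector>();
        var state = protector.Validate(ctx.Request.Query["state"]);
        if (state is null)
        {
            ctx.Response.StatusCode = StatusCodes.Status401Unauthorized; // forged, expired or replayed state
            return;
        }
        var identity = new ClaimsIdentity(new[] { new Claim("sub", state.UserId) }, "ConsentState");
        ctx.User = new ClaimsPrincipal(identity);
    }
    await next();
});

app.MapGet("/consent/callback", (HttpContext ctx, string code) =>
{
    // ctx.User is authenticated here even though the cross-site redirect carried no cookies.
    // Exchange 'code' for tokens with the bank at this point (omitted).
    return Results.Ok(new { user = ctx.User.FindFirst("sub")?.Value, code });
});

app.Run();

// Payload carried inside the state: who started the flow, a per-flow nonce and an expiry.
public sealed record ConsentState(string UserId, string Nonce, long ExpiresUnix);

public sealed class ConsentStateProtector
{
    private readonly byte[] _key;
    // Nonces already consumed; in a multi-instance deployment this belongs in a shared store.
    private readonly ConcurrentDictionary<string, byte> _used = new();

    public ConsentStateProtector(byte[] key) => _key = key;

    // Build "<base64url(json)>.<base64url(hmac)>" so the server can verify it issued the value.
    public string Issue(string userId, TimeSpan lifetime)
    {
        var nonce = Convert.ToHexString(RandomNumberGenerator.GetBytes(16));
        var expires = DateTimeOffset.UtcNow.Add(lifetime).ToUnixTimeSeconds();
        var payload = JsonSerializer.SerializeToUtf8Bytes(new ConsentState(userId, nonce, expires));
        var mac = HMACSHA256.HashData(_key, payload);
        return Base64Url(payload) + "." + Base64Url(mac);
    }

    // Returns the payload only if the MAC matches, the state is unexpired and the nonce is unused.
    public ConsentState? Validate(string? token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        var parts = token.Split('.');
        if (parts.Length != 2) return null;
        byte[] payload, mac;
        try { payload = FromBase64Url(parts[0]); mac = FromBase64Url(parts[1]); }
        catch (FormatException) { return null; }
        if (!CryptographicOperations.FixedTimeEquals(HMACSHA256.HashData(_key, payload), mac)) return null;
        var state = JsonSerializer.Deserialize<ConsentState>(payload);
        if (state is null || state.ExpiresUnix < DateTimeOffset.UtcNow.ToUnixTimeSeconds()) return null;
        if (!_used.TryAdd(state.Nonce, 0)) return null; // single use: reject replayed callbacks
        return state;
    }

    private static string Base64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    private static byte[] FromBase64Url(string s)
    {
        var t = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(t.PadRight(t.Length + (4 - t.Length % 4) % 4, '='));
    }
}
```

Because the state is signed with a server-side key, carries an expiry and is consumed on first use, the callback cannot be forged or replayed by anyone who merely knows the URL, and the same mechanism works for both the web client and the mobile application since it does not depend on a browser cookie jar. The existing middleware chain that checks channel token, device id and the rest can remain in place: the only change is that the principal for this one path comes from the validated state rather than from the authentication cookie.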
