Daniel Becroft

The issue looks to be that the `AccountEmails` model is defined as an array, but it's an array of an unnamed type: ``` AccountEmails: type: "array" items: type: "object" properties:...

> > expires=Thu, 01 Jan 9170 > > 😕 > > I'm assuming that's a typo for 1970? We should look at how we're generating these cookies. @Tratcher PTAL. Yeah,...

Hey @Tratcher , thanks for the response. I'll try and capture a trace when we get the issue (it's very sporadic, and the symptoms that we're seeing now doesn't match...

@Tratcher We're using an in-house OAuth identity server, but using the `.AddOAuth()` extension from `Microsoft.AspNetCore.Authentication.OAuth`, combined with `cookie` authentication, in a BFFE model . Our configuration code for the various...

Hi @HaoK , I've tried to enable load balancing on a duplicate environment, and it occasionally fails with the same result (but not always), so load balancing might be a...

@Tratcher No, we only have a single `.AddCookies()` and `.AddOAuth()` call in our configuration.

Hi @Tratcher , sorry we're currently running .NET 5 in production (upgrading to .NET 6 in development at the moment). Once we've pushed v6 into production, we'll try and observe...

One interesting observation from the failing requests (only 2 today), the `/signin-oidc` call after the authentication is still sending the old `__Host-supermateWeb` cookie in the header. Login and timeout flows...

> What are the attributes on __Host-myApplication when it's created? E.g. if it has a Strict SameSite setting then it won't be included after a remote login flow. It would...

Hi @Tratcher , I think the core of the problem is that we are expiring the _authentication ticket_ portion of the cookie, but not removing the cookie itself. This leaves...