Added call to configuration before trying to delete the cookie

Author: javiercn

src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectHandler.cs

@@ -929,10 +929,13 @@ private string ReadNonceCookie(string nonce)
                             var cookieOptions = new CookieOptions
                             {
                                 HttpOnly = true,
+                                Path = OriginalPathBase + Options.CallbackPath,
                                 SameSite = Http.SameSiteMode.None,
                                 Secure = Request.IsHttps
                             };
 
+                            Options.ConfigureNonceCookie?.Invoke(Context, cookieOptions);
+
                             Response.Cookies.Delete(nonceKey, cookieOptions);
                             return nonce;
                         }

src/Microsoft.AspNetCore.Authentication.Twitter/TwitterHandler.cs

@@ -87,6 +87,8 @@ protected override async Task<AuthenticateResult> HandleRemoteAuthenticateAsync(
                 Secure = Request.IsHttps
             };
 
+            Options.ConfigureStateCookie?.Invoke(Context, cookieOptions);
+
             Response.Cookies.Delete(StateCookie, cookieOptions);
 
             var accessToken = await ObtainAccessTokenAsync(requestToken, oauthVerifier);
@@ -159,6 +161,8 @@ protected override async Task HandleChallengeAsync(AuthenticationProperties prop
                 Expires = Clock.UtcNow.Add(Options.RemoteAuthenticationTimeout),
             };
 
+            Options.ConfigureStateCookie?.Invoke(Context, cookieOptions);
+
             Response.Cookies.Append(StateCookie, Options.StateDataFormat.Protect(requestToken), cookieOptions);
 
             var redirectContext = new TwitterRedirectToAuthorizationEndpointContext(Context, Scheme, Options, properties, twitterAuthenticationEndpoint);

src/Microsoft.AspNetCore.Authentication.Twitter/TwitterOptions.cs

@@ -58,6 +58,12 @@ public TwitterOptions()
         /// </summary>
         public ISecureDataFormat<RequestToken> StateDataFormat { get; set; }
 
+        /// <summary>
+        /// Gets or sets an action that can override the state cookie options before the
+        /// cookie gets added to the response.
+        /// </summary>
+        public Action<HttpContext, CookieOptions> ConfigureStateCookie { get; set; }
+
         /// <summary>
         /// Gets or sets the <see cref="TwitterEvents"/> used to handle authentication events.
         /// </summary>

src/Microsoft.AspNetCore.Authentication/RemoteAuthenticationHandler.cs

@@ -246,9 +246,13 @@ protected virtual bool ValidateCorrelationId(AuthenticationProperties properties
             var cookieOptions = new CookieOptions
             {
                 HttpOnly = true,
+                Path = OriginalPathBase + Options.CallbackPath,
                 SameSite = SameSiteMode.None,
                 Secure = Request.IsHttps
             };
+
+            Options.ConfigureCorrelationIdCookie?.Invoke(Context, cookieOptions);
+
             Response.Cookies.Delete(cookieName, cookieOptions);
 
             if (!string.Equals(correlationCookie, CorrelationMarker, StringComparison.Ordinal))