Disable SameSite for AzureAd and B2C cookies #9115

Closed
Tratcher opened this issue Apr 5, 2019 · 1 comment
Labels
accepted This issue has completed "acceptance" testing (including accessibility) area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer bug This issue describes a behavior which is not expected - a bug. Done This issue has been fixed

Tratcher commented Apr 5, 2019

RE: #4647

We've disabled SameSite for many OAuth/OIDC scenarios, but we haven't done it for the cookies added by AddAzureAd and AddAzureAdB2C.

The workaround for these scenarios is not discoverable:

```csharp
services.Configure<CookieAuthenticationOptions>(AzureADDefaults.CookieScheme, options =>
{
  options.Cookie.SameSite = SameSiteMode.None;
});
```

The fix would go here:
https://github.com/aspnet/AspNetCore/blob/258d34e3828a1870a16d13cd3c62d1b7a65acc4a/src/Azure/AzureAD/Authentication.AzureAD.UI/src/AzureADCookieOptionsConfiguration.cs#L31

@Tratcher Tratcher added bug This issue describes a behavior which is not expected - a bug. area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer labels Apr 5, 2019
@Eilon Eilon added this to the 3.0.0-preview6 milestone Apr 11, 2019
@Tratcher Tratcher added the Done This issue has been fixed label May 16, 2019
Tratcher commented Jun 4, 2019

Verified using SDK 3.0.100-preview6-012234

@Tratcher Tratcher added the accepted This issue has completed "acceptance" testing (including accessibility) label Jun 4, 2019
@ghost ghost locked as resolved and limited conversation to collaborators Dec 3, 2019
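
The workaround from the first comment, applied to both cookie schemes the issue names and placed in a `Startup` class, as an added example that is not code from the issue or from the ASP.NET Core repository. The helper name `DisableSameSiteForAzureCookies`, the `"AzureAd"` configuration section name, and the `SecurePolicy`/`HttpOnly` settings (which assume the app is served only over HTTPS) are assumptions of this example.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authentication.AzureADB2C.UI;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class AzureCookieSameSiteExtensions
{
    // Hypothetical helper: applies the issue's workaround to the cookie
    // schemes registered by AddAzureAD and AddAzureADB2C. Named options for
    // a scheme the app never registers are simply never resolved.
    public static IServiceCollection DisableSameSiteForAzureCookies(
        this IServiceCollection services)
    {
        foreach (var scheme in new[]
        {
            AzureADDefaults.CookieScheme,
            AzureADB2CDefaults.CookieScheme,
        })
        {
            services.Configure<CookieAuthenticationOptions>(scheme, options =>
            {
                options.Cookie.SameSite = SameSiteMode.None;
                // Assumption (not from the issue): HTTPS-only deployment.
                // The cookie now travels on cross-site requests, so keep it
                // off plain HTTP and out of reach of page script.
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
                options.Cookie.HttpOnly = true;
            });
        }
        return services;
    }
}

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
            .AddAzureAD(options => Configuration.Bind("AzureAd", options));

        // Registered after AddAzureAD so it runs after the library's own setup.
        services.DisableSameSiteForAzureCookies();
    }
}
```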