[Webkit-unassigned] [Bug 188165] New: iOS 12 Safari breaks ASP.NET Core 2.1 OIDC authentication
bugzilla-daemon at webkit.org
Mon Jul 30 06:39:52 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=188165
Bug ID: 188165
Summary: iOS 12 Safari breaks ASP.NET Core 2.1 OIDC authentication
Product: WebKit
Version: Safari Technology Preview
Hardware: iPhone / iPad
OS: Other
Status: NEW
Severity: Critical
Priority: P2
Component: WebCore Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: hajek.j at hotmail.com
When authenticating with ASP.NET Core 2.0 with OpenID Connect, the Identity cookie doesn't seem to be set when returning back from IdP which results in redirect loop. This same process works with iOS 11.
1. Visit site, access some protected resource
2. Set nonce, redirect to IdP
3. Authenticate at IdP
4. Return back with POST request
5. Validate id_token, set identity cookie with samesite=lax policy
6. Redirect to the protected resource
7. Check for identity cookie - missing, return to step 2
I tested the same flow on PC (Edge, Firefox, Chrome) everything works fine (they all implement samesite policy - https://caniuse.com/#feat=same-site-cookie-attribute). Any idea why Safari treats this case different?
This is probably going to affect quite a lot of users accessing Microsoft's own services as well (for example https://admin.teams.microsoft.com) - once again, this site works just fine on Chrome or Edge.
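The seven-step flow above, as an added model that is not part of the report and is not ASP.NET Core or WebKit code: a relying party that sets its identity cookie with SameSite=Lax, and a browser cookie jar that applies the SameSite rules to decide which cookies are attached. Hosts (rp.example, idp.example), paths and cookie names are constructed. The `dropOnCrossSitePost` switch only reproduces the symptom the reporter describes (no identity cookie after the POST callback) so the resulting redirect loop can be observed and bounded; it is not a statement about the cause in Safari. Under spec behaviour the redirect after the cross-site POST is a top-level GET, which is exactly the case a Lax cookie is sent on, so the flow completes in three hops.

```javascript
// Constructed hosts; site == host is good enough for this model.
const RP = 'https://rp.example';
const IDP = 'https://idp.example';
const site = (url) => new URL(url).host;

class CookieJar {
  // dropOnCrossSitePost: model of the reported symptom (cookie from the
  // response to the cross-site POST never stored). Spec behaviour is false.
  constructor({ dropOnCrossSitePost = false } = {}) {
    this.cookies = new Map();
    this.dropOnCrossSitePost = dropOnCrossSitePost;
  }
  store(req, setCookies = []) {
    const crossSitePost = req.method === 'POST' && site(req.initiator) !== site(req.url);
    for (const c of setCookies) {
      if (this.dropOnCrossSitePost && crossSitePost) continue;
      this.cookies.set(c.name, { ...c, host: site(req.url) });
    }
  }
  // SameSite: None -> always sent; same-site request -> always sent;
  // Lax -> only on top-level GET navigations; Strict -> same-site only.
  cookiesFor(req) {
    const sameSite = site(req.initiator) === site(req.url);
    return [...this.cookies.values()].filter((c) =>
      c.host === site(req.url) &&
      (c.sameSite === 'None' || sameSite ||
        (c.sameSite === 'Lax' && req.method === 'GET' && req.topLevel)));
  }
}

let nonceCounter = 0;

// Relying party: steps 1-2 on /protected, steps 4-6 on /signin-oidc.
function relyingParty(req, cookies) {
  const path = new URL(req.url).pathname;
  const cookie = (name) => cookies.find((c) => c.name === name);
  if (path === '/protected') {
    if (cookie('Identity')) return { status: 200 };
    const nonce = `nonce-${++nonceCounter}`;
    // The nonce cookie is SameSite=None on purpose: the callback is a
    // cross-site POST, on which a Lax cookie would be withheld.
    return {
      status: 302,
      location: `${IDP}/authorize?nonce=${nonce}`,
      setCookies: [{ name: 'OidcNonce', value: nonce, sameSite: 'None' }],
    };
  }
  if (path === '/signin-oidc' && req.method === 'POST') {
    const n = cookie('OidcNonce');
    if (!n || n.value !== req.body.id_token.nonce) return { status: 400 };
    return {
      status: 302,
      location: `${RP}/protected`,
      setCookies: [{ name: 'Identity', value: 'ticket', sameSite: 'Lax' }],
    };
  }
  return { status: 404 };
}

// Drive the browser through the flow; maxHops bounds the redirect loop.
function runFlow(jar, maxHops = 8) {
  const trace = [];
  let req = { method: 'GET', url: `${RP}/protected`, initiator: RP, topLevel: true };
  for (let hop = 1; hop <= maxHops; hop++) {
    const sent = jar.cookiesFor(req);
    const res = relyingParty(req, sent);
    trace.push(`${req.method} ${new URL(req.url).pathname} ` +
      `cookies=[${sent.map((c) => c.name).join(',')}] -> ${res.status}`);
    jar.store(req, res.setCookies);
    if (res.status === 200) return { ok: true, hops: hop, trace };
    if (res.status !== 302) return { ok: false, hops: hop, trace };
    if (site(res.location) === site(IDP)) {
      // Steps 3-4: the IdP authenticates and posts the id_token back
      // (response_mode=form_post), so the callback is a cross-site POST.
      const nonce = new URL(res.location).searchParams.get('nonce');
      req = { method: 'POST', url: `${RP}/signin-oidc`, initiator: IDP,
        topLevel: true, body: { id_token: { nonce } } };
    } else {
      // Redirect after the POST: a top-level GET whose initiator is still
      // the IdP (cross-site), the one cross-site case SameSite=Lax allows.
      req = { method: 'GET', url: res.location, initiator: req.initiator, topLevel: true };
    }
  }
  return { ok: false, loop: true, hops: maxHops, trace };
}

console.log(runFlow(new CookieJar()).trace.join('\n'));
console.log(runFlow(new CookieJar({ dropOnCrossSitePost: true })).trace.join('\n'));
```

Two things worth taking from the model: the nonce/correlation cookie needed on the callback itself has to be readable on a cross-site POST, so Lax is not an option for it, and a relying party should cap the number of sign-in round trips (the `maxHops` guard) so a client that withholds the identity cookie gets an error page rather than an unbounded redirect loop against the IdP.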