[Webkit-unassigned] [Bug 188165] New: iOS 12 Safari breaks ASP.NET Core 2.1 OIDC authentication

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jul 30 06:39:52 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=188165

            Bug ID: 188165
           Summary: iOS 12 Safari breaks ASP.NET Core 2.1 OIDC
                    authentication
           Product: WebKit
           Version: Safari Technology Preview
          Hardware: iPhone / iPad
                OS: Other
            Status: NEW
          Severity: Critical
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: hajek.j at hotmail.com

When authenticating with ASP.NET Core 2.0 with OpenID Connect, the Identity cookie doesn't seem to be set when returning back from the IdP, which results in a redirect loop. This same process works with iOS 11.

1. Visit site, access some protected resource
2. Set nonce, redirect to IdP
3. Authenticate at IdP
4. Return back with POST request
5. Validate id_token, set identity cookie with samesite=lax policy
6. Redirect to the protected resource
7. Check for identity cookie - missing, return to step 2

I tested the same flow on PC (Edge, Firefox, Chrome) and everything works fine (they all implement the samesite policy - https://caniuse.com/#feat=same-site-cookie-attribute). Any idea why Safari treats this case differently?

This is probably going to affect quite a lot of users accessing Microsoft's own services as well (for example https://admin.teams.microsoft.com) - once again, this site works just fine on Chrome or Edge.
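Added example (not part of the bug report, and not WebKit or ASP.NET Core code): a small model of how SameSite cookie rules interact with the seven-step flow above. Set-Cookie is honoured regardless of SameSite; the attribute only limits when the cookie is sent. A Lax cookie is eligible on cross-site top-level navigations with a safe method, so under the draft RFC 6265bis semantics the GET that follows the step-6 redirect should carry the identity cookie even though the navigation began with the IdP's cross-site POST. The host names are constructed, and `chain_strict_policy` is a hypothetical stricter rule that merely reproduces the reported symptom; the report does not say what WebKit actually does. The simulation also caps the number of rounds so a misbehaving cookie policy surfaces as a detectable failure rather than an endless bounce to the IdP.

```python
"""Model of SameSite cookie handling in the OIDC form_post login flow.
Constructed illustration; not WebKit's or ASP.NET Core's actual logic."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

RP = "app.example"   # constructed relying-party (ASP.NET Core app) host
IDP = "idp.example"  # constructed OpenID Connect provider host


def site_of(url: str) -> str:
    """Simplified 'site': the host name (no public-suffix handling)."""
    return urlsplit(url).hostname or ""


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    site: str       # host that set the cookie
    samesite: str   # "Strict", "Lax" or "None"


@dataclass(frozen=True)
class Request:
    method: str
    url: str
    initiator_site: str        # site of the document that started the navigation
    top_level: bool = True
    unsafe_cross_site_in_chain: bool = False  # a cross-site POST occurred earlier in the redirect chain


def spec_policy(cookie: Cookie, req: Request) -> bool:
    """Whether the cookie is attached, following draft RFC 6265bis SameSite semantics (simplified)."""
    if site_of(req.url) != cookie.site:
        return False                       # wrong host altogether
    if req.initiator_site == cookie.site:
        return True                        # same-site request: always attached
    if cookie.samesite == "None":
        return True
    if cookie.samesite == "Strict":
        return False
    # Lax: cross-site only on top-level navigations with a safe method.
    return req.top_level and req.method in ("GET", "HEAD")


def chain_strict_policy(cookie: Cookie, req: Request) -> bool:
    """Hypothetical stricter policy (constructed, not WebKit's actual behaviour):
    a Lax cookie is also withheld when the navigation's redirect chain contains
    a cross-site POST. It reproduces the loop described in the report."""
    if cookie.samesite == "Lax" and req.unsafe_cross_site_in_chain:
        return False
    return spec_policy(cookie, req)


class Browser:
    def __init__(self, policy: Callable[[Cookie, Request], bool]) -> None:
        self.jar: List[Cookie] = []
        self.policy = policy

    def store(self, cookie: Cookie) -> None:
        # Set-Cookie is honoured regardless of SameSite; SameSite only limits sending.
        self.jar = [c for c in self.jar if c.name != cookie.name] + [cookie]

    def cookies_for(self, req: Request) -> Dict[str, str]:
        return {c.name: c.value for c in self.jar if self.policy(c, req)}


def run_login_flow(browser: Browser, max_rounds: int = 3) -> Optional[int]:
    """Simulate steps 1-7 of the report. Returns the round in which /protected
    is finally served with the identity cookie, or None if the flow loops."""
    req = Request("GET", f"https://{RP}/protected", initiator_site=RP)
    for round_no in range(1, max_rounds + 1):
        # Steps 1 and 7: the RP checks for its identity cookie.
        if "identity" in browser.cookies_for(req):
            return round_no
        # Steps 2-4: nonce set, redirect to the IdP, user authenticates, IdP
        # returns the id_token with a cross-site POST (response_mode=form_post).
        callback = Request("POST", f"https://{RP}/signin-oidc", initiator_site=IDP)
        assert "identity" not in browser.cookies_for(callback)  # Lax never rides a cross-site POST
        # Step 5: id_token validated, identity cookie set with SameSite=Lax.
        browser.store(Cookie("identity", "ticket", RP, "Lax"))
        # Step 6: 302 to /protected. The follow-up request is a top-level GET,
        # but the navigation chain began with a cross-site POST.
        req = Request("GET", f"https://{RP}/protected", initiator_site=IDP,
                      unsafe_cross_site_in_chain=True)
    return None   # redirect loop: stop instead of bouncing to the IdP forever


if __name__ == "__main__":
    print("spec policy:", run_login_flow(Browser(spec_policy)))                # 2
    print("chain-strict policy:", run_login_flow(Browser(chain_strict_policy)))  # None
```

Under the spec-style policy the protected resource is served on the second round; under the hypothetical chain-strict policy the identity cookie is never presented and the guard returns None after three rounds, which is the observable signature of the loop the report describes.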
