[Webkit-unassigned] [Bug 188165] iOS 12 Safari breaks ASP.NET Core 2.1 OIDC authentication

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Oct 1 11:17:59 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=188165

tim.powell at veeva.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tim.powell at veeva.com

--- Comment #7 from tim.powell at veeva.com ---
The bug appears to be that it is applying SameSite restrictions to redirects if the initial request was not considered "safe". The two hosts in this flow are Target and IdP.

In the original repro given:

1. Visit site, access some protected resource (SameSite applies none->Target, but we aren't sending cookies)
2. Set nonce, redirect to IdP (SameSite applies Target->IdP, do not send cookies if IdP's cookies are strict, but ok if lax because GET is considered safe)
3. Authenticate at IdP (SameSite does not apply, IdP->IdP)
4. Return back with POST request (SameSite applies IdP->Target, do not send cookies because POST is considered unsafe)
5. Validate id_token, set identity cookie with samesite=lax policy (still part of step 4...)
6. Redirect to the protected resource (SameSite does not apply, Target->Target should send cookies set in step 4/5 **THIS DOES NOT HAPPEN**)
7. Check for identity cookie - missing, return to step 2
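
The SameSite decisions the comment walks through, as an added example that is not part of the bug report or of WebKit: a small model of the rule applied to each hop of the flow, following the comment's reading that every redirect hop is judged against the site that issued it. Host names, cookie attributes and step labels are constructed for illustration.

```python
"""Model of whether a cookie should accompany each hop of the OIDC flow.

Added example; not WebKit code and not a repro of the bug.  Host names
("target", "idp") and the per-step cookie attributes are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Methods that RFC 7231 calls "safe"; Lax cookies ride along on cross-site
# top-level navigations that use one of these.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


@dataclass(frozen=True)
class Hop:
    initiator: Optional[str]  # site that issued this request; None = typed URL
    target: str               # site receiving the request (owner of the cookie)
    method: str               # HTTP method of the request


def cookie_should_be_sent(samesite: str, hop: Hop) -> bool:
    """Expected SameSite outcome for a cookie owned by hop.target."""
    same_site = hop.initiator is None or hop.initiator == hop.target
    if same_site or samesite == "none":
        return True                       # no cross-site restriction applies
    if samesite == "lax":
        return hop.method in SAFE_METHODS  # Lax allows safe cross-site navigations
    return False                          # Strict never crosses sites


# The hops from the comment, each paired with the SameSite attribute of the
# cookie the receiving host would look for.  Step 1 is omitted: no cookie yet.
FLOW = {
    "2-strict": ("strict", Hop("target", "idp", "GET")),    # IdP cookie Strict
    "2-lax":    ("lax",    Hop("target", "idp", "GET")),    # IdP cookie Lax
    "3":        ("lax",    Hop("idp", "idp", "POST")),      # login at IdP
    "4":        ("lax",    Hop("idp", "target", "POST")),   # form POST back
    "6":        ("lax",    Hop("target", "target", "GET")), # redirect to resource
}


def flow_decisions() -> dict[str, bool]:
    """Step label -> should the receiving host's cookie be sent on that hop."""
    return {step: cookie_should_be_sent(ss, hop) for step, (ss, hop) in FLOW.items()}


if __name__ == "__main__":
    for step, sent in flow_decisions().items():
        print(f"step {step:>8}: cookie sent = {sent}")
```

Step 6 evaluates to True here because the final hop is Target->Target; the comment's report is that the browser under test returned the step-4 answer for it instead.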
