[Webkit-unassigned] [Bug 188165] iOS 12 Safari breaks ASP.NET Core 2.1 OIDC authentication

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Oct 3 16:00:47 PDT 2018


Matt W <matt at nextdoor.com> changed:

           What    |Removed                     |Added
                 CC|                            |matt at nextdoor.com

--- Comment #10 from Matt W <matt at nextdoor.com> ---
Just like Lode has reported, we see this problem with OpenIDC flows through Nginx (effectively using this example https://github.com/zmartzone/lua-resty-openidc#sample-configuration-for-passing-bearer-oauth-20-access-tokens-as-cookie) using Okta as our authentication provider.

The flow is using request_type=code and request_mode=query (so a GET request with query parameters) and it seems that Safari on iOS12/Mojave decides the site is insecure and will not pass the session cookie back to the Nginx server. Per all the other comments, removing Samesite entirely from our cookie does solve the problem - but obviously that is not a realistic solution.

It seems to me that while blocking the cookie on POST (request_mode=form_post) to the client server makes sense, blocking on the GET doesn't at all.. this completely breaks OpenIDC flows pretty much all around.

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20181003/7dd906c1/attachment.html>

More information about the webkit-unassigned mailing list