[Webkit-unassigned] [Bug 188165] iOS 12 Safari breaks ASP.NET Core 2.1 OIDC authentication

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Sep 28 03:50:19 PDT 2018


Nicolás Sabena <nico.sabena at hotmail.com> changed:

           What    |Removed                     |Added
                 CC|                            |nico.sabena at hotmail.com

--- Comment #6 from Nicolás Sabena <nico.sabena at hotmail.com> ---
A quick note to those using ASP.Net Core 2.0: you can work around this limitation by changing the response mode from the identity provider to be a GET instead of a POST:

.AddOpenIdConnect("Auth0", options => {
    [...] // other options
    // Set response type to code and response type to query
    // to avoid the default response_mode=form_post
    // which causes issues with WebKit's handling of samesite=lax for the session cookie
    options.ResponseType = "code";
    options.ResponseMode = "query";

This should work as long as the IdP supports a query response mode (which most do). The middleware won't send response_mode=query in this case as it is the default one.
Another workaround would be removing the samesite=lax policy for the session cookie, but that would be a bad idea overall in terms of security.

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180928/3433ceb6/attachment.html>

More information about the webkit-unassigned mailing list