[Webkit-unassigned] [Bug 188165] iOS 12 Safari breaks ASP.NET Core 2.1 OIDC authentication
bugzilla-daemon at webkit.org
Fri Sep 28 03:50:19 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=188165
Nicolás Sabena <nico.sabena at hotmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |nico.sabena at hotmail.com
--- Comment #6 from Nicolás Sabena <nico.sabena at hotmail.com> ---
A quick note to those using ASP.Net Core 2.0: you can work around this limitation by changing the response mode from the identity provider to be a GET instead of a POST:
.AddOpenIdConnect("Auth0", options => {
    [...] // other options
    // Set the response type to "code" and the response mode to "query"
    // so the IdP returns the authorization response via a GET redirect
    // instead of the default response_mode=form_post (a cross-site POST),
    // which causes issues with WebKit's handling of samesite=lax for the session cookie
    options.ResponseType = "code";
    options.ResponseMode = "query";
});
This should work as long as the IdP supports a query response mode (which most do). The middleware won't send response_mode=query in this case as it is the default one.
Another workaround would be removing the samesite=lax policy for the session cookie, but that would be a bad idea overall in terms of security.
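Why the query response mode sidesteps the problem, as an added Python model that is not code from the commenter, ASP.NET Core, or WebKit: it encodes the SameSite rules from draft-ietf-httpbis-rfc6265bis (Lax cookies ride along on a cross-site request only when it is a top-level navigation with a safe method such as GET) and maps each OIDC response_mode to the HTTP method the relying party's callback actually receives. The cookie name and Set-Cookie header below are constructed for the example, and the model describes the specification, not the exact behaviour of iOS 12 Safari.

```python
"""Model of how a browser decides whether to attach a SameSite cookie to a
cross-site request, and what that means for the OIDC response modes.

Rules follow the SameSite definitions in draft-ietf-httpbis-rfc6265bis:
  - Strict: never sent on a cross-site request.
  - Lax:    sent on a cross-site request only when it is a top-level
            navigation using a "safe" HTTP method (GET or HEAD).
  - None:   sent on any request (modern browsers also require Secure).
"""

SAFE_METHODS = {"GET", "HEAD"}


def cookie_sent(samesite, method, cross_site, top_level):
    """Return True if a cookie with the given SameSite value is attached."""
    samesite = samesite.lower()
    if not cross_site:
        return True  # same-site requests are never restricted by SameSite
    if samesite == "strict":
        return False
    if samesite == "lax":
        return top_level and method.upper() in SAFE_METHODS
    if samesite == "none":
        return True
    raise ValueError(f"unknown SameSite value: {samesite!r}")


# How the OIDC authorization response reaches the relying party (RP):
#   form_post: the IdP serves an auto-submitting HTML form -> cross-site POST
#   query / fragment: the IdP issues a 302 back to the RP -> cross-site GET
RESPONSE_MODE_METHOD = {
    "form_post": "POST",
    "query": "GET",
    "fragment": "GET",
}


def oidc_callback_has_cookie(response_mode, samesite):
    """Does the RP's session/correlation cookie reach the OIDC callback?

    The callback is always a top-level navigation originating from the IdP's
    site, so only the HTTP method differs between response modes.
    """
    method = RESPONSE_MODE_METHOD[response_mode]
    return cookie_sent(samesite, method, cross_site=True, top_level=True)


def parse_samesite(set_cookie_header):
    """Extract the SameSite attribute value from a Set-Cookie header.

    Returns "None" when the attribute is absent or has no value; the model
    treats that as unrestricted (browser defaults have since moved toward Lax).
    """
    for part in set_cookie_header.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        if name.lower() == "samesite":
            return value.strip() or "None"
    return "None"


if __name__ == "__main__":
    # Constructed header resembling a session cookie set with SameSite=Lax
    header = ".AspNetCore.Session=abc123; path=/; samesite=lax; httponly"
    samesite = parse_samesite(header)
    for mode in RESPONSE_MODE_METHOD:
        sent = oidc_callback_has_cookie(mode, samesite)
        print(f"response_mode={mode:<10} cookie reaches callback: {sent}")
```

With a Lax cookie, `form_post` arrives as a cross-site POST and the cookie stays behind, so the RP cannot match its correlation state and the sign-in fails; `query` arrives as a cross-site GET, the cookie is sent, and the check passes. Keeping SameSite=Lax and changing only the response mode therefore preserves the cross-site request protection that the comment warns against dropping.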