[Webkit-unassigned] [Bug 219150] Safari does not allow first-party JS cookie to be set after SSO flow

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 19 23:44:35 PST 2020


https://bugs.webkit.org/show_bug.cgi?id=219150

--- Comment #4 from Lukas Röllin (Swisscom) <lukas.roellin at swisscom.com> ---
Hi John

Ok, yes I did indeed do an experiment to check the interactions, but it didn't work.

Yes, you are correct. Regarding the top frame, you're talking about iframes etc.? We do not employ any of those.

Two things to note:
- Our app is an SPA
- We can use Chrome on Mac, or Safari 13 on Mac (Mojave) fine, as some counterpoints. 

1. User goes to our page, clicks on login button
2. User is sent to SSO flow (via window.open(ssoSite, '_self'))
3. SSO flow eventually calls us back with the credentials necessary for us to log him in (sends the user to a specified URL)
4. We use those against our backend, and get a session token (valid in our backend's realm) back
5. We store that session token via document.cookie, among other similar tokens

These are not stored.

If, however, you swap steps 1-3 with a hidden form where the devs can enter a session token directly, and swap step 4 with a simplified step of simply checking the validity, it works (the cookies are stored). Note that in this case, the user never leaves our page.

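As an added example that is not part of the bug report or of WebKit: the tail of the flow described above (steps 4 and 5), written so that the SPA reads document.cookie back after writing it rather than assuming the session token was stored. The function names and the fake document used to run it outside a browser are assumptions.

```javascript
// Added example (not from the bug report). Names below and the fake
// document are assumptions so the code can run under Node.

// Step 5: the string written to document.cookie for the session token.
// Secure and SameSite=Lax are the attributes a first-party session
// cookie set by page script should carry.
function buildSessionCookie(name, token, maxAgeSeconds) {
  return `${name}=${encodeURIComponent(token)}; Path=/; ` +
         `Max-Age=${maxAgeSeconds}; Secure; SameSite=Lax`;
}

// Parse the "a=1; b=2" form that reading document.cookie returns.
function parseCookieString(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(';')) {
    const [k, ...rest] = part.trim().split('=');
    if (k) jar.set(k, decodeURIComponent(rest.join('=')));
  }
  return jar;
}

// Write the token, then read document.cookie back. Returns true only if
// the browser kept the write; false is the "These are not stored" case,
// which the SPA should treat as a failed login rather than proceed.
function storeSessionToken(doc, name, token) {
  doc.cookie = buildSessionCookie(name, token, 3600);
  return parseCookieString(doc.cookie).get(name) === token;
}

// Constructed stand-in for a browser document. `accept` models whether
// the browser keeps a document.cookie write or silently drops it.
function fakeDocument(accept) {
  const jar = new Map();
  return {
    set cookie(str) {
      if (!accept) return;                 // write is dropped
      const [nameValue] = str.split(';');  // attributes are not stored
      const [k, ...rest] = nameValue.trim().split('=');
      jar.set(k, rest.join('='));
    },
    get cookie() {
      return [...jar].map(([k, v]) => `${k}=${v}`).join('; ');
    },
  };
}
```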