SameSite=None is always set on OpenIdConnect nonce cookie regardless if request is insecure
lyubomirr opened this issue · 10 comments
Recently, I've upgraded the Microosft.Owin.Security.OpenIdConnect
package in order to accomodate the new samesite changes. The problem I have is that the nonce cookie SameSite mode is always set to None
, even on http. This makes the browser ignore the cookie.
Can you elaborate why the implementation is like that? Is it possible for insecure requests to set the SameSite mode Lax for example, or export an option in the OpenIdConnectAuthenticationOptions
to choose the mode, or maybe even a delegate which dynamically choses your SameSite mode?
Im open to contribute if needed.
SameSite=None is required for almost all OIDC flows, which means https & secure are now required as well. An OIDC sign-in should have been using HTTPS in the past to prevent cookie highjacking, but now the browsers are forcing you to use https.
In the particular use case i'm using the implicit flow and I wanted to be able to use it also under http, because you can use the system in your own server in your own local network and didn't want to force https. But if its not possible, then I will try just to override it myself.
I run into this issue when hosting my oidc client web app on localhost using plain http not https. I guess this use case is quite common while developing a web app and launching the app directly from visual studio.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
None requires the Secure attribute in latest browser versions
OpenIdConnectAuthenticationHandler already checks for Request.IsSecure when setting the Secure flag. The handler should also check Request.IsSecure when setting the SameSite=None flag.
I'd like to suggest a simple fix. Replace
SameSite = SameSiteMode.None
with
SameSite = Request.IsSecure ? SameSiteMode.None : default
In the following two locations
@psteniusubi That's my suggestion too.
@psteniusubi SameSite=None is required for the default OIDC flows. Disabling it isn't going to work. For local testing you either need to use https or to disable the same site restrictions in Chrome via chrome://flags/
.
Local https testing is quite easy in IIS Express.
There are valid use cases that do work with the default SameSite=Lax policy for the nonce cookie.
For example OIDC authorization code flow using top-level redirects and http get method will work with SameSite=Lax policy for all cookies.
SameSite=Lax policy is not sufficient when there is an embedded resource such as iframe or a top-level redirect with http post method.
All of this is only partially relevant. Currently the browser rejects the nonce cookie because the combination of cookie flags are invalid when web app is hosted on http and not https. This invalid combination of flags is the error I'm asking to fix.
Sorry, I should have prefaced this discussion with a few points:
- This project is not in active development. We make only critical security and compatibility fixes here. All feature development has moved to ASP.NET Core.
- While we do take some community PRs, there are currently no scheduled releases in which to ship those changes.
- We advise that all authentication flows use HTTPS regardless of other considerations like development, intranets, etc..
- We already decided against making the same change in ASP.NET Core because of our HTTPS guidance. We're unlikely to make a change in this project that isn't forwards compatible with ASP.NET Core.
Your best option at the moment is to customize the behavior through the OpenIdConnectAuthenticationOptions.CookieManager
extensibility hook, that lets you adjust cookie parameters before they're written out.
Ok, thank you. That's good to know.