Allow setting cookie domain for the transactionCookie separately from session cookie
Closed this issue · 1 comment
Checklist
- I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
- I have looked into the API documentation and have not found a suitable solution or answer.
- I have searched the issues and have not found a suitable solution or answer.
- I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- I agree to the terms within the Auth0 Code of Conduct.
Describe the problem you'd like to have solved
In a setup where https://site.company.com redirects to the https://login.company.com login page (e.g. login.company.com is an Auth0 tenant custom domain), in Safari at least the auth_verification cookie can be dropped (likely due to Safari ITP) in the authorization code flow between the redirect and the callback (response_mode query), as Safari may interpret the redirect from https://login.company.com to https://site.company.com/callback as a cross-site request.
This results in the quite infamous "checks.state argument is missing" error in the callback handler.
Describe the ideal solution
A potential solution would be to allow setting the cookie domain for the transaction cookie separately from the session cookie domain.
In a site.company.com -> login.company.com type of setup you may not want to also expose the session cookie to the top-level domain company.com. But it should fix the ITP issues if the auth_verification cookie is set on the company.com domain.
Alternatives and current workarounds
You can set the cookie domain, but it also changes the session cookie domain.
Another, somewhat more crafty workaround that we have thought of but not yet implemented:
app.get('/login', async (req, res) => {
  // Start the login flow; this sets the auth_verification cookie and redirects.
  await res.oidc.login({
    returnTo: '/profile',
    authorizationParams: {
      redirect_uri: 'http://localhost:3000/callback',
    },
  });
  const cookie = res.getHeader('Set-Cookie');
  // Store the auth_verification cookie to Redis as a backup with state as key.
  // Replace the cookie in callback handling from Redis if not present in the request.
});
Additional context
Any workaround ideas or comments on those mentioned above would also be appreciated.
Closing the issue. This was a configuration issue where the http -> https redirect was not working correctly in Safari.
So the issue was reproducing in an authorization code flow:
http://site.company.com -> https://login.company.com -> https://site.company.com/callback
where the auth_verification cookie was being dropped.
In the correct flow from https://site.company.com -> https://login.company.com -> https://site.company.com/callback the issue does not reproduce in Safari.
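The closing comment traces the dropped auth_verification cookie to a login flow that started from http://site.company.com because the http -> https redirect was not taking effect. The example below is added here and is not code from the issue or from express-openid-connect: an Express-style middleware that forces the https entry point before the OIDC middleware runs, so the authorization code flow always begins on https://site.company.com. The constant CANONICAL_HOST, the trustProxy option and the function names are assumptions of this example; the host name comes from the issue. The redirect target is built from the configured host, never from the incoming Host header, so a forged Host header cannot turn the redirect into an open redirect.

```javascript
// Added example (not from the issue or express-openid-connect): enforce the
// https entry point so the login flow never starts from http://site.company.com
// and the auth_verification cookie is set and sent on a secure origin.

// Canonical https host. Hostname taken from the issue; the constant is ours.
const CANONICAL_HOST = 'site.company.com';

// Determine the scheme the browser used. Behind a TLS-terminating proxy the
// app sees plain http, so X-Forwarded-Proto is honoured only when trustProxy
// is set, i.e. only when the header cannot be supplied by the client directly.
function requestScheme(req, trustProxy) {
  if (trustProxy) {
    const fwd = req.headers['x-forwarded-proto'];
    if (fwd) return fwd.split(',')[0].trim().toLowerCase();
  }
  return req.secure || (req.socket && req.socket.encrypted) ? 'https' : 'http';
}

// Return the https URL to redirect to, or null when the request is already
// https and no redirect is needed. Path and query are preserved so a
// /login?returnTo=... request still lands on the same route.
function httpsRedirectTarget(req, trustProxy = false) {
  if (requestScheme(req, trustProxy) === 'https') return null;
  const path = req.originalUrl || req.url || '/';
  return `https://${CANONICAL_HOST}${path}`;
}

// Express-compatible middleware. Mount it before auth() from
// express-openid-connect so the OIDC routes only ever run over https.
function enforceHttps({ trustProxy = false } = {}) {
  return function (req, res, next) {
    const target = httpsRedirectTarget(req, trustProxy);
    if (target) {
      // 308 preserves the method and body; a 301/302 would let a POST
      // silently become a GET on the https side.
      res.statusCode = 308;
      res.setHeader('Location', target);
      res.end();
      return;
    }
    next();
  };
}

// Usage (assumes Express and express-openid-connect are installed):
//   const express = require('express');
//   const { auth } = require('express-openid-connect');
//   const app = express();
//   app.use(enforceHttps({ trustProxy: true })); // true only behind your own proxy
//   app.use(auth({ baseURL: 'https://site.company.com', /* ... */ }));
```

With trustProxy left at false, a client-supplied X-Forwarded-Proto: https header is ignored and the request is still redirected, which is the safe default when the app is reached directly.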