-
Notifications
You must be signed in to change notification settings - Fork 350
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Login fail with SameSite Cookie + iframe (i.e. MS Team Tab) #361
Comments
@ylbillyli Can you confirm that this works expected when the SameSite flags are turned off? Can you also confirm that syncing your cookie without a samesite attribute value breaks your login? This cookie should not be affected by SameSite because it's being set by the client-side (SameSite only affects those cookies created by the server). |
@stevehobbsdev Yes, I can confirm that it works perfectly with SameSite flags turned off Sorry about my bad wording, my fix does not actually "sync" the cookie. As you can see form above screenshot, there are two domains, one form MS Teams and one from ngrok to my localhost. This cookie One possible reason SameSite flag plays a role here maybe due to how MS Team embed my app and handle the auth flow in an embedded way. MS Team might also handle cookie differently. As you can see two domains in above screenshot, any chance that the cookie under the ngrok domain was being read by MS Team domain onbehave of my app then passed to my app when accessed via the Let me surface more info, when my web app is embedded in MS Team and triggering the auth flow via Microsoft Teams JavaScript client SDK. By calling I believe fixing line 21 to use local storage or update |
In that case, the workaround here might to just call Furthermore, in the current beta (
Try the above workaround of calling |
We are also experiencing a similar issue. Given I am logged in user and if I reload/revisit the app I see blank page for a minute or so with logs showing that SameSite should be none as a warning below and we get 400 response from the authorize endpoint. After a minute it makes a call to get oauth token which succeeds and lets the app through.
As mentioned in the previous comment, we have updated the react-spa file to look like this at the initialisation step.
On debugging we found that the code fails on createAuth0Client step itself. We are using a react spa, can you please help. |
@venku It's likely there are two separate issues here:
Please check out that page and figure out if your configuration is correct and you're no longer having to wait 60 seconds. If that works, and you're able to sign-in silently just fine then 1) is not an issue either. @ylbillyli Please let me know if you are continuing to have issues after implementing my suggestion, and we can get this issue closed. |
@stevehobbsdev this issue appears to be resolved with |
@grutt This is something we're adding as an option for developers that they can use provided they understand the risks of doing so, where the default mode of storage will continue to be in-memory. When using local storage, there is indeed a risk of having tokens stolen through a successful XSS attack, but that risk is not entirely mitigated by using the in-memory option either. When the beta moves into the stable branch, we will have guidance available that will help you to make a decision about which mode of storage to use in order to meet your own needs, whilst keeping you informed of the security challenges around your choice. |
@ylbillyli Closing this for now - if you have anything further you'd like us to investigate here, please feel free to continue. |
@stevehobbsdev right, I see. I was more comfortable with in-memory when assessing Auth0 as a vendor. In this case, I'm not entirely happy with the dump into localstorage as a solution. I appeared to be calling |
@grutt Regarding your concerns over in-memory vs. local storage, it's entirely optional and you must opt-in to using local storage in accordance with your requirements.
We have just merged into It hasn't made its way into the beta yet, but I expect that to happen this week. |
Description
Reproduction
chrome://flags/#same-site-by-default-cookies
, enable this option and click the Relaunch buttonEXPECT to login successfully
ACTUAL my app says I am logged out
Potential Root Cause
Tracing the code found that the
createAuth0Client
function usesstorage.ts
to check forClientStorage.get('auth0.is.authenticated')
and theClientStorage
useses-cookie
library to store this value on successful login.My Workaround
I have to save this flag to localStorage and then on app start, manually sync this value to
es-cookie
using sameSite=None and secure flag, i.e.before calling the
createAuth0Client
and now it seems to work fine.The cookie looks like this after my changes
The text was updated successfully, but these errors were encountered: