Angular-oauth2-oidc: Info around Chrome's SameSite Cookie Changes and changes you may need to your Authentication server

Created on 25 Dec 2019  路  5Comments  路  Source: manfredsteyer/angular-oauth2-oidc

This is not a bug or an issue on this client side library itself, but will still have high impact for many people using the silent token refresh.

Please read this:
https://www.thinktecture.com/identity/samesite/prepare-your-identityserver/

Chrome will soon (February 2020) change its default behavior of handling cookies. In the future it will require the SameSite flag to be set explicitly to None and the Secure flag to be set too, to allow the cookie to be added to certain cross-site requests. If you do that, common versions of Safari will barf about that.

To make sure all browsers are happy, you set all of the affected cookies to Secure and SameSite=None, and then you add a cookie policy (code shown above) that can override these settings and remove the SameSite flag again for browsers that don't interpret the None value correctly.

There will be two options:

  1. Authentication server vendor will fix this.
  2. Or the projects have to fix this - depending on the used solution.

This issue serves as an announcement for the period around the changes in Chrome, so we can direct any possible duplicate issues here.

announcement
Source
picture JohannesHoppe

Most helpful comment

That's a good solution. Happy New Year! 馃巻

picture JohannesHoppe on 31 Dec 2019
🎉2

All 5 comments

Hi Johannes,

can we do sth. about this in our library? For me it looks like this needs to be adjusted on server side/ in the auth server, right?

Best wishes,
Manfred

manfredsteyer picture manfredsteyer on 31 Dec 2019

Correct. But I would add some disclaimer in the README, to avoid unnecessary issues.

JohannesHoppe picture JohannesHoppe on 31 Dec 2019

A disclaimer to the README could be, but I guess this issue itself can also serve as a good point for folks to channel their questions and to close possible duplicate issues.

I've taken the liberty to reword your title and original post slightly @JohannesHoppe so the top level post clearly describes (as Manfred mentions) that this issue is here as an announcement, and for people to share anything around this issue for so far it relates to the library itself.

Otherwise, there are no apparent changes to be made to this client side library for the samesite changes to Chrome.

jeroenheijmans picture jeroenheijmans on 31 Dec 2019
👍2

That's a good solution. Happy New Year! 馃巻

JohannesHoppe picture JohannesHoppe on 31 Dec 2019
🎉2

Seems things went over pretty smoothly, without too many questions about samesite stuff in this issues list. Let's close the announcement (we'd still have it to point at if people do come up with fresh issues).

jeroenheijmans picture jeroenheijmans on 18 Feb 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

jeroenheijmans picture jeroenheijmans  路  4Comments
Swissbite picture Swissbite  路  4Comments
CharlyRipp picture CharlyRipp  路  3Comments
godhar picture godhar  路  3Comments
uzzafar picture uzzafar  路  4Comments