
We have two SPA applications, which interact with the same IdentityProvider. We implemented the oidc-client and SSO worked fine. Now we recognized that silent authentication is not working if third-party cookies are blocked, which is a big problem.

Browsers like Safari and Firefox already block third-party cookies by default. What is the recommended way to do session management and access token management in a SPA application?

We don't want users to log in again if the session on the IdentityProvider is still active (the session is active for 14 days with a sliding expiration).

What are my options?

  • Can you confirm that the issue is that the authentication cookie for your identity server is not being sent in a silent sign in scenario? – mackie Aug 16 '19 at 12:48
  • Cookies on the IDP don't play any part if you are using "silent refresh" aka refresh_token to get new access_tokens. – Vidmantas Blazevicius Aug 16 '19 at 15:56
  • 1
    @VidmantasBlazevicius you don't use refresh tokens in an SPA - it's a prompt=none authorize endpoint request in an iframe and thus requires the authentication cookie. – mackie Aug 16 '19 at 16:00
  • Yeah, good point, I should have read the post more carefully. I think this kinda breaks Implicit Flow's silent authentication means, to be honest. I could see trying to identify if third-party cookies are enabled/disabled and at least prompting the user to let him know of the repercussions to be a reasonable approach maybe... – Vidmantas Blazevicius Aug 16 '19 at 16:05
  • @mackie I can confirm that. I think there is no way to handle this in the front channel. We try now the following approach: https://leastprivilege.com/2019/01/18/an-alternative-way-to-secure-spas-with-asp-net-core-openid-connect-oauth-2-0-and-proxykit/ – user11934885 Aug 20 '19 at 15:37
  • @user11934885 out of interest, what have you put in place that breaks this (supported) process? – mackie Aug 20 '19 at 17:05

1 Answer

Based on the comments on the OP and having experimented a bit... If I set the auth cookie to SameSite=Lax then iframe-based silent calls do not work but top-level redirects are not affected. Therefore SameSite=Lax breaks OIDC and thus it's necessary to have a comprehensive CSRF solution in place instead if you wish to use the standard client side pattern.

mackie