
I am using the auth code flow with PKCE.

I am using the OIDC JS library in the frontend, making calls to ADFS to get an auth code and then calling my backend API. The backend API calls the ADFS server to get the access token and returns the token to the frontend as a cookie. I can see the cookie in the response headers, but that cookie is not stored in the browser and is not added to subsequent requests. I have tried SameSite in all modes (Lax, None, Strict and not set). Is this an issue with the OIDC JS library, or is it blocking the cookies from being stored in the browser?

Update: Below are my observations and analysis. Since oidc-client-js does not have an option to set the "withCredentials" flag to true for its requests, no cookies are sent with the request and response cookies are ignored for cross-origin requests. This change is marked as an enhancement and is still not completed in their GitHub repo: https://github.com/IdentityModel/oidc-client-js/issues/1062

Is there any way to achieve this with this library, or with any other OIDC JS libraries?

https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials

1 Answer

So you are issuing a cookie from an API domain that is a sibling of the WEB domain:

  • web.mycompany.com
  • api.mycompany.com
  • Cookie domain = .mycompany.com

POSSIBLE CAUSES FOR COOKIE BEING DROPPED

Maybe it is the withCredentials flag, or maybe it is due to a lack of a user gesture, since the user has not done anything explicit to navigate to api.mycompany.com, such as a browser navigation or clicking a link?

FORCING WITHCREDENTIALS

You can override the prototype like this in order to add the withCredentials property. This is a little hacky, but you could limit usage based on the URL, and it should let you know whether setting withCredentials resolves your problem:

// Keep a reference to the original open() and wrap it so every request is sent with credentials.
const open = XMLHttpRequest.prototype.open;
XMLHttpRequest.prototype.open = function (method, url, ...rest) {
    open.call(this, method, url, ...rest);
    // withCredentials must be set before send(); setting it inside open() is early enough.
    this.withCredentials = true;
};

PROXYING VIA WEB DOMAIN WILL HAVE FEWER COOKIE ISSUES

In my blog post I do something similar to proxy messages containing a refresh token. I use the web's exact domain, though, rather than an API subdomain. This will never be impacted by browser restrictions.

Gary Archer
  • Yes, for example my front end is web.example.com and the API is api.example.com. In this case both are under the same domain. Yes, they are different subdomains, but when I mark my domain with ".example.com", it should be working. I have tried it and it is working as expected. The only issue is when the calls are made from oidc-client-js, since the library does not mark the requests with "withCredentials = true"; otherwise the browser ignores response cookies and does not send any cookies with the request. – Jaikrishnan Oct 27 '20 at 10:27
  • OK - updated my answer with a workaround you could use - interested to see if this fixes your issue. – Gary Archer Oct 27 '20 at 23:14
  • Yes, that works. Thanks a lot for your time. Just one thing I want to know: is this good practice, and does it cause any performance or other issues? – Jaikrishnan Oct 29 '20 at 09:10
  • It's a last-resort option to unblock yourself - hopefully at some point the library authors will provide an extensibility point, such as allowing you to override the OIDC token client class - you can then remove the hack. – Gary Archer Oct 29 '20 at 13:40
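The following is an added example, not code from the answer above or from oidc-client-js. It shows the two halves that both have to be in place for a cookie set by a cross-origin API to survive in the browser: on the client, the XHR patch from the answer scoped to an allow-list of origins (so the hack does not leak credentials to every third-party request) with a way to undo it; on the server, the CORS response headers the API must return once credentials are sent (an exact origin rather than "*", plus Access-Control-Allow-Credentials: true). The origins https://web.example.com and https://api.example.com, the FakeXMLHttpRequest stand-in and the demo() function are all assumptions made so the code runs offline in Node; in a browser you would pass the real XMLHttpRequest.

```javascript
// Added example (not from the answer or from oidc-client-js).
// Assumed origins: https://web.example.com (page) and https://api.example.com (API).

// ---- browser side ----------------------------------------------------------
// Wraps xhrCtor.prototype.open so that withCredentials is set only for requests
// whose origin is on the allow-list. Returns a function that removes the patch.
function installWithCredentials(xhrCtor, allowedOrigins, pageBaseUrl) {
  const originalOpen = xhrCtor.prototype.open;
  const allowed = new Set(allowedOrigins);
  xhrCtor.prototype.open = function (method, url, ...rest) {
    originalOpen.call(this, method, url, ...rest);
    let origin = null;
    try {
      // Resolve relative URLs against the page so "/api/x" is classified correctly.
      origin = new URL(String(url), pageBaseUrl).origin;
    } catch (_) {
      origin = null; // unparsable URL: leave withCredentials untouched
    }
    if (origin !== null && allowed.has(origin)) {
      // Must be set before send(); inside open() is early enough.
      this.withCredentials = true;
    }
  };
  return function restore() {
    xhrCtor.prototype.open = originalOpen;
  };
}

// Minimal stand-in for the browser's XMLHttpRequest (constructed for this
// example so it runs in Node). It only records what open() received.
class FakeXMLHttpRequest {
  constructor() {
    this.withCredentials = false;
    this.opened = null;
  }
  open(method, url, async = true) {
    this.opened = { method, url, async };
  }
}

// ---- server side -----------------------------------------------------------
// CORS headers the API must return for a credentialed cross-origin request.
// Browsers reject "*" when credentials are included, so the exact requesting
// origin is echoed back, and only when it is on the allow-list. Returns null
// (send no CORS headers) for any other origin.
function corsHeadersForCredentialedRequest(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return null;
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // the response differs per origin, so caches must key on it
  };
}

// Demonstrates the scoped client patch: a request to the API origin gets
// withCredentials, a request to an unrelated host does not, and after restore()
// the prototype behaves as before.
function demo() {
  const restore = installWithCredentials(
    FakeXMLHttpRequest, ['https://api.example.com'], 'https://web.example.com/');

  const toApi = new FakeXMLHttpRequest();
  toApi.open('GET', 'https://api.example.com/session');

  const toOther = new FakeXMLHttpRequest();
  toOther.open('GET', 'https://cdn.example.net/lib.js');

  restore();
  const afterRestore = new FakeXMLHttpRequest();
  afterRestore.open('GET', 'https://api.example.com/session');

  return {
    apiWithCredentials: toApi.withCredentials,        // true
    otherWithCredentials: toOther.withCredentials,    // false
    afterRestoreWithCredentials: afterRestore.withCredentials, // false
  };
}
```

Two practical notes. First, web.example.com and api.example.com are the same site as far as SameSite is concerned, so SameSite is not what blocks the cookie here; the XHR's credentials mode is, which is why trying every SameSite value made no difference in the question. Second, once withCredentials is on, the API's CORS response must carry the exact origin and Access-Control-Allow-Credentials: true as built by corsHeadersForCredentialedRequest, or the browser will discard the response (and its Set-Cookie) even though the request was sent.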