SameSite cookie config not respected by skipSilentLogin cookie

[andreasenberg]

Describe the problem

An application embedded within an iframe gets stuck in a redirect loop when attempting to do silent log in and user is not logged in at IDP.

The issue seems to be related to the fact that the skipSilentLogin cookie is missing a same site attribute and thus is defaulted to Lax by the browser. As the application is embedded within an iframe this cookie will be blocked and not sent to the application backend causing another silent log in attempt.

What was the expected behavior?

Silent log in should be attempted once and not on subsequent page requests.

I was expecting the skipSilentLogin cookie to honor the sameSite attribute from config.session.cookie.sameSite. That is unless there is a good reason not to, if so help me understand why.

I've forked the repository myself to see if changes to pickup the sameSite config for skipSilentLogin will solve this issue and it seems to be the case.

Reproduction

A reproduction would look something like this

1. Have an application embedded within an iframe, in our case this is an app embedded within Teams.
2. Make sure the user is not logged in at the IDP (as this will trigger additional attempts to log in)
3. Access the application in a way that would trigger a silent log in and where it should end up on the same path after log in.
4. Observe the redirects from the page in 3) -> auth endpoint (for silent log in) -> callback with error (as user is not logged in)
5. A too many redirects error will be shown in the browser.

Environment

• Version of this library used: 2.5.2
• Any other relevant information you think would be useful: Issue detected in Chrome Version 97.0.4692.71 but I suspect all Chrome versions where SameSite is defaulted to Lax will result in this behaviour.

[antonhedstrom]

+1

[linuws]

Yes, this would be great to get in place! Can we get a PR up with the mentioned fix in the original issue or do we have any other input from the core maintainers of the project? Thanks

[adamjmcgrath]

Hi @linuws @antonhedstrom @andreasenberg

Have raised a pr #317

You can test it out by installing npm i "auth0/express-openid-connect#iframe-skip-silent-login"

[linuws]

Hi @adamjmcgrath and thank you very much for looking into this. I have testet and verified that it worked. I can see the settings being present in the cookie and there is no redirect-loop anymore. 👍

[adamjmcgrath]

Great - thanks @linuws! Once #317 is merged I'll do a release and update this thread.

[andreasenberg]

Hi @adamjmcgrath. Thank you for looking into this, appreciate it! Looking forward to that release! 🙂

Thanks @linuws for your help testing the provided fix.

[adamjmcgrath]

No problem - this got released in https://github.com/auth0/express-openid-connect/releases/tag/v2.6.0