Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add SameSite support #39

Merged
merged 7 commits into from
Dec 3, 2019
Merged

Add SameSite support #39

merged 7 commits into from
Dec 3, 2019

Conversation

joshcanhelp
Copy link
Contributor

@joshcanhelp joshcanhelp commented Nov 21, 2019
edited
Loading

Description

When merged, this PR will add SameSite cookie support for required authentication values. Both the nonce (checked against the value in the ID token during callback) and state (checked against the value returned from the authorization server during callback) values will move from session storage to cookie storage. This allows a SameSite attribute of None to be added, as well as a Secure flag, when the response_type of form_post is used (this is the default configuration).

By default, a legacy support cookie with no SameSite attribute and no Secure flag will be set as well (this can be turned off with the legacySameSiteCookie attribute passed to the auth() configuration). This is done to support browsers that do not handle SameSite cookies set to None but has the added benefit of allowing insecure local applications to function without SSL/TLS in the interim.

Please note: The browser changes unexplained in the Web.dev article below will require all applications (including local ones) using the response_mode of form_post (default for this library) to be served over HTTPS.

Changes to follow

There are a few more changes that need to happen in this library to fully support SameSite. These will come in [a] separate PR[s]:

  • This library should not require session management to be setup by developers. Instead, we will use our own internal session, which will be cookies by default but configurable. This authentication session will use SameSite=Lax and will not provide a public API to change/add.
  • We will continue using separate cookies for the transient state and nonce values (as introduced here).
  • We need to add support for max_age (have an internal task tracking that).

References

Web.dev: SameSite cookies explained

Testing

  • This change adds test coverage for new/changed/fixed functionality

Checklist

  • All active GitHub checks for tests, formatting, and security are passing

@joshcanhelp joshcanhelp added this to the v0.6.0 milestone Nov 21, 2019
@joshcanhelp joshcanhelp added the review:medium Medium review label Nov 22, 2019
@joshcanhelp joshcanhelp marked this pull request as ready for review November 22, 2019 00:35
@joshcanhelp joshcanhelp requested a review from a team November 22, 2019 20:04
@stevehobbsdev stevehobbsdev requested review from stevehobbsdev and removed request for a team November 28, 2019 10:16
@stevehobbsdev
Copy link

@joshcanhelp Would like to pair with you on this review if that's ok.

stevehobbsdev
stevehobbsdev approved these changes Dec 3, 2019
View reviewed changes
Copy link

@stevehobbsdev stevehobbsdev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Liking the new changes :)

@joshcanhelp joshcanhelp merged commit 7050ffc into auth0:master Dec 3, 2019
@joshcanhelp joshcanhelp deleted the add-samesite-support branch December 3, 2019 21:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stevehobbsdev stevehobbsdev stevehobbsdev approved these changes

Assignees
No one assigned
Labels
CH: Added review:medium Medium review
Projects
None yet
Milestone
v0.6.0
Development

Successfully merging this pull request may close these issues.
2 participants
@joshcanhelp @stevehobbsdev