Add SameSite attribute to the OAuth2 state cookie #112

dghubble · 2022-11-26T05:46:51Z

Add SameSite to the CookieConfig to allow configuring the SameSite attribute on the temporary state cookie used by OAuth2
Set strict mode on the DefaultCookieConfig
Set none mode on the DebugOnlyCookieConfig

* Add a SameSite field to the CookieConfig to allow configuring the SameSite attribute on the temporary state cookie used by OAuth2 * Set lax mode on the DefaultCookieConfig and DebugOnlyCookieConfig * Generally, we can't use SameSite strict for the OAuth2 temporary state cookie. Strict cookies are not sent in the requests to the callback handler because the redirect chain originated with a redirect to another domain (e.g. github, google), which is considered the referrer. Instead, lax mode must be used * Increase the temporary cookie max age from 1m to 10m to allow users longer to complete the authorization flow (e.g. login to a provider, maybe complete 2FA, review permissions, grant permission) Rel: * https://www.nogginbox.co.uk/blog/strict-cookies-not-sent-by-request * https://bugzilla.mozilla.org/show_bug.cgi?id=1453814

dghubble force-pushed the same-site branch 3 times, most recently from ead1be7 to c0ad713 Compare January 7, 2023 22:22

dghubble force-pushed the same-site branch from c0ad713 to b718922 Compare January 7, 2023 22:23

dghubble merged commit b718922 into main Jan 7, 2023

dghubble deleted the same-site branch January 7, 2023 22:26

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add SameSite attribute to the OAuth2 state cookie #112

Add SameSite attribute to the OAuth2 state cookie #112

dghubble commented Nov 26, 2022

Add SameSite attribute to the OAuth2 state cookie #112

Add SameSite attribute to the OAuth2 state cookie #112

Conversation

dghubble commented Nov 26, 2022