
Honor configured sameSite in transient cookies so you can login to iframe using 'none' #571

Merged
merged 1 commit into main from transient-samesite on Jan 6, 2022

Conversation

adamjmcgrath
Contributor

@adamjmcgrath adamjmcgrath commented Jan 6, 2022

Description

Honor the SameSite configuration (which defaults to 'lax') when setting the transient nonce/state cookies.

This will allow users to log in to iframes over https when using the AUTH0_COOKIE_SAME_SITE config set to 'none'.

References

Same as auth0/express-openid-connect#188
fixes #541

Testing

Tested by logging in to auth0 from an iframe in https://codepen.io/adamjmcgrath/pen/bGoKBMW

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not main
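The PR description above boils down to one rule: the transient state/nonce cookies must carry whatever SameSite value the cookie config asks for, and a 'none' value only works when the cookie is also Secure (browsers discard SameSite=None cookies that are not Secure, and a Lax cookie is never sent with the callback request when the page lives in a cross-site iframe, which is how the state ends up missing). The following is an added example, not nextjs-auth0's own code; the function names, the config field names (`sameSite`, `secure`, `maxAge`) and the sample state/nonce values are hypothetical and constructed for illustration.

```javascript
// Added example (not nextjs-auth0's own code): build the Set-Cookie
// header for a transient state/nonce cookie so that the configured
// sameSite value is honored instead of a hard-coded Lax.
// All names here (serializeTransientCookie, transientCookiesFor,
// sentInCrossSiteIframe, the config fields) are hypothetical.

const SAME_SITE = { lax: 'Lax', strict: 'Strict', none: 'None' };

function serializeTransientCookie(name, value, options = {}) {
  const key = String(options.sameSite ?? 'lax').toLowerCase();
  const sameSite = SAME_SITE[key];
  if (!sameSite) {
    throw new TypeError(`unsupported sameSite value: ${options.sameSite}`);
  }
  // Browsers drop SameSite=None cookies that are not Secure, so refuse a
  // configuration that asks for 'none' over plain http rather than emit a
  // cookie the browser will silently discard.
  if (sameSite === 'None' && options.secure === false) {
    throw new Error("sameSite 'none' requires secure cookies (https)");
  }
  const secure = sameSite === 'None' || options.secure === true;
  const attrs = [
    `${name}=${encodeURIComponent(value)}`,
    'Path=/',
    `Max-Age=${options.maxAge ?? 3600}`,
    'HttpOnly',
    `SameSite=${sameSite}`,
  ];
  if (secure) attrs.push('Secure');
  return attrs.join('; ');
}

// Parse a Set-Cookie header back into a plain object (attribute names
// lower-cased, flag attributes set to true) so it can be inspected.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split('; ');
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: decodeURIComponent(pair.slice(eq + 1)),
  };
  for (const attr of rest) {
    const i = attr.indexOf('=');
    if (i === -1) cookie[attr.toLowerCase()] = true;
    else cookie[attr.slice(0, i).toLowerCase()] = attr.slice(i + 1);
  }
  return cookie;
}

// Both transient cookies a login handler would set, built from one
// cookie config object so they can never disagree on SameSite.
function transientCookiesFor(cookieConfig, state, nonce) {
  return [
    serializeTransientCookie('state', state, cookieConfig),
    serializeTransientCookie('nonce', nonce, cookieConfig),
  ];
}

// Would a browser attach this cookie to the callback request when the
// page runs inside a cross-site iframe? Only SameSite=None plus Secure.
function sentInCrossSiteIframe(cookie) {
  return cookie.samesite === 'None' && cookie.secure === true;
}

// Constructed sample: the default (Lax) config next to the
// AUTH0_COOKIE_SAME_SITE=none config the PR enables.
const defaultCfg = { secure: true };
const iframeCfg = { sameSite: 'none', secure: true };
for (const cfg of [defaultCfg, iframeCfg]) {
  for (const h of transientCookiesFor(cfg, 'constructed-state', 'constructed-nonce')) {
    console.log(h, '-> sent in cross-site iframe:', sentInCrossSiteIframe(parseSetCookie(h)));
  }
}
```

Running it prints the two header pairs; only the `SameSite=None; Secure` pair reports as sent in a cross-site iframe, which is the difference between the callback finding its state cookie and the "state argument is missing" failure. Rejecting 'none' with `secure: false` up front is deliberate: a silently discarded cookie produces the same missing-state error, but at a point that is much harder to trace back to the config.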

@adamjmcgrath adamjmcgrath added the review:small Small review label Jan 6, 2022
@adamjmcgrath adamjmcgrath requested a review from a team as a code owner January 6, 2022 10:27
@vercel

vercel bot commented Jan 6, 2022

This pull request is being automatically deployed with Vercel (learn more).
To see the status of your deployment, click below or on the icon next to each commit.

🔍 Inspect: https://vercel.com/auth0/nextjs-auth0/49Jo6WCjoszgAb3qZmm5ewwpWAd7
✅ Preview: Canceled

@adamjmcgrath adamjmcgrath merged commit d3cfc71 into main Jan 6, 2022
@adamjmcgrath adamjmcgrath deleted the transient-samesite branch January 6, 2022 11:15
@adamjmcgrath adamjmcgrath mentioned this pull request Jan 6, 2022
@richardscarrott

I'm guessing this doesn't solve the issue for browsers which now disable 3rd party cookies, e.g. Chrome in incognito and Safari 🤔?

@adamjmcgrath
Contributor Author

@richardscarrott - for login to work with Safari's ITP (or Chrome Incognito) you'd need to use Custom Domains (in these cases the default Lax SameSite would suffice).

@richardscarrott

@adamjmcgrath thanks for the reply, we're actually already using custom domains, however we want users to be able to log in within our Shopify app, whereby our site is rendered in an iframe within the Shopify admin site so our domain is still considered 3rd party.

I don't suppose you know if Auth0 has any cookie-less solutions to login?

@adamjmcgrath
Contributor Author

Hi @richardscarrott

We don't recommend this flow except for highly trusted applications, but if your app is in a 3rd party iframe and you need to support Safari, you have little choice but the resource owner password grant (see https://auth0.com/docs/get-started/authentication-and-authorization-flow/resource-owner-password-flow).

Successfully merging this pull request may close these issues:

  • Checks.state argument is missing when trying to sign in inside an IFrame