1 vote

We have two SPA applications which interact with the same IdentityProvider. We implemented the oidc-client and SSO worked fine. Now we have recognized that silent authentication is not working if third-party cookies are blocked, which is a big problem.

Browsers like Safari and Firefox already block third-party cookies by default. What is the recommended way to do session management and access token management in a SPA application?

We don't want users to log in again if the session on the IdentityProvider is still active (the session is active for 14 days with a sliding expiration).

What are my options?

Can you confirm that the issue is that the authentication cookie for your identity server is not being sent in a silent sign-in scenario? – mackie

Cookies on the IdP don't play any part if you are using "silent refresh", aka refresh_token, to get new access_tokens. – Vidmantas Blazevicius

@VidmantasBlazevicius you don't use refresh tokens in an SPA - it's a prompt=none authorize endpoint request in an iframe and thus requires the authentication cookie. – mackie

Yeah, good point, I should have read the post more carefully. I think this kinda breaks Implicit Flow's Silent Authentication, to be honest. I could see trying to identify if third-party cookies are enabled/disabled and at least prompting the user to let him know of the repercussions to be a reasonable approach maybe... – Vidmantas Blazevicius

@mackie I can confirm that. I think there is no way to handle this in the front channel. We are now trying the following approach: leastprivilege.com/2019/01/18/… – user11934885

1 Answer

0
votes

Based on the comments on the OP and having experimented a bit... If I set the auth cookie to SameSite=Lax, then iframe-based silent calls do not work, but top-level redirects are not affected. Therefore SameSite=Lax breaks OIDC silent renew, and thus it's necessary to have a comprehensive CSRF solution in place instead if you wish to use the standard client-side pattern.
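To make the behaviour described in the question (silent authentication failing once third-party cookies are blocked) and in the answer (SameSite=Lax breaking the iframe-based prompt=none call but not top-level redirects) concrete, here is an added example that is not code from the question, the answer or oidc-client. It is a small model of the browser's decision whether to attach the IdP's session cookie to a request, applied to the two ways an SPA reaches the authorize endpoint: a hidden-iframe prompt=none request and a top-level signinRedirect. It goes beyond the answer by also covering SameSite=None and SameSite=Strict and the browser-level third-party cookie blocking the question mentions. The cookie name `idp.session`, the function names and the context fields are all assumptions made for the example.

```javascript
// Added example, not from the original post or from oidc-client.
// Models when a browser attaches the IdP's session cookie and what that
// means for a prompt=none (silent) authorize request.

// A session cookie as the IdP might set it. `sameSite` is "None", "Lax" or "Strict".
// The cookie name is an assumed value for this example.
function idpSessionCookie(sameSite) {
  return { name: "idp.session", sameSite, secure: true };
}

// Request context as the browser sees it when deciding whether to attach cookies:
//  - crossSite: the initiating site (the SPA) is a different site than the IdP
//  - topLevel: true for a top-level navigation, false for a subresource such as an iframe
//  - method: HTTP method of the request
//  - thirdPartyCookiesBlocked: browser privacy setting (e.g. Safari / Firefox defaults)
function cookieWouldBeSent(cookie, ctx) {
  if (!ctx.crossSite) return true; // same-site requests carry the cookie for any SameSite value
  // Third-party cookie blocking drops cookies in cross-site *embedded* contexts;
  // a top-level navigation makes the IdP first-party again, so it is not affected.
  if (ctx.thirdPartyCookiesBlocked && !ctx.topLevel) return false;
  switch (cookie.sameSite) {
    case "Strict":
      return false; // never sent on a cross-site request
    case "Lax":
      return ctx.topLevel && ctx.method === "GET"; // only safe-method top-level navigations
    case "None":
      return cookie.secure; // SameSite=None is only honoured together with Secure
    default:
      throw new Error(`unknown SameSite value: ${cookie.sameSite}`);
  }
}

// The two ways oidc-client reaches the authorize endpoint (both cross-site GETs).
const SILENT_RENEW = { crossSite: true, topLevel: false, method: "GET" }; // hidden iframe, prompt=none
const TOP_LEVEL_REDIRECT = { crossSite: true, topLevel: true, method: "GET" }; // signinRedirect()

// A prompt=none request only succeeds if the IdP can see its session cookie;
// otherwise it answers with error=login_required and no tokens.
function silentAuthOutcome(cookie, ctx) {
  return cookieWouldBeSent(cookie, ctx) ? "tokens_issued" : "error=login_required";
}

// Outcome of each flow for every SameSite value, with and without third-party cookie blocking.
function outcomeTable() {
  const rows = [];
  for (const sameSite of ["None", "Lax", "Strict"]) {
    for (const blocked of [false, true]) {
      const cookie = idpSessionCookie(sameSite);
      rows.push({
        sameSite,
        thirdPartyCookiesBlocked: blocked,
        silentRenew: silentAuthOutcome(cookie, { ...SILENT_RENEW, thirdPartyCookiesBlocked: blocked }),
        topLevelRedirect: silentAuthOutcome(cookie, { ...TOP_LEVEL_REDIRECT, thirdPartyCookiesBlocked: blocked }),
      });
    }
  }
  return rows;
}

console.table(outcomeTable());
```

Running it prints one row per combination. The Lax rows reproduce the answer: silent renew in the iframe gets `error=login_required` while the top-level redirect still gets tokens. The None rows show the question's problem: even a correctly configured SameSite=None; Secure cookie is dropped from the iframe request once the browser blocks third-party cookies, so silent renew fails for a reason the IdP configuration cannot fix, which is why the comments point to a back-channel approach instead.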