Chrome plans to implement the new secure-by-default model for cookies with Chrome 80 in February 2020. Now I am testing all our applications that might be affected.
For authentication/authorization we use oidc-client (on UI) and IndentityServer on backend.
The workflow is the following:
request:
POST http://my_identity_server/api/authenticate {userName, password}
response:
Set-Cookie: idsrv=abc
{"redirectUrl":"http://my_identity_server/connect/authorize/callback?client_id=MyApplication&response_type=id_token token&scope=openid"}
request
http://my_identity_server/connect/authorize/callback?client_id=MyApplication&response_type=id_token token&scope=openid" Cookie: idsrv=abc
response:
302 Location: http://myApplication/#id_token=123&access_token=456&token_type=Bearer
request
http://myApplication/#id_token=123&access_token=456&token_type=Bearer
When application is loaded, Oidc-client adds IFrame to do silentRenew that actually sends additional requests
GET http://my_identity_server/connect/authorize?client_id=MyApplication&response_type=id_token token&prompt=none Cookie: idsrv=abc
What I don't understand why this last requests indide IFrame include idsrv cookie? The request is done inside an IFrame and it's definitely a third-party cookie. If I switch SameSite setting to "Strict" everything works as expected, cookies are not send.
If someone can explain me the case or suggest some ideas to check, would be nice! thank you!
