Closed kunalkankariya closed 4 years ago
Hi @kunalkankariya.
When the hidden iframe is loaded with the source as the authorization server's endpoint, login.microsoftonline.com, in our case, why isn't it able to access cookies that were set by the same domain earlier when third party cookies are blocked?
The iframe is trying to read cookies that were set by the same domain right?
Cookies can be read and set either in a first-party context, i.e. where the domain is loaded in the top frame or a pop-up, or in a third-party context, i.e. inside an iframe embedded in a page from a different domain. Privacy protection features such as Safari ITP prevent those cookies from being shared (i.e. cookies set for a given domain in a first-party context are not available when that domain is used in a third-party context).
You may find our docs on handling Safari ITP, the MDN docs on HTTP Cookies, and the Webkit blog on Privacy helpful.
Which cookie is that specifically (ESTSAUTHPERSISTENT, ESTSAUTH)? Is it a combination?
We use a few different cookies to track login state (such as the ones you list here).
Thanks @technical-boy
cookies set for a given domain in a first-party context are not available when that domain is used in a third-party context
The domain opened inside the iframe (third-party context) can set cookies, right? Can these cookies be accessed by the same domain in a first-party context? (The reverse of the point above.)
@kunalkankariya no, cookie storage is segmented. This means third-party cookie access is blocked for both scenarios.
@technical-boy Thank you!
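As an added illustration of the "cookie storage is segmented" answer above (example code, not from the issue or the MSAL library), the following JavaScript models a cookie jar keyed by both the top-level site and the cookie's host, which is what third-party cookie blocking effectively does, and contrasts it with an unpartitioned jar. The app host name app.example is assumed; login.microsoftonline.com and ESTSAUTH are the names from the thread.

```javascript
// Minimal model of browser cookie storage. With third-party cookie blocking
// (Safari ITP and similar), cookies are partitioned by the top-level site, so
// login.microsoftonline.com gets one jar when it is the top frame (first-party)
// and a separate jar when it is framed by the app (third-party).
class CookieJar {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.jars = new Map(); // jar key -> Map(cookie name -> value)
  }
  key(topLevelSite, cookieHost) {
    // Partitioned: one jar per (top-level site, host). Unpartitioned: one jar per host.
    return this.partitioned ? `${topLevelSite}|${cookieHost}` : cookieHost;
  }
  // Set a cookie for `cookieHost` while the top frame shows `topLevelSite`.
  set(topLevelSite, cookieHost, name, value) {
    const k = this.key(topLevelSite, cookieHost);
    if (!this.jars.has(k)) this.jars.set(k, new Map());
    this.jars.get(k).set(name, value);
  }
  // Cookies visible to `cookieHost` while the top frame shows `topLevelSite`.
  get(topLevelSite, cookieHost) {
    return Object.fromEntries(this.jars.get(this.key(topLevelSite, cookieHost)) ?? []);
  }
}

// Walks through the two scenarios raised in the thread.
function simulate(thirdPartyCookiesBlocked) {
  const idp = "login.microsoftonline.com"; // authorization server (from the thread)
  const app = "app.example";               // SPA hosting the hidden iframe (assumed name)
  const jar = new CookieJar(thirdPartyCookiesBlocked);

  // 1. Interactive sign-in via popup/redirect: the IdP is the top-level site.
  jar.set(idp, idp, "ESTSAUTH", "session-token");

  // 2. Hidden iframe for silent renewal: the IdP is framed by the app.
  //    When blocked, the first-party session cookie is simply not there.
  const seenByIframe = jar.get(app, idp);

  // 3. The framed IdP sets a cookie in the third-party partition ...
  jar.set(app, idp, "framed", "1");
  // ... which, when blocked, is not visible once the IdP is opened first-party again.
  const seenByPopup = jar.get(idp, idp);

  return { seenByIframe, seenByPopup };
}
```

`simulate(true)` reproduces the blocked behaviour in both directions; `simulate(false)` shows why silent renewal works when third-party cookies are allowed.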
Library
msal@1.3.4
Description
I need some clarification on scenarios where third-party cookies are blocked in the implicit flow.
When the hidden iframe is loaded with the source as the authorization server's endpoint, login.microsoftonline.com, in our case, why isn't it able to access cookies that were set by the same domain earlier when third party cookies are blocked?
The iframe is trying to read cookies that were set by the same domain right?
Does third-party cookie blocking only block incoming cookies from a different domain, or does it also prevent the iframe from accessing any cookies (irrespective of the domain, same or not)?
Also, when the attempt to silently authenticate fails, the browser opens the login popup and uses a cookie to indicate the session is alive. Which cookie is that specifically (ESTSAUTHPERSISTENT, ESTSAUTH)? Is it a combination?
Thank you so much in advance :)