OrchardCMS / OrchardCore

Orchard Core is an open-source modular and multi-tenant application framework built with ASP.NET Core, and a content management system (CMS) built on top of that framework.
https://orchardcore.net
BSD 3-Clause "New" or "Revised" License

Consider using the default same-site mode in the OpenID module #6033

Closed kevinchalet closed 4 years ago

kevinchalet commented 4 years ago

To allow SPAs to use silent authorization requests (i.e. prompt=none requests sent in an iframe), the OpenID module currently disables the same-site feature, which would otherwise prevent the Orchard authentication cookie from being sent as part of the iframe request.

This works well and was until now the recommended way for SPAs to get new access tokens without using refresh tokens. Unfortunately, this approach will soon be impossible, due to major browsers now banning third-party cookies:

We should consider removing the same-site logic and encourage SPAs to use refresh tokens, which is consistent with what other actors in the industry are heading to: https://auth0.com/blog/securing-single-page-applications-with-refresh-token-rotation/

rneto commented 1 year ago

For those who cannot currently deal with a secure token refresh flow in SPAs, another alternative might be to host Orchard Core CMS and the SPA in a same-site environment like spa.web.dev and orchard.web.dev.
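Added example, not code from the OrchardCore project or from either commenter: a small model of the browser rules that decide whether a session cookie accompanies an iframe request, covering the three situations raised in this thread (SameSite=None with third-party cookies allowed, third-party cookies blocked, and same-site hosting with the default Lax mode). It assumes a simplified "registrable domain = last two DNS labels" rule instead of a Public Suffix List lookup; hostnames and the authorize path are constructed.

```javascript
// Schemeful "site" of a URL: scheme + registrable domain.
// Assumption: registrable domain is the last two labels (no Public Suffix List).
function site(url) {
  const u = new URL(url);
  const registrable = u.hostname.split(".").slice(-2).join(".");
  return `${u.protocol}//${registrable}`; // e.g. "https://example.com"
}

function isSameSite(initiatorUrl, targetUrl) {
  return site(initiatorUrl) === site(targetUrl);
}

// cookie:  { sameSite: "None" | "Lax" | "Strict", secure: boolean }
// request: { initiator, target, method, topLevelNavigation, thirdPartyCookiesBlocked }
function cookieWouldBeSent(cookie, request) {
  // Same-site requests carry the cookie whatever the SameSite attribute says.
  if (isSameSite(request.initiator, request.target)) return true;

  switch (cookie.sameSite) {
    case "Strict":
      return false; // never on cross-site requests
    case "Lax":
      // Lax (the default most browsers assume when the attribute is missing):
      // only top-level navigations with a safe method, so never an iframe load.
      return request.topLevelNavigation && request.method === "GET";
    case "None":
      // None must be paired with Secure; even then the cookie is a third-party
      // cookie in an iframe, which browsers that block third-party cookies drop.
      if (!cookie.secure) return false;
      return !request.thirdPartyCookiesBlocked;
    default:
      throw new Error(`unknown SameSite value: ${cookie.sameSite}`);
  }
}

// The silent-auth scenario: a hidden iframe on the SPA origin loads the
// authorization endpoint with prompt=none. Path below is constructed.
function silentAuthCookieSent(spaUrl, orchardUrl, thirdPartyCookiesBlocked, sameSiteMode) {
  return cookieWouldBeSent(
    { sameSite: sameSiteMode, secure: true },
    {
      initiator: spaUrl,
      target: `${orchardUrl}/connect/authorize?prompt=none`,
      method: "GET",
      topLevelNavigation: false,
      thirdPartyCookiesBlocked,
    }
  );
}
```

Running the scenario for a cross-site SPA shows the cookie only travels while SameSite=None and third-party cookies are still allowed; the same-site hosting layout keeps working under Lax and with third-party cookies blocked.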