arrikto / oidc-authservice

This is a fork/refactoring of the ajmyyra/ambassador-auth-oidc project
MIT License

Add `COOKIE_SAME_SITE` option #41

Closed yhwang closed 4 years ago

yhwang commented 4 years ago

Add an option to control the SameSite attribute of the Set-Cookie response header. The default value is Strict.

yhwang commented 4 years ago

FYI @yanniszark I created this PR and then I saw yours.

animeshsingh commented 4 years ago

@yanniszark can we have someone prioritize this?

yhwang commented 4 years ago

@yanniszark it would be good to make it configurable. I am using Strict as the default value; if you prefer Lax, I can change it.

yanniszark commented 4 years ago

In addition, can you expand a bit more in your commit message? Similar to https://github.com/arrikto/oidc-authservice/pull/38:

Using a strict SameSite policy for the session cookie is sometimes too restrictive. For example, an application that is protected by the AuthService may be acting as an OIDC/OAuth client to a third-party application. In that case, the SameSite=strict policy prevents the Provider->Client auth code redirect from working, as it originates from the Provider origin.

Make the SameSite policy of the session cookie configurable and default to Lax, which allows cookies only from cross-site requests / redirects using the GET method.
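
The following is an added example, not code from oidc-authservice or from the PR. It models the trade-off described in the comment above: a `parseSameSite` helper that maps a `COOKIE_SAME_SITE`-style setting to Go's `http.SameSite` (the accepted spellings `strict`, `lax`, `none` and the fallback to Lax are assumptions of this example, as is the cookie name), a `sessionCookie` builder, and a small `cookieSent` model of the browser rules from RFC 6265bis that shows why a Strict session cookie is dropped on the Provider-to-Client auth code redirect while a Lax one survives it. The sample cookie value and the request descriptions are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// parseSameSite maps the value of a COOKIE_SAME_SITE-style setting to Go's
// http.SameSite. The accepted spellings are an assumption of this example.
// An empty value falls back to Lax, the default the thread settles on; an
// unknown value also falls back to Lax but is reported so misconfiguration
// is not silent.
func parseSameSite(v string) (http.SameSite, error) {
	switch strings.ToLower(strings.TrimSpace(v)) {
	case "", "lax":
		return http.SameSiteLaxMode, nil
	case "strict":
		return http.SameSiteStrictMode, nil
	case "none":
		return http.SameSiteNoneMode, nil
	default:
		return http.SameSiteLaxMode, fmt.Errorf("unsupported SameSite value %q, using Lax", v)
	}
}

// sessionCookie builds the session cookie with the chosen SameSite policy.
// Secure and HttpOnly are always set: browsers reject SameSite=None without
// Secure, and the session value should never be readable from script.
func sessionCookie(name, value string, sameSite http.SameSite) *http.Cookie {
	return &http.Cookie{
		Name:     name,
		Value:    value,
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
		SameSite: sameSite,
	}
}

// browserRequest holds the facts a browser uses when deciding whether to
// attach a SameSite cookie: is the request cross-site, is it a top-level
// navigation, and which HTTP method does it use.
type browserRequest struct {
	crossSite          bool
	topLevelNavigation bool
	method             string
}

// cookieSent models the SameSite rules browsers apply (RFC 6265bis):
// Strict is never sent on cross-site requests; Lax is sent on cross-site
// top-level navigations that use a safe method (GET/HEAD here); None is
// always sent, but only when the cookie is Secure. Go's SameSiteDefaultMode
// (attribute omitted) is treated as Lax, matching current browser defaults.
func cookieSent(c *http.Cookie, r browserRequest) bool {
	if !r.crossSite {
		return true
	}
	switch c.SameSite {
	case http.SameSiteStrictMode:
		return false
	case http.SameSiteNoneMode:
		return c.Secure
	default:
		safe := r.method == http.MethodGet || r.method == http.MethodHead
		return r.topLevelNavigation && safe
	}
}

func main() {
	// The Provider -> Client auth code redirect from the thread: the browser is
	// sent from the Provider's origin, via a 302, to the Client's callback URL.
	// That is a cross-site, top-level GET navigation.
	codeRedirect := browserRequest{crossSite: true, topLevelNavigation: true, method: http.MethodGet}
	// The same callback delivered with response_mode=form_post is a cross-site POST.
	formPost := browserRequest{crossSite: true, topLevelNavigation: true, method: http.MethodPost}

	for _, setting := range []string{"strict", "lax", "none"} {
		mode, err := parseSameSite(setting)
		if err != nil {
			fmt.Println("config error:", err)
		}
		// Cookie name and value are constructed for this example.
		c := sessionCookie("authservice_session", "opaque-session-id", mode)
		fmt.Printf("%-6s  Set-Cookie: %s\n", setting, c.String())
		fmt.Printf("        sent on auth code GET redirect: %v, on form_post callback: %v\n",
			cookieSent(c, codeRedirect), cookieSent(c, formPost))
	}
}
```

Two caveats the model makes visible. First, Lax only rescues the redirect because the auth code arrives as a top-level GET; a provider configured for `response_mode=form_post` delivers the callback as a cross-site POST, on which a Lax cookie is still withheld, so that deployment needs SameSite=None together with Secure (and then some other CSRF defence, since the cookie is now sent on any cross-site request). Second, the model deliberately gives an explicit `SameSite=Lax` and does not reproduce Chrome's temporary exception that lets recently set cookies with no SameSite attribute ride along on top-level POSTs; relying on that behaviour is not a configuration.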

yanniszark commented 4 years ago

Finally, can you rebase to latest master?

yhwang commented 4 years ago

I also rebased.

yanniszark commented 4 years ago

Merged! Thanks a lot @yhwang

yhwang commented 4 years ago

thank YOU!