fedwiki / wiki-server

Federated Wiki client and server in Node.js

cookie sameSite: 'strict' causes failure of OAuth2 authentication #158

Status: Closed (ig3 closed this issue 2 years ago)

ig3 commented 4 years ago

The introduction of sameSite: 'strict' on session cookies in commit 4d4d3456ac4bd722061795d3b8dde4d06df538dd is causing failure of OAuth2 based authentication using the Authorization Code Flow.

I am seeing this in my customization of wiki-security-passportjs, which authenticates to Office 365 / Azure AD via OAuth2, but this is modelled after what was done for GitHub and Google and, while I haven't tested them, I suspect they too will be affected.

The failure occurs using both Firefox 75.0 and Chromium 80.0.3987.163.

If I change sameSite from 'strict' to 'lax' in wiki-server/lib/server.coffee, then authentication via OAuth2 to Office 365 works.

This Auth0 post describes the situation, though in the context of browser changes rather than this recent commit to wiki-server.

I haven't found an alternative OAuth2 flow that would be compatible with sameSite being set to 'strict', but I'm not an expert in OAuth2 - maybe there is one.

Is there a possibility of changing 'strict' to 'lax'? If not, is there a recommendation how to succeed with OAuth2, with the new setting?

paul90 commented 4 years ago

I don't see a problem with using 'lax'. That Auth0 post seems to say something different from the posts I had read on the matter.

On retesting I am seeing the same behaviour, not sure why I saw different behaviour in my original testing.

The fix, switching to using 'lax', has been published as wiki-server@0.17.7.

WardCunningham commented 4 years ago

It would be good to test this with sites configured with login to view. I remember tightening up a number of things in order to get collaborative links to work in this environment.

http://ward.asia.wiki.org/login-to-view.html
http://ward.asia.wiki.org/collaborative-link.html

The New Relic company wiki hosted at my eu.wiki.org sees this usage with @dobbs and I forking each other. I will report back here if that fails to work after I upgrade that server.