markitosgv / JWTRefreshTokenBundle

Implements a Refresh Token system over Json Web Tokens in Symfony
MIT License
663 stars 159 forks source link

Support for partitioned authentication cookies #367

Closed EmilePerron closed 10 months ago

EmilePerron commented 1 year ago

Hey folks!

With the upcoming phasing-out of third-party cookies by Chromium (and, I expect, other browser vendors in the near future), I think it would be useful to add support for Partitioned authentication cookies in this library.

Some applications embed widgets (or even their entire application!) on other sites in a legitimate way. In these cases, their authentication cookies are usually set with SameSite=None, and considered as third-party cookies by browsers. The upcoming phase-out will therefore break any such application... unless they switch to partitioned cookies (see Google's docs on CHIPS - Cookies Having Independent Partitioned State).

Symfony has added support for Partitioned Cookies in version 6.4 (which will be released by the end of the month). This means that this library could fairly easily be updated to also allow this option, by simply adding an additional configuration option, which defaults to the current behavior (not partitioned).

Here is what an example configuration for an application in this context could look like, once this is implemented:

gesdinet_jwt_refresh_token:
    # ...

    cookie:
        enabled: true
        same_site: none
        path: /auth/refresh
        domain: null
        http_only: true
        secure: true
        partitioned: true       # <--- new option
        remove_token_from_body: true

If the maintainers do not have any objections, I could get to work on a PR for this, as we do have a need for this in a project that I am currently working on (in order to give us a bit of peace of mind regarding the upcoming phase out 😅).

Let me know if you have any questions, objections or feedback! Cheers!