Closed SethCaparelli closed 2 years ago
I'm having this issue even without this flag
https://github.com/okta/okta-oidc-js/issues/271#issuecomment-979457358
Thanks for reporting this @SethCaparelli. Internal Ref: OKTA-448945
The reason an error is being thrown is that using sameSite=strict in this configuration breaks the OIDC flow. This article does a good job explaining, but essentially strict prevents the cookie with the authentication info from being returned to the server.
Here is some additional info
I believe the reason you're experiencing intermittent issues with Chrome is that, as of version 80, Chrome has changed the default behavior of cookies with regard to secure and sameSite. More Info on Chrome changes
Microsoft had warned back in January that sites and applications that rely on OpenID-based federation could be affected by the SameSite change. There were updates to .NET to support the new SameSite attribute. Enterprise IT administrators should have made changes to how the cookies are being handled by now to avoid issues with single sign-on and internal applications.
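To make the point above concrete, here is an added example (not code from this issue or from okta-oidc-js) that models the browser's SameSite cookie rules and runs the authorization-code redirect through them. The session key `oidc:https://example.okta.com`, the state/nonce values, the host names and the `query` versus `form_post` response modes are assumptions made for the example:

```javascript
// Added example: a small model of browser SameSite cookie rules applied to the
// OIDC authorization-code redirect. It is not part of the Okta issue or the
// okta-oidc-js project; host names, session keys and values are constructed.

// Decide whether a browser attaches a cookie to a request.
//   cookie:  { sameSite: "strict" | "lax" | "none" | undefined, secure: boolean }
//   request: { crossSite: boolean, topLevel: boolean, method: string, https: boolean }
// Rules modelled: Strict is never sent cross-site; Lax is sent cross-site only on
// top-level navigations with a safe method (GET/HEAD); None is sent everywhere
// but is rejected unless Secure; a missing attribute is treated as Lax (the
// Chrome 80+ default). Secure cookies are only sent over HTTPS.
function cookieSentOn(cookie, request) {
  if (cookie.secure && !request.https) return false;
  const mode = (cookie.sameSite || "lax").toLowerCase(); // Chrome 80+: unset => Lax
  if (!request.crossSite) return true;                   // same-site: always sent
  switch (mode) {
    case "strict":
      return false;
    case "lax":
      return request.topLevel && ["GET", "HEAD"].includes(request.method);
    case "none":
      return cookie.secure;                              // None without Secure is rejected
    default:
      return false;
  }
}

// Model of the express-session + oidc-middleware flow discussed on this page:
//  1. GET /login on the app (same-site) stores state/nonce in the session and
//     sets the session cookie, then redirects the browser to the IdP.
//  2. The IdP, on a different site, redirects the browser back to
//     /authorization-code/callback. That is a cross-site top-level navigation:
//     a GET for the default "query" response mode, a POST for "form_post".
//  3. The callback handler can only validate state if the session cookie
//     came back with that request.
// Returns what the callback handler would see.
function simulateOidcCallback(sessionCookie, responseMode = "query") {
  // Constructed session content, as stored by the login step.
  const session = { "oidc:https://example.okta.com": { state: "abc", nonce: "n1" } };
  const callback = {
    crossSite: true,
    topLevel: true,
    method: responseMode === "form_post" ? "POST" : "GET",
    https: true,
  };
  const hasSession = cookieSentOn(sessionCookie, callback);
  return hasSession
    ? { ok: true, authRequest: session["oidc:https://example.okta.com"] }
    : { ok: false, error: "did not find expected authorization request details in session" };
}

// Cookie settings compared. `strict` is the reporter's configuration; `unset`
// is a cookie with no SameSite attribute at all.
const strict = { httpOnly: true, secure: true, sameSite: "strict" };
const lax    = { httpOnly: true, secure: true, sameSite: "lax" };
const none   = { httpOnly: true, secure: true, sameSite: "none" };
const unset  = { httpOnly: true, secure: true };

for (const [name, c] of Object.entries({ strict, lax, none, unset })) {
  console.log(
    name.padEnd(6),
    "query:", simulateOidcCallback(c).ok,
    "form_post:", simulateOidcCallback(c, "form_post").ok
  );
}
```

With `strict` the callback arrives without the session cookie, so the middleware cannot find the state it stored before redirecting to Okta, which is exactly the error in the report. `lax` is enough for the default query response mode because the callback is a top-level GET, but not for `form_post`, which needs `SameSite=None; Secure`. The `unset` case models Chrome 80+, which treats a missing attribute as Lax; older browsers and other engines treated a missing attribute as None, which is one reason behaviour differs across browsers.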
Hi @jaredperreault-okta .... thanks for the info, but the article you linked suggests that there is something that can be done to circumvent this ... that the OIDC flow itself isn't necessarily broken ... just that the existing flow is broken. Auth0 says "we got you covered". Just checking: is there an update to the specific Okta implementation of the flow that can be done to accommodate? Any tweaks to this lib that allow some other means of validating the response/state?
As already mentioned, if you’re a customer of Auth0, then be sure we’ve got you covered. We already have changes in progress on the service side to get rid of those pesky Javascript console warnings.
We’re also going through our SDK libraries, reviewing their use of cookies and making sure we update those that need to be updated well before this change goes into effect for regular users. So, again, be sure to check and update your SDKs periodically and be on the lookout for any advisories in their README and CHANGELOG as well as your Auth0 Dashboard Notifications for any actions required.
Hey, did anyone get the solution yet? Also wanted to know if using CookieSession will help here. @mbyrne00 @joearanbayev-okta please let me know if you guys have a solution for the above error.
My configs are:

app.js:

```js
import express from "express";
import expressSession from "express-session";
import oidc from "./oktaMiddleware/oktaConfig.js";

// The post does not show where `logger` comes from; console stands in here.
const logger = console;

const app = express();

// Middleware
app.use(express.json());
app.use(
  expressSession({
    secret: process.env.EXPRESS_SECRET_KEY, // Replace with a strong secret key
    resave: true,
    saveUninitialized: false,
  })
);

// OIDC setup
oidc.on("ready", () => {
  logger.info("Okta OIDC middleware is ready");
});

oidc.on("error", (err) => {
  logger.error("Okta OIDC middleware error", err);
});

app.use(oidc.router);
```

Okta is instantiated in a different folder like:

```js
import oidcMiddleware from "@okta/oidc-middleware";

const oidc = new oidcMiddleware.ExpressOIDC({
  issuer: process.env.OKTA_ISSUER_ID,
  client_id: process.env.OKTA_CLIENT_ID,
  client_secret: process.env.OKTA_CLIENT_SECRET,
  redirect_uri: process.env.OKTA_REDIRECT_URI,
  appBaseUrl: process.env.OKTA_BASE_URL,
  scope: "openid profile email",
  routes: {
    loginCallback: {
      path: "/authorization-code/callback",
      defaultRedirect: "/profile",
    },
  },
  post_logout_redirect_uri: process.env.OKTA_REDIRECT_URI,
});

export default oidc;
```
I'm submitting a:
Current behavior
When setting "Same-Site"="Strict" on the session cookie, the following error is thrown:
```
Error: did not find expected authorization request details in session, req.session["oidc:https://wpp.okta.com"] is undefined
    at /usr/src/app/node_modules/openid-client/lib/passport_strategy.js:126:13
    at OpenIDConnectStrategy.authenticate (/usr/src/app/node_modules/openid-client/lib/passport_strategy.js:174:5)
    at attempt (/usr/src/app/node_modules/passport/lib/middleware/authenticate.js:366:16)
    at authenticate (/usr/src/app/node_modules/passport/lib/middleware/authenticate.js:367:7)
    at Layer.handle [as handle_request] (/usr/src/app/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/usr/src/app/node_modules/express/lib/router/index.js:317:13)
    at /usr/src/app/node_modules/express/lib/router/index.js:284:7
    at Function.process_params (/usr/src/app/node_modules/express/lib/router/index.js:335:12)
    at next (/usr/src/app/node_modules/express/lib/router/index.js:275:10)
    at SessionStrategy.strategy.pass (/usr/src/app/node_modules/passport/lib/middleware/authenticate.js:343:9)
```
The issue occurs randomly in Chrome, but consistently in Safari and Firefox.
Expected behavior
No error thrown when setting session cookie "Same-Site" = "strict".
Minimal reproduction of the problem with instructions
Set the following session:

```js
session({
  secret: "SECRET",
  resave: false,
  saveUninitialized: false,
  cookie: { httpOnly: true, secure: true, sameSite: "strict" },
})
```
Extra information about the use case/user story you are trying to implement
Environment
node -v: v14.17.5