oxctl / spring-security-lti13

An LTI 1.3 implementation for Spring Security that builds on the OAuth2 support
Apache License 2.0

Safari (version 13.1.2) "prevent cross-site tracking" breaking lti sign-in flow #2

Closed leweii closed 3 years ago

leweii commented 4 years ago

In Safari (version 13.1.2), if I toggled "prevent cross-site tracking", I got two different session IDs in the auth filters (OAuth2LoginAuthenticationFilter, OAuth2AuthorizationRequestRedirectFilter), and it leads to the OIDC login flow failing.

leweii commented 4 years ago

A good solution is to put the session in the header instead of cookies: https://docs.spring.io/spring-session/docs/current/reference/html5/#httpsession-rest

leweii commented 4 years ago

Another proposal is to use the nonce as the identifying key to trace the flow.

buckett commented 4 years ago

Yeah, I was thinking about using the nonce to trace the flow; we are seeing people on Safari 13.1.2 unable to use LTI 1.3 tools because of the blocked cookies.
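The two proposals above (correlate the OIDC initiation and the callback by a value carried in the request itself rather than by the session cookie) map onto a Spring Security extension point. The default `HttpSessionOAuth2AuthorizationRequestRepository` stores the pending `OAuth2AuthorizationRequest` in the `HttpSession`, which is exactly what breaks when Safari refuses the cookie between the redirect filter and the login filter. The added example below, which is not code from spring-security-lti13 or from Spring, is an `AuthorizationRequestRepository` that keys the pending request by the OIDC `state` parameter instead. `state` is chosen over the nonce because the platform sends it back as a plain form/query parameter on the callback, whereas the nonce only arrives inside the signed `id_token`; the stored request still carries the nonce attribute, so Spring's OIDC validation of the `nonce` claim against it is unchanged. It assumes Spring Security 5.x with the `javax.servlet` API, and the in-memory map stands in for a shared store (Redis, a database) in a multi-node deployment.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.oauth2.client.web.AuthorizationRequestRepository;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;

/**
 * Added example, not part of spring-security-lti13: keeps the pending authorization
 * request server-side, keyed by its "state" value, so the OIDC flow survives a browser
 * that drops the session cookie between the redirect and the callback.
 *
 * Security properties this relies on (see the usage note):
 *  - "state" must be unguessable; Spring generates it from a secure random source.
 *  - entries are single-use and expire after TTL, since without the cookie the state
 *    value is the only thing binding the callback to the flow that started it.
 */
public class StateKeyedAuthorizationRequestRepository
        implements AuthorizationRequestRepository<OAuth2AuthorizationRequest> {

    /** How long a login may take between the redirect to the platform and the callback. */
    private static final Duration TTL = Duration.ofMinutes(5);

    private static final class Entry {
        final OAuth2AuthorizationRequest request;
        final Instant expiresAt;

        Entry(OAuth2AuthorizationRequest request, Instant expiresAt) {
            this.request = request;
            this.expiresAt = expiresAt;
        }

        boolean expired() {
            return Instant.now().isAfter(expiresAt);
        }
    }

    // Placeholder for a shared store; a ConcurrentHashMap only works on a single node.
    private final Map<String, Entry> pending = new ConcurrentHashMap<>();

    @Override
    public OAuth2AuthorizationRequest loadAuthorizationRequest(HttpServletRequest request) {
        String state = request.getParameter(OAuth2ParameterNames.STATE);
        if (state == null) {
            return null;
        }
        Entry entry = pending.get(state);
        if (entry == null) {
            return null;
        }
        if (entry.expired()) {
            pending.remove(state);
            return null;
        }
        return entry.request;
    }

    @Override
    public void saveAuthorizationRequest(OAuth2AuthorizationRequest authorizationRequest,
                                         HttpServletRequest request,
                                         HttpServletResponse response) {
        // Spring passes null to signal "discard the pending request".
        if (authorizationRequest == null) {
            removeAuthorizationRequest(request, response);
            return;
        }
        evictExpired();
        pending.put(authorizationRequest.getState(),
                    new Entry(authorizationRequest, Instant.now().plus(TTL)));
    }

    // Single-argument form: abstract in Spring Security 5.x, absent in 6.x, so it is
    // declared without @Override to compile against either.
    public OAuth2AuthorizationRequest removeAuthorizationRequest(HttpServletRequest request) {
        String state = request.getParameter(OAuth2ParameterNames.STATE);
        if (state == null) {
            return null;
        }
        // remove() makes the entry single-use: a replayed callback finds nothing.
        Entry entry = pending.remove(state);
        return (entry == null || entry.expired()) ? null : entry.request;
    }

    @Override
    public OAuth2AuthorizationRequest removeAuthorizationRequest(HttpServletRequest request,
                                                                 HttpServletResponse response) {
        return removeAuthorizationRequest(request);
    }

    private void evictExpired() {
        pending.entrySet().removeIf(e -> e.getValue().expired());
    }
}
```

With the stock `oauth2Login()` DSL this is wired in through `authorizationEndpoint().authorizationRequestRepository(...)`; how spring-security-lti13 itself registers its filters is not shown in this thread, so that part is an assumption. Two caveats follow from moving correlation out of the cookie: the `state` value becomes the sole proof that the callback belongs to the flow that started it, so it must stay unguessable and must never be logged or echoed; and since nothing else expires the entry, the TTL and the single-use `remove()` are what stop a captured callback from being replayed later.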