Gwyn Howell

Reputation: 5424

Chrome 97 - Cookie not setting from Office 365 OAuth callback

I have an app that has been running for years with no changes to the code. The app has OAuth 2.0 login with a variety of providers including Google Workspace and Office 365. Since the launch of Chrome v97 (i.e. in the last few days), the O365 login has stopped working, as for some reason the auth cookie does not get set in the OAuth callback GET handler. The code that sets the cookie is the same code that is run for Google Workspace, yet that works. It also works on Firefox. Something about Google Chrome v97 is preventing cookies from being set, but only if it round-trips to O365 first.

To isolate the issue, I have created a fake callback which manually sets a cookie, thereby removing all of the auth complication. If I call this by visiting the URL in a browser, then the cookie sets as expected. Yet if I perform the O365 OAuth dance first, which in turn invokes this URL, then the cookie does not get set. Try exactly the same thing with Google Workspace and it works.

I have been debugging this for hours and hours and am clean out of ideas.

Can anyone shed any light on what could be causing this odd behaviour?

Upvotes: 12

Views: 2042

Answers (3)

Jagan

Reputation: 431

Using the SimpleSAMLphp library (v1.19 and above), we need to set samesite.cookie to 'None' and secure.cookie to true to resolve the issue. This issue was noticed on the recent Chrome/Chromium upgrade to v97.

// config/config.php (SimpleSAMLphp): mark the session cookie Secure and
// SameSite=None so Chrome 97 stores it on the cross-site OAuth/SAML callback
'session.cookie.secure' => true,
'session.cookie.samesite' => \SimpleSAML\Utils\HTTP::canSetSameSiteNone() ? 'None' : null,

This will set the SameSite flag on cookies to "None" in the Chrome browser and the "Secure" flag on cookies.

Upvotes: 3

jbarnes

Reputation: 86

Can confirm adding SameSite=none worked for me as well.

For anyone seeing this issue in a .NET Core Identity app, make sure you are configuring the ExternalCookie, not the ApplicationCookie. Here is the relevant code:

// Startup.ConfigureServices: the external sign-in cookie is the one written
// during the provider round-trip, so it is the one that needs SameSite=None
services.ConfigureExternalCookie(options =>
{
    options.Cookie.SameSite = SameSiteMode.None;
});

Upvotes: 4

kulesa

Reputation: 2964

We ran into this too; fixed by adding SameSite=None; to the auth cookie. In Chrome 97 SameSite is set to Lax if missing. See more here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Upvotes: 8
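The three answers all come down to the same change to the Set-Cookie header the callback emits. The following Python is an added example, not code from the question or any answer: it builds an auth cookie with the attributes the answers recommend (SameSite=None plus Secure, and HttpOnly because an auth cookie has no reason to be script-readable) and audits any Set-Cookie header value for the two failure modes relevant here: a missing SameSite attribute, which Chrome 97 treats as Lax, and SameSite=None without Secure, which Chrome drops entirely. The cookie name, value and lifetime are constructed sample inputs; the helper names are assumptions of this example.

```python
# Added example, not part of the question or any answer on this page.
# Builds an auth cookie that Chrome 97 will store on a cross-site OAuth
# callback, and audits Set-Cookie header values for the misconfigurations
# discussed in the thread.
from http.cookies import SimpleCookie


def build_auth_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Return the value part of a Set-Cookie header for an auth cookie.

    SameSite=None is what allows the cookie to be set when the callback
    arrives from the identity provider's site; Chrome only accepts
    SameSite=None together with Secure, so both are set.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    cookie[name]["httponly"] = True   # keep the session token away from scripts
    cookie[name]["secure"] = True     # mandatory companion of SameSite=None
    cookie[name]["samesite"] = "None"
    cookie[name]["max-age"] = max_age
    # output(header="") yields " name=value; ...", so strip the leading space
    return cookie.output(header="").strip()


def audit_set_cookie(header_value: str) -> dict:
    """Classify a Set-Cookie header value the way Chrome 97 will treat it.

    Returns a dict with the effective SameSite value, whether it was
    defaulted (absent in the header), whether Secure is present, and a
    list of human-readable problems (empty when the cookie is fine).
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    attrs = {}
    for part in parts[1:]:                     # parts[0] is name=value
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    secure = "secure" in attrs
    defaulted = "samesite" not in attrs
    # Chrome 97 treats a missing SameSite attribute as Lax (per kulesa's answer)
    samesite = "Lax" if defaulted else attrs["samesite"].capitalize()

    problems = []
    if defaulted:
        problems.append(
            "no SameSite attribute: Chrome 97 defaults it to Lax, which is "
            "what stopped the O365 callback from setting the cookie"
        )
    if samesite == "None" and not secure:
        problems.append(
            "SameSite=None without Secure: Chrome rejects the cookie outright"
        )
    if samesite not in ("None", "Lax", "Strict"):
        problems.append(f"unrecognised SameSite value {attrs['samesite']!r}")

    return {
        "samesite": samesite,
        "defaulted": defaulted,
        "secure": secure,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed sample headers: the fixed cookie and two broken variants.
    samples = [
        build_auth_cookie("auth", "sample-token"),
        "auth=sample-token; Path=/; HttpOnly",          # pre-Chrome-97 style
        "auth=sample-token; Path=/; SameSite=None",     # None without Secure
    ]
    for header in samples:
        report = audit_set_cookie(header)
        print(header)
        for problem in report["problems"] or ["ok"]:
            print("   ", problem)
```

Run it against the Set-Cookie headers your callback actually returns (copy them out of the browser's network panel or `curl -i`) rather than against the code that you believe produces them: the .NET answer above shows how easy it is to configure the wrong cookie and still see correct-looking code.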
