
[Bug] Safari 14 infinite loop on login page with default samesite lax sample

Open sander1095 opened this issue 3 years ago • 3 comments

Which version of Microsoft Identity Web are you using?

Latest version

Where is the issue?

  • Web app
    • [x] Sign-in users
    • [ ] Sign-in users and call web APIs
  • Web API
    • [ ] Protected web APIs (validating tokens)
    • [ ] Protected web APIs (validating scopes)
    • [ ] Protected web APIs call downstream web APIs
  • Token cache serialization
    • [ ] In-memory caches
    • [ ] Session caches
    • [ ] Distributed caches
  • Other (please describe)

Is this a new or an existing app? New app. Just use the example template.

Repro

// Use the example web app template for signing in users.

Expected behavior

Safari 14 should work:

  • be signed in with 2 accounts (for example, log in at the Azure portal, then log in with another account)
  • make your web app require auth on launch and single sign-out, so if you go to /, you are redirected to the MS login page. Logout must also redirect to /
  • go to your web app; you must not run it on localhost, so deploy it to an actual site.
  • choose an account to log in with.
  • log out.
  • log in with the other one. (Or rather, you are auto logged in, since only 1 MS account is still logged in and it is immediately chosen, because after logout you are brought to / again.)

I expect that you are now just logged in with the other account.

Actual behavior

You get an infinite login loop on the MS sign-in page for a while. Finally, it shows an error that logging in failed.

You are logged in again or can log in!

This works on Firefox and Chrome. Just not on Safari 14.

Possible solution

Use SameSite None but enforce other ways of protection like CSRF tokens instead.

Perhaps use SameSite Lax for browsers that do work as well.

Additional context / logs / screenshots

  • I believe this is related to SameSite Lax being the default value for the cookie being set by the web app auth, which doesn't work on Safari 14 according to my findings.

Why is lax the default?

sander1095, Aug 31 '21 20:08
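The "Possible solution" in the issue body, worked through as an added example (not the issue author's code and not part of the Microsoft.Identity.Web code base): the OpenID Connect correlation and nonce cookies are pinned to SameSite=None with Secure, state-changing POSTs are protected by antiforgery tokens instead of relying on SameSite alone, and a cookie policy callback adjusts the attribute per user agent. The `Program.cs` layout, the `SameSiteCompat` helper and its `UserAgentsWithoutSameSiteNone` list are assumptions of this example; the user-agent callback itself uses ASP.NET Core's own `CookiePolicyOptions` extension points, and the list entry is a placeholder to be filled from your own browser testing, not a statement about which browsers misbehave.

```csharp
// Program.cs for an ASP.NET Core web app that signs in users with Microsoft.Identity.Web.
// Added example, not the issue author's or the library's code.
using System;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

// Standard Microsoft.Identity.Web sign-in for a web app (reads the "AzureAd" section of appsettings.json).
builder.Services.AddMicrosoftIdentityWebAppAuthentication(builder.Configuration);

// Pin the transient OIDC cookies explicitly: the identity provider returns the sign-in response
// in a cross-site POST, so these cookies must be sent on that cross-site request (None + Secure).
builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    options.CorrelationCookie.SameSite = SameSiteMode.None;
    options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.Always;
    options.NonceCookie.SameSite = SameSiteMode.None;
    options.NonceCookie.SecurePolicy = CookieSecurePolicy.Always;
});

// Cookie policy: let each cookie keep its own SameSite value, then adjust it per user agent.
builder.Services.Configure<CookiePolicyOptions>(options =>
{
    options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
    options.OnAppendCookie = ctx => SameSiteCompat.Adjust(ctx.Context, ctx.CookieOptions);
    options.OnDeleteCookie = ctx => SameSiteCompat.Adjust(ctx.Context, ctx.CookieOptions);
});

// Antiforgery tokens protect every state-changing POST regardless of the SameSite value chosen,
// so loosening SameSite on the auth cookies does not leave cross-site requests unchecked.
builder.Services
    .AddControllersWithViews(o => o.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()))
    .AddMicrosoftIdentityUI();

var app = builder.Build();
app.UseHttpsRedirection();
app.UseCookiePolicy();      // must run before authentication so the callbacks see the auth cookies
app.UseAuthentication();
app.UseAuthorization();
app.MapControllerRoute(name: "default", pattern: "{controller=Home}/{action=Index}/{id?}");
app.Run();

// Hypothetical helper (assumption of this example): decides per request whether SameSite=None
// can be emitted as-is or must be omitted for a user agent that rejects the value.
static class SameSiteCompat
{
    // PLACEHOLDER: substrings of User-Agent values for which your own testing showed that
    // SameSite=None is mishandled. Constructed marker, not a real browser signature.
    private static readonly string[] UserAgentsWithoutSameSiteNone = { "PLACEHOLDER-UA-MARKER" };

    public static void Adjust(HttpContext http, CookieOptions cookie)
    {
        // Only cookies that asked for None (the cross-site auth cookies) are touched.
        if (cookie.SameSite != SameSiteMode.None) return;

        var ua = http.Request.Headers["User-Agent"].ToString();
        foreach (var marker in UserAgentsWithoutSameSiteNone)
        {
            if (ua.Contains(marker, StringComparison.OrdinalIgnoreCase))
            {
                // Omit the attribute entirely for this user agent rather than sending a value it rejects.
                cookie.SameSite = SameSiteMode.Unspecified;
                return;
            }
        }

        // SameSite=None is only honoured together with Secure; enforce it here as well.
        cookie.Secure = true;
    }
}
```

The downgrade target is `Unspecified` (attribute omitted) rather than `Lax`, because the correlation and nonce cookies have to travel on the cross-site POST back from the identity provider; a Lax cookie would not be sent on that request. Whether a given browser belongs on the compatibility list is something to establish by reproducing the sign-in flow on a deployed (non-localhost, HTTPS) site, as the issue's repro steps describe.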

It's currently late. If you cannot reproduce or want more info, I could post a gif of my findings and try to create a reproducible repo.

sander1095, Aug 31 '21 20:08

Any updates :)?

sander1095, Dec 25 '21 14:12

Sorry for bumping again, but I wonder if there is an update for this?

sander1095, Apr 22 '22 10:04