fusionauth-issues icon indicating copy to clipboard operation
fusionauth-issues copied to clipboard

Published 20 hours ago verified publisher icon FusionAuth

`federated.csrf` cookie is not created in some cases

Open spwitt opened this issue 8 months ago • 2 comments

federated.csrf cookie is not created in some cases

Description

The federated.csrf cookie (required for IdP logins since version 1.47.0) is not written by the /oauth2/authorize page when

  1. An idp_hint query string parameter is provided in the URL -and-
  2. All configured IdPs for the application are configured to use Managed Domains

Observed versions

1.49.2

Affects versions

>= 1.47.0

Steps to reproduce

  1. From a fresh install
  2. Create an Identity Provider with a Managed domain (see screenshot)
  3. Enable the IdP for one or more applications
  4. Navigate to the /oauth2/authorize page for the application and include the idp_hint query string parameter
  5. The user will be redirected to the IdP automatically
  6. Navigate back to the FusionAuth URL and inspect cookies
  7. There is no federated.csrf cookie written

Expected behavior

The federated.csrf cookie should be written when redirecting to an external IdP based on the idp_hint parameter.

Screenshots

image

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

spwitt avatar May 28 '24 20:05 spwitt