[Bug] Can't set SameSite=None for cross-site cookie use
Which version of Microsoft Identity Web are you using? Note that to get help, you need to run the latest version.
Microsoft Identity Web 0.1.4-preview
Where is the issue?
- Web App
- Sign-in users
- Sign-in users and call web APIs
- Web API
- Protected web APIs (Validating tokens)
- Protected web APIs (Validating scopes)
- Protected web APIs call downstream web APIs
- Token cache serialization
- In Memory caches
- Session caches
- Distributed caches
Other? Please describe: Unsure if this is a bug or just a wrong setup.
Is this a new or existing app?
I am trying to set SameSite=None for cross-site cookie use in accordance with https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1 or https://docs.microsoft.com/en-us/aspnet/core/security/samesite/rp31?view=aspnetcore-3.1. However, I can't change the default behaviour of ".AspNetCore.Cookies". I can rename the cookie using the cookieScheme parameter of AddSignIn, but if I try to alter it in any other way I get "System.InvalidOperationException: Scheme already exists: Cookies".
Repro
- Set up https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/4-WebApp-your-API/4-2-B2C in accordance with the guidelines
- Set SameSite=None for cross-site cookie use in accordance with https://docs.microsoft.com/en-us/aspnet/core/security/samesite/rp31?view=aspnetcore-3.1
- Run the client
```csharp
services.AddDistributedMemoryCache();
services.Configure<CookiePolicyOptions>(options =>
{
    // This lambda determines whether user consent for non-essential cookies is needed for a given request.
    options.CheckConsentNeeded = context => true;
    //options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
    // SAMESITE CODE START
    options.MinimumSameSitePolicy = SameSiteMode.None;
    options.Secure = CookieSecurePolicy.Always;
    // SAMESITE CODE END
    // Handling SameSite cookie according to https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1
    options.HandleSameSiteCookieCompatibility();
});
services.AddOptions();
services.AddSignIn(Configuration, "AzureAdB2C")
    // SAMESITE CODE START
    .AddAuthentication()
    // AddSignIn has already registered a cookie scheme under the default name "Cookies";
    // this AddCookie call registers a second scheme with the same name, which is the
    // call that throws "Scheme already exists: Cookies".
    .AddCookie(options =>
    {
        options.Cookie.SameSite = SameSiteMode.None;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.IsEssential = true;
    })
    // SAMESITE CODE END
    ;
// This is required to be instantiated before the OpenIdConnectOptions starts getting configured.
// By default, the claims mapping will map claim names in the old format to accommodate older SAML applications.
// 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' instead of 'roles'
// This flag ensures that the ClaimsIdentity claims collection will be built from the claims in the token
// JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
// Token acquisition service based on MSAL.NET
// and chosen token cache implementation
services.AddWebAppCallsProtectedWebApi(Configuration, new string[] { Configuration["TodoList:TodoListScope"] }, configSectionName: "AzureAdB2C")
    .AddInMemoryTokenCaches();
```
Expected behavior: Cross-site cookie use works as expected, i.e. the cookie of interest has SameSite=None and is Secure.
Actual behavior: An exception is thrown: "System.InvalidOperationException: Scheme already exists: Cookies"
Issue Analytics
- State:
- Created 3 years ago
- Comments: 5 (1 by maintainers)
Top GitHub Comments
@jmprieur: thanks for the response. As far as I can tell from that code, it ensures backward compatibility with older browsers and assumes that the cookie of interest is already set to SameSite=None. However, the default behavior for Cookie Authentication, the specific ".AspNetCore.Cookies" cookie set by the AddSignIn method in this case, is SameSite=Lax (according to https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1, also observed using the Inspect dev tool found in most browsers), and hence HandleSameSiteCookieCompatibility() doesn't work in this case.
However, I have modified the sniffing method somewhat
It is not ideal but does the job in my case. Is this now the official approach for setting the authentication cookie “.AspNetCore.Cookies” to SameSite=None?
Closing as the question was answered. See also https://github.com/AzureAD/microsoft-identity-web/wiki/SameSite-Cookies
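The following is an added example, not code from the issue author, the commenter, or the Microsoft.Identity.Web project, showing the two things the thread circles around: changing the SameSite attribute of the cookie scheme that AddSignIn already registered without calling AddCookie a second time (which is what raises "Scheme already exists: Cookies"), and an explicit user-agent compatibility hook of the kind the commenter says they modified. It assumes ASP.NET Core 3.1, the `services.AddSignIn(Configuration, "AzureAdB2C")` call as written in the issue, that AddSignIn registers its cookie scheme under the default name `CookieAuthenticationDefaults.AuthenticationScheme` ("Cookies", which is the name in the exception message), and user-agent substrings taken from the ASP.NET Core SameSite guidance the issue links to. The `AddWebAppCallsProtectedWebApi` registration from the issue is omitted because it does not affect the cookie.

```csharp
// Added example (not the issue's, the commenter's, or Microsoft.Identity.Web's own code).
// Assumptions: ASP.NET Core 3.1; Microsoft.Identity.Web 0.1.4-preview's AddSignIn as called
// in the issue; the cookie scheme name is the default "Cookies" (per the exception text).
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();

        // Registers OpenID Connect plus the "Cookies" scheme. Chaining .AddCookie() after
        // this registers the same scheme name again and throws "Scheme already exists".
        services.AddSignIn(Configuration, "AzureAdB2C");

        // Reconfigure the scheme AddSignIn already registered. Named options are additive:
        // every Configure<CookieAuthenticationOptions>("Cookies", ...) runs when the cookie
        // handler resolves its options, so no second AddCookie call is needed.
        services.Configure<CookieAuthenticationOptions>(
            CookieAuthenticationDefaults.AuthenticationScheme,
            options =>
            {
                options.Cookie.SameSite = SameSiteMode.None;             // allow cross-site sends
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // None requires Secure
                options.Cookie.IsEssential = true;                       // exempt from consent checks
            });

        // Cookie policy: do not raise SameSite above what the auth cookie asked for, and
        // downgrade None to Unspecified only for clients known to mishandle None.
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
            options.Secure = CookieSecurePolicy.Always;
            options.OnAppendCookie = ctx => CheckSameSite(ctx.Context, ctx.CookieOptions);
            options.OnDeleteCookie = ctx => CheckSameSite(ctx.Context, ctx.CookieOptions);
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseHttpsRedirection();
        app.UseRouting();
        app.UseCookiePolicy();   // must precede UseAuthentication so the hooks see the auth cookie
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }

    internal static void CheckSameSite(HttpContext httpContext, CookieOptions options)
    {
        if (options.SameSite != SameSiteMode.None)
        {
            return;
        }
        string userAgent = httpContext.Request.Headers["User-Agent"].ToString();
        if (DisallowsSameSiteNone(userAgent))
        {
            // Omitting the attribute is the only value these clients accept; they would
            // otherwise drop the cookie or treat None as Strict.
            options.SameSite = SameSiteMode.Unspecified;
        }
    }

    // User-agent sniffing for clients that break on SameSite=None. The substrings follow the
    // ASP.NET Core SameSite guidance linked in the issue; this is the method to extend when
    // an embedded browser in your user base also needs the downgrade.
    internal static bool DisallowsSameSiteNone(string userAgent)
    {
        if (string.IsNullOrEmpty(userAgent)) return false;

        // iOS 12 Safari and WebViews treat SameSite=None as SameSite=Strict.
        if (userAgent.Contains("CPU iPhone OS 12") || userAgent.Contains("iPad; CPU OS 12"))
            return true;

        // macOS 10.14 Safari ("Version/" distinguishes Safari from Chrome on macOS).
        if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14")
            && userAgent.Contains("Version/") && userAgent.Contains("Safari"))
            return true;

        // Chrome 50-69 reject cookies that carry SameSite=None.
        if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
            return true;

        return false;
    }
}
```

Two caveats a practitioner should keep in mind. SameSite=None deliberately gives up the cross-site request protection that Lax provides for the authentication cookie, so the application must rely on anti-forgery tokens for state-changing requests rather than on the cookie attribute. And `IsEssential = true` matters in the issue's setup because `CheckConsentNeeded` returns true there: a non-essential authentication cookie would be suppressed by the cookie policy middleware until the user consents. Later Microsoft.Identity.Web releases renamed AddSignIn, but reconfiguring the already-registered scheme through named `CookieAuthenticationOptions` rather than a second AddCookie call is the same pattern.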