Disable SameSite for AzureAd and B2C cookies #9115 (#10280)

This commit is contained in:
Chris Ross 2019-05-16 12:02:40 -07:00 committed by GitHub
parent d83bb8efa2
commit 7db16f174d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 23 additions and 1 deletions


@ -2,6 +2,7 @@
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Options;
namespace Microsoft.AspNetCore.Authentication.AzureAD.UI
@ -29,6 +30,7 @@ namespace Microsoft.AspNetCore.Authentication.AzureAD.UI
options.LoginPath = $"/AzureAD/Account/SignIn/{AzureADScheme}";
options.LogoutPath = $"/AzureAD/Account/SignOut/{AzureADScheme}";
options.AccessDeniedPath = "/AzureAD/Account/AccessDenied";
options.Cookie.SameSite = SameSiteMode.None;
}
public void Configure(CookieAuthenticationOptions options)
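Review bot: `options.Cookie.SameSite = SameSiteMode.None;` removes the browser's cross-site protection for the AzureAD auth cookie, so CSRF defence for every state-changing endpoint in the app now rests entirely on antiforgery tokens, and nothing in the hunk records that trade-off. Presumably the intent is to keep the cookie usable across the cross-site form_post return from the identity provider; if so, a why-comment on that line such as `// SameSite disabled so the auth cookie survives the cross-site form_post callback from AAD; CSRF protection relies on antiforgery tokens` would stop a later reviewer from re-tightening it. Browsers that honour an explicit `SameSite=None` also require `Secure`, so `options.Cookie.SecurePolicy = CookieSecurePolicy.Always;` belongs alongside this line unless the default is confirmed adequate; whether this framework version emits the attribute for `None` or simply omits it is not visible here. The enclosing Configure overload begins before the hunk.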


@ -6,6 +6,7 @@ using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Logging.Abstractions;
@ -74,6 +75,14 @@ namespace Microsoft.AspNetCore.Authentication
Assert.True(openIdOptions.UseTokenLifetime);
Assert.Equal("/signin-oidc", openIdOptions.CallbackPath);
Assert.Equal(AzureADDefaults.CookieScheme, openIdOptions.SignInScheme);
var cookieAuthenticationOptionsMonitor = provider.GetService<IOptionsMonitor<CookieAuthenticationOptions>>();
Assert.NotNull(cookieAuthenticationOptionsMonitor);
var cookieAuthenticationOptions = cookieAuthenticationOptionsMonitor.Get(AzureADDefaults.CookieScheme);
Assert.Equal("/AzureAD/Account/SignIn/AzureAD", cookieAuthenticationOptions.LoginPath);
Assert.Equal("/AzureAD/Account/SignOut/AzureAD", cookieAuthenticationOptions.LogoutPath);
Assert.Equal("/AzureAD/Account/AccessDenied", cookieAuthenticationOptions.AccessDeniedPath);
Assert.Equal(SameSiteMode.None, cookieAuthenticationOptions.Cookie.SameSite);
}
[Fact]
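Review bot: The added assertions pin `Cookie.SameSite` but not the companion flags, so a change that loosened `Cookie.SecurePolicy` or `Cookie.HttpOnly` on the AzureAD cookie scheme would pass this test unnoticed. With SameSite now off, those two properties carry more of the cookie's protection, so pinning them here is worthwhile: `Assert.True(cookieAuthenticationOptions.Cookie.HttpOnly);` and `Assert.Equal(CookieSecurePolicy.Always, cookieAuthenticationOptions.Cookie.SecurePolicy);` (substituting whatever value the options class actually configures, which is not visible in this hunk). The enclosing test method begins before the hunk.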


@ -2,6 +2,7 @@
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Options;
namespace Microsoft.AspNetCore.Authentication.AzureADB2C.UI
@ -29,6 +30,7 @@ namespace Microsoft.AspNetCore.Authentication.AzureADB2C.UI
options.LoginPath = $"/AzureADB2C/Account/SignIn/{azureADB2CScheme}";
options.LogoutPath = $"/AzureADB2C/Account/SignOut/{azureADB2CScheme}";
options.AccessDeniedPath = "/AzureADB2C/Account/AccessDenied";
options.Cookie.SameSite = SameSiteMode.None;
}
public void Configure(CookieAuthenticationOptions options)
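Review bot: `options.Cookie.SameSite = SameSiteMode.None;` on the AzureADB2C auth cookie disables the browser's cross-site protection for that cookie, so CSRF defence now depends entirely on antiforgery tokens, and the line carries no comment explaining why that is acceptable. Presumably this is needed so the cookie survives the cross-site form_post callback from B2C; a why-comment such as `// SameSite disabled so the auth cookie survives the cross-site form_post callback from B2C; CSRF protection relies on antiforgery tokens` would make that explicit. Because browsers that honour an explicit `SameSite=None` require `Secure`, `options.Cookie.SecurePolicy = CookieSecurePolicy.Always;` should accompany this line unless the default is verified; whether this framework version emits the attribute for `None` or omits it cannot be determined from the hunk. The enclosing Configure overload begins before the hunk.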


@ -2,10 +2,11 @@
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.using Microsoft.AspNetCore.Authorization;
using System;
using Microsoft.AspNetCore.Authentication.AzureADB2C.UI;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authentication.AzureADB2C.UI;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Logging.Abstractions;
@ -88,6 +89,14 @@ namespace Microsoft.AspNetCore.Authentication
var remoteFailureHanlder = openIdOptions.Events.OnRemoteFailure;
Assert.NotNull(remoteFailureHanlder);
Assert.IsType<AzureADB2COpenIDConnectEventHandlers>(redirectHandler.Target);
var cookieAuthenticationOptionsMonitor = provider.GetService<IOptionsMonitor<CookieAuthenticationOptions>>();
Assert.NotNull(cookieAuthenticationOptionsMonitor);
var cookieAuthenticationOptions = cookieAuthenticationOptionsMonitor.Get(AzureADB2CDefaults.CookieScheme);
Assert.Equal("/AzureADB2C/Account/SignIn/AzureADB2C", cookieAuthenticationOptions.LoginPath);
Assert.Equal("/AzureADB2C/Account/SignOut/AzureADB2C", cookieAuthenticationOptions.LogoutPath);
Assert.Equal("/AzureADB2C/Account/AccessDenied", cookieAuthenticationOptions.AccessDeniedPath);
Assert.Equal(SameSiteMode.None, cookieAuthenticationOptions.Cookie.SameSite);
}
[Fact]
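Review bot: The new block asserts `Cookie.SameSite` for the AzureADB2C cookie scheme but leaves `Cookie.SecurePolicy` and `Cookie.HttpOnly` unchecked, so a regression in either would not be caught now that SameSite no longer protects the cookie. Adding `Assert.True(cookieAuthenticationOptions.Cookie.HttpOnly);` and an assertion on `cookieAuthenticationOptions.Cookie.SecurePolicy` against the value the options class sets (not visible here) would close that gap. The enclosing test method begins before the hunk.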