From 7db16f174d3c142fd41ad22455fc0df0828edddf Mon Sep 17 00:00:00 2001
From: Chris Ross
Date: Thu, 16 May 2019 12:02:40 -0700
Subject: [PATCH] Disable SameSite for AzureAd and B2C cookies #9115 (#10280)
---
 .../src/AzureADCookieOptionsConfiguration.cs | 2 ++
 .../AzureADAuthenticationBuilderExtensionsTests.cs | 9 +++++++++
 .../src/AzureADB2CCookieOptionsConfiguration.cs | 2 ++
 .../AzureAdB2CAuthenticationBuilderExtensionsTests.cs | 11 ++++++++++-
 4 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/src/Azure/AzureAD/Authentication.AzureAD.UI/src/AzureADCookieOptionsConfiguration.cs b/src/Azure/AzureAD/Authentication.AzureAD.UI/src/AzureADCookieOptionsConfiguration.cs
index 3716538315..7f4f87c8bd 100644
--- a/src/Azure/AzureAD/Authentication.AzureAD.UI/src/AzureADCookieOptionsConfiguration.cs
+++ b/src/Azure/AzureAD/Authentication.AzureAD.UI/src/AzureADCookieOptionsConfiguration.cs
@@ -2,6 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Options;
 namespace Microsoft.AspNetCore.Authentication.AzureAD.UI
@@ -29,6 +30,7 @@ namespace Microsoft.AspNetCore.Authentication.AzureAD.UI
 options.LoginPath = $"/AzureAD/Account/SignIn/{AzureADScheme}";
 options.LogoutPath = $"/AzureAD/Account/SignOut/{AzureADScheme}";
 options.AccessDeniedPath = "/AzureAD/Account/AccessDenied";
+ options.Cookie.SameSite = SameSiteMode.None;
 }
 public void Configure(CookieAuthenticationOptions options)
diff --git a/src/Azure/AzureAD/Authentication.AzureAD.UI/test/AzureADAuthenticationBuilderExtensionsTests.cs b/src/Azure/AzureAD/Authentication.AzureAD.UI/test/AzureADAuthenticationBuilderExtensionsTests.cs
index 1f0cb14ac4..db937ca62e 100644
--- a/src/Azure/AzureAD/Authentication.AzureAD.UI/test/AzureADAuthenticationBuilderExtensionsTests.cs
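Review bot: The added `options.Cookie.SameSite = SameSiteMode.None;` in the named Configure overload (and the identical line in the AzureADB2CCookieOptionsConfiguration.cs hunk at @@ -29,6 +30,7 @@) gives up the cross-site request protection that the cookie handler's default Lax setting provides for the session cookie, and the hunk neither pairs it with `options.Cookie.SecurePolicy = CookieSecurePolicy.Always;` nor leaves a comment saying why cross-site delivery is required. Browsers that enforce the "SameSite=None requires Secure" rule drop a None cookie that is not also marked Secure, and with SecurePolicy left at its default that is what a plain-HTTP deployment would emit, so sign-in would fail without any error on the server side. Presumably the motivation is the cross-site OpenID Connect sign-in round trip behind #9115; I would record it inline, e.g. `// SameSite=Lax breaks the cross-site OIDC sign-in round trip (#9115); this cookie must therefore rely on Secure and anti-forgery tokens, not SameSite, for CSRF protection.` The enclosing Configure method starts above the hunk.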
+++ b/src/Azure/AzureAD/Authentication.AzureAD.UI/test/AzureADAuthenticationBuilderExtensionsTests.cs
@@ -6,6 +6,7 @@ using Microsoft.AspNetCore.Authentication.AzureAD.UI;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Logging.Abstractions;
@@ -74,6 +75,14 @@ namespace Microsoft.AspNetCore.Authentication
 Assert.True(openIdOptions.UseTokenLifetime);
 Assert.Equal("/signin-oidc", openIdOptions.CallbackPath);
 Assert.Equal(AzureADDefaults.CookieScheme, openIdOptions.SignInScheme);
+
+ var cookieAuthenticationOptionsMonitor = provider.GetService>();
+ Assert.NotNull(cookieAuthenticationOptionsMonitor);
+ var cookieAuthenticationOptions = cookieAuthenticationOptionsMonitor.Get(AzureADDefaults.CookieScheme);
+ Assert.Equal("/AzureAD/Account/SignIn/AzureAD", cookieAuthenticationOptions.LoginPath);
+ Assert.Equal("/AzureAD/Account/SignOut/AzureAD", cookieAuthenticationOptions.LogoutPath);
+ Assert.Equal("/AzureAD/Account/AccessDenied", cookieAuthenticationOptions.AccessDeniedPath);
+ Assert.Equal(SameSiteMode.None, cookieAuthenticationOptions.Cookie.SameSite);
 }
 [Fact]
diff --git a/src/Azure/AzureAD/Authentication.AzureADB2C.UI/src/AzureADB2CCookieOptionsConfiguration.cs b/src/Azure/AzureAD/Authentication.AzureADB2C.UI/src/AzureADB2CCookieOptionsConfiguration.cs
index 5f2c1354c4..2f20345111 100644
--- a/src/Azure/AzureAD/Authentication.AzureADB2C.UI/src/AzureADB2CCookieOptionsConfiguration.cs
+++ b/src/Azure/AzureAD/Authentication.AzureADB2C.UI/src/AzureADB2CCookieOptionsConfiguration.cs
@@ -2,6 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Options;
 namespace Microsoft.AspNetCore.Authentication.AzureADB2C.UI
@@ -29,6 +30,7 @@ namespace Microsoft.AspNetCore.Authentication.AzureADB2C.UI
 options.LoginPath = $"/AzureADB2C/Account/SignIn/{azureADB2CScheme}";
 options.LogoutPath = $"/AzureADB2C/Account/SignOut/{azureADB2CScheme}";
 options.AccessDeniedPath = "/AzureADB2C/Account/AccessDenied";
+ options.Cookie.SameSite = SameSiteMode.None;
 }
 public void Configure(CookieAuthenticationOptions options)
diff --git a/src/Azure/AzureAD/Authentication.AzureADB2C.UI/test/AzureAdB2CAuthenticationBuilderExtensionsTests.cs b/src/Azure/AzureAD/Authentication.AzureADB2C.UI/test/AzureAdB2CAuthenticationBuilderExtensionsTests.cs
index e7d021d1da..cd7dde32f6 100644
--- a/src/Azure/AzureAD/Authentication.AzureADB2C.UI/test/AzureAdB2CAuthenticationBuilderExtensionsTests.cs
+++ b/src/Azure/AzureAD/Authentication.AzureADB2C.UI/test/AzureAdB2CAuthenticationBuilderExtensionsTests.cs
@@ -2,10 +2,11 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.using Microsoft.AspNetCore.Authorization;
 using System;
+using Microsoft.AspNetCore.Authentication.AzureADB2C.UI;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
-using Microsoft.AspNetCore.Authentication.AzureADB2C.UI;
+using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Logging.Abstractions;
@@ -88,6 +89,14 @@ namespace Microsoft.AspNetCore.Authentication
 var remoteFailureHanlder = openIdOptions.Events.OnRemoteFailure;
 Assert.NotNull(remoteFailureHanlder);
 Assert.IsType(redirectHandler.Target);
+
+ var cookieAuthenticationOptionsMonitor = provider.GetService>();
+ Assert.NotNull(cookieAuthenticationOptionsMonitor);
+ var cookieAuthenticationOptions = cookieAuthenticationOptionsMonitor.Get(AzureADB2CDefaults.CookieScheme);
+ Assert.Equal("/AzureADB2C/Account/SignIn/AzureADB2C", cookieAuthenticationOptions.LoginPath);
+ Assert.Equal("/AzureADB2C/Account/SignOut/AzureADB2C", cookieAuthenticationOptions.LogoutPath);
+ Assert.Equal("/AzureADB2C/Account/AccessDenied", cookieAuthenticationOptions.AccessDeniedPath);
+ Assert.Equal(SameSiteMode.None, cookieAuthenticationOptions.Cookie.SameSite);
 }
 [Fact]