Disable SameSite for AzureAd and B2C cookies #9115 (#10280)

This commit is contained in:
Chris Ross 2019-05-16 12:02:40 -07:00 committed by GitHub
parent d83bb8efa2
commit 7db16f174d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 23 additions and 1 deletions

View File

@ -2,6 +2,7 @@
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.using Microsoft.AspNetCore.Authorization; // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authentication.Cookies; using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Options; using Microsoft.Extensions.Options;
namespace Microsoft.AspNetCore.Authentication.AzureAD.UI namespace Microsoft.AspNetCore.Authentication.AzureAD.UI
@ -29,6 +30,7 @@ namespace Microsoft.AspNetCore.Authentication.AzureAD.UI
options.LoginPath = $"/AzureAD/Account/SignIn/{AzureADScheme}"; options.LoginPath = $"/AzureAD/Account/SignIn/{AzureADScheme}";
options.LogoutPath = $"/AzureAD/Account/SignOut/{AzureADScheme}"; options.LogoutPath = $"/AzureAD/Account/SignOut/{AzureADScheme}";
options.AccessDeniedPath = "/AzureAD/Account/AccessDenied"; options.AccessDeniedPath = "/AzureAD/Account/AccessDenied";
options.Cookie.SameSite = SameSiteMode.None;
} }
public void Configure(CookieAuthenticationOptions options) public void Configure(CookieAuthenticationOptions options)

View File

@ -6,6 +6,7 @@ using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authentication.Cookies; using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer; using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect; using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging; using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Logging.Abstractions; using Microsoft.Extensions.Logging.Abstractions;
@ -74,6 +75,14 @@ namespace Microsoft.AspNetCore.Authentication
Assert.True(openIdOptions.UseTokenLifetime); Assert.True(openIdOptions.UseTokenLifetime);
Assert.Equal("/signin-oidc", openIdOptions.CallbackPath); Assert.Equal("/signin-oidc", openIdOptions.CallbackPath);
Assert.Equal(AzureADDefaults.CookieScheme, openIdOptions.SignInScheme); Assert.Equal(AzureADDefaults.CookieScheme, openIdOptions.SignInScheme);
var cookieAuthenticationOptionsMonitor = provider.GetService<IOptionsMonitor<CookieAuthenticationOptions>>();
Assert.NotNull(cookieAuthenticationOptionsMonitor);
var cookieAuthenticationOptions = cookieAuthenticationOptionsMonitor.Get(AzureADDefaults.CookieScheme);
Assert.Equal("/AzureAD/Account/SignIn/AzureAD", cookieAuthenticationOptions.LoginPath);
Assert.Equal("/AzureAD/Account/SignOut/AzureAD", cookieAuthenticationOptions.LogoutPath);
Assert.Equal("/AzureAD/Account/AccessDenied", cookieAuthenticationOptions.AccessDeniedPath);
Assert.Equal(SameSiteMode.None, cookieAuthenticationOptions.Cookie.SameSite);
} }
[Fact] [Fact]

View File

@ -2,6 +2,7 @@
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.using Microsoft.AspNetCore.Authorization; // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authentication.Cookies; using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Options; using Microsoft.Extensions.Options;
namespace Microsoft.AspNetCore.Authentication.AzureADB2C.UI namespace Microsoft.AspNetCore.Authentication.AzureADB2C.UI
@ -29,6 +30,7 @@ namespace Microsoft.AspNetCore.Authentication.AzureADB2C.UI
options.LoginPath = $"/AzureADB2C/Account/SignIn/{azureADB2CScheme}"; options.LoginPath = $"/AzureADB2C/Account/SignIn/{azureADB2CScheme}";
options.LogoutPath = $"/AzureADB2C/Account/SignOut/{azureADB2CScheme}"; options.LogoutPath = $"/AzureADB2C/Account/SignOut/{azureADB2CScheme}";
options.AccessDeniedPath = "/AzureADB2C/Account/AccessDenied"; options.AccessDeniedPath = "/AzureADB2C/Account/AccessDenied";
options.Cookie.SameSite = SameSiteMode.None;
} }
public void Configure(CookieAuthenticationOptions options) public void Configure(CookieAuthenticationOptions options)

View File

@ -2,10 +2,11 @@
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.using Microsoft.AspNetCore.Authorization; // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.using Microsoft.AspNetCore.Authorization;
using System; using System;
using Microsoft.AspNetCore.Authentication.AzureADB2C.UI;
using Microsoft.AspNetCore.Authentication.Cookies; using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer; using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect; using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authentication.AzureADB2C.UI; using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging; using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Logging.Abstractions; using Microsoft.Extensions.Logging.Abstractions;
@ -88,6 +89,14 @@ namespace Microsoft.AspNetCore.Authentication
var remoteFailureHanlder = openIdOptions.Events.OnRemoteFailure; var remoteFailureHanlder = openIdOptions.Events.OnRemoteFailure;
Assert.NotNull(remoteFailureHanlder); Assert.NotNull(remoteFailureHanlder);
Assert.IsType<AzureADB2COpenIDConnectEventHandlers>(redirectHandler.Target); Assert.IsType<AzureADB2COpenIDConnectEventHandlers>(redirectHandler.Target);
var cookieAuthenticationOptionsMonitor = provider.GetService<IOptionsMonitor<CookieAuthenticationOptions>>();
Assert.NotNull(cookieAuthenticationOptionsMonitor);
var cookieAuthenticationOptions = cookieAuthenticationOptionsMonitor.Get(AzureADB2CDefaults.CookieScheme);
Assert.Equal("/AzureADB2C/Account/SignIn/AzureADB2C", cookieAuthenticationOptions.LoginPath);
Assert.Equal("/AzureADB2C/Account/SignOut/AzureADB2C", cookieAuthenticationOptions.LogoutPath);
Assert.Equal("/AzureADB2C/Account/AccessDenied", cookieAuthenticationOptions.AccessDeniedPath);
Assert.Equal(SameSiteMode.None, cookieAuthenticationOptions.Cookie.SameSite);
} }
[Fact] [Fact]