Describe the issue
When samesite is set to strict, the redirect back is wrong despite authentication being successful.
https://login.microsoftonline.com/kmsi (status 200) redirects me to https://subdomain.example.com/auth/saml/azure (status 303)
https://subdomain.example.com/auth/saml/azure (status 303) redirects me to https://subdomain.example.com/auth/portal (status 302)
https://subdomain.example.com/auth/portal (status 302) redirects me to https://subdomain.example.com/auth/login (status 200) where I end up
If the user then modifies the URL to go to https://subdomain.example.com/ or https://subdomain.example.com/auth/whoami he can observe that he is actually authenticated despite the redirect being wrong.
But without samesite strict, e.g. lax, I stop on /auth/portal.
Expected behavior
I am using subdomain.example.com, it should just work despite samesite being strict, right?
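To show why the chain above lands on /auth/login under Strict but stops on /auth/portal under Lax, here is an added simulation of the browser's SameSite decision over the reported redirect chain; it is not code from the project or from this issue. It follows the simplified RFC 6265bis rule that a redirect chain started cross-site (here by login.microsoftonline.com) stays cross-site for every hop, and the server behaviour and the registrable-domain heuristic are assumptions.

```python
from collections import namedtuple
from urllib.parse import urlsplit

def site_of(url):
    """Registrable domain, approximated as the last two host labels (assumption: no public-suffix list)."""
    return ".".join(urlsplit(url).hostname.split(".")[-2:])

Cookie = namedtuple("Cookie", "name site samesite")  # samesite is "Strict", "Lax" or "None"

def cookie_sent(cookie, url, initiator_site, method="GET"):
    """Simplified RFC 6265bis rule: every hop of a redirect chain is cross-site if the chain started cross-site."""
    if site_of(url) != cookie.site:
        return False
    same_site = initiator_site == cookie.site
    if cookie.samesite == "None":
        return True
    if cookie.samesite == "Lax":  # Lax additionally allows top-level cross-site GET navigations
        return same_site or method == "GET"
    return same_site  # Strict: only requests initiated from the cookie's own site

# Assumed server behaviour for the paths in the report: (status, next path, sets session cookie)
def server(path, has_session):
    if path == "/auth/saml/azure":
        return 303, "/auth/portal", True  # SAML response accepted, session cookie issued
    if path == "/auth/portal":
        return (200, None, False) if has_session else (302, "/auth/login", False)
    return 200, None, False  # /auth/login, /auth/whoami, ...

def simulate(samesite):
    """Walk the redirect chain that the IdP (login.microsoftonline.com) started, i.e. a cross-site chain."""
    jar, hops = [], []
    initiator = "microsoftonline.com"
    url = "https://subdomain.example.com/auth/saml/azure"
    while True:
        has_session = any(cookie_sent(c, url, initiator) for c in jar)
        status, next_path, sets_cookie = server(urlsplit(url).path, has_session)
        hops.append((urlsplit(url).path, status, has_session))
        if sets_cookie:  # SameSite restricts sending, not storing, so the cookie is stored either way
            jar.append(Cookie("session", site_of(url), samesite))
        if next_path is None:
            return hops, jar
        url = "https://subdomain.example.com" + next_path

def whoami_authenticated(jar):
    """A URL typed by the user is a same-site navigation, so even a Strict cookie is sent with it."""
    url = "https://subdomain.example.com/auth/whoami"
    return any(cookie_sent(c, url, site_of(url)) for c in jar)
```

Running simulate("Strict") reproduces the three hops ending on /auth/login while whoami_authenticated still reports True; simulate("Lax") stops on /auth/portal with the session visible.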
@Gunni, could it be that you have a redirect URL configured for your Azure enterprise application?
greenpau