Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

breakfix: samesite strict makes redirect wrong #365

Open
Gunni opened this issue Oct 29, 2024 · 1 comment
Open

breakfix: samesite strict makes redirect wrong #365

Gunni opened this issue Oct 29, 2024 · 1 comment

Comments

@Gunni
Copy link

Gunni commented Oct 29, 2024

Describe the issue

When samesite is set to strict, the redirect back is wrong despite authentication being successful.

https://login.microsoftonline.com/kmsi (status 200) redirects me to https://subdomain.example.com/auth/saml/azure (status 303)

https://subdomain.example.com/auth/saml/azure (status 303) redirects me to https://subdomain.example.com/auth/portal (status 302)

https://subdomain.example.com/auth/portal (status 302) redirects me to https://subdomain.example.com/auth/login (status 200) where I end up

If the user then modifies the url to go to https://subdomain.example.com/ or https://subdomain.example.com/auth/whoami he can observe that he is actually authenticated despite the redirect being wrong.

But without samesite strict, f.ex lax, i stop on /auth/portal

Expected behavior

I am using subdomain.example.com, it should just work despite samesite being strict, right?

@greenpau
Copy link
Owner

@Gunni , could it be that you have redirect url configured for your azure enterprise application?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants