Openid in some sites broken with new SameSite=Lax default cookie policy in Firefox 79 beta
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Canonical SSO provider | Fix Released | Undecided | Maximiliano Bertacchini | |
Bug Description
Last week, some internal Canonical sites started requiring full re-authentication from scratch several times a day, which is unusual. Using the Firefox snap 79.0-1 from latest/beta, with 2 profiles. Noticed the one with issues has "network.
Ubuntu SSO currently does not set an explicit SameSite on cookies. This used to mean "SameSite=None". With the new default being implemented by modern browsers, those cookies now default to "SameSite=Lax", which basically drops third-party cookies from non-idempotent requests. Chrome implements this default behavior as of version 84 (but slightly more permissive, as a temporary mitigation to prevent breaking sign-on flows, which explains why it works with Ubuntu SSO), while Firefox has it available to test as of Firefox 69 and will make it default in the future.
1. Install the Firefox 79.0-1 snap from latest/beta.
2. Check "network.
3. Log in to Ubuntu SSO.
4. Go to the internal Grafana, delete all the site's cookies and refresh.
5. It should pass the OpenID dance and log in automatically.
6. Set "network.
7. Delete all of Grafana's cookies again and refresh (maybe repeat a couple of times).
8. You're out of SSO! You need to log in from scratch.
Curiously, other sites such as snapcraft.io and the internal sentry (which uses SAML afaict) do not seem affected. Maybe apache-openid only?
In any case, as per the new SameSite default, I believe SSO should explicitly set this attribute on its cookies. Django 3.1.x introduced full support of SameSite flag for session and csrf cookies. Older versions of Django can use this middleware: https:/
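The rule the description relies on (an absent SameSite attribute is now treated as Lax, and Lax withholds the cookie from cross-site non-idempotent requests such as a top-level POST) can be checked mechanically. The Python below is an added example, not code from the bug report, from Ubuntu SSO or from the linked Django middleware: it models which cross-site requests a cookie accompanies under each SameSite value and each browser default, and audits Set-Cookie header values for the two mistakes a provider can make (no attribute at all, or SameSite=None without Secure). The request scenarios and header values are constructed; Chrome's temporary "Lax+POST" allowance is modelled as a plain flag, without the age limit Chrome applies to it.

```python
"""SameSite cookie behaviour and a Set-Cookie audit.

Added example, not code from the bug report or from Ubuntu SSO. Request
scenarios and header values below are constructed.
"""
from dataclasses import dataclass

# Methods a Lax cookie may accompany on a cross-site top-level navigation.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Request:
    method: str
    cross_site: bool   # the initiating site differs from the target site
    top_level: bool    # a navigation, not a subresource fetch or XHR


def cookie_attached(samesite, req, browser_default="Lax", lax_post_mitigation=False):
    """Return True if the browser would attach the cookie to `req`.

    samesite:            "Strict", "Lax", "None", or None when the attribute
                         is absent from the cookie.
    browser_default:     what an absent attribute means: "None" for legacy
                         browsers, "Lax" for Firefox with laxByDefault enabled
                         and for Chrome 84+.
    lax_post_mitigation: Chrome's temporary "Lax+POST" allowance, which lets a
                         cookie that was *defaulted* (not explicitly set) to
                         Lax ride on a top-level cross-site POST. Chrome grants
                         this only to recently set cookies; the age limit is
                         omitted here (simplifying assumption).
    """
    explicit = samesite is not None
    mode = (samesite if explicit else browser_default).capitalize()
    if not req.cross_site or mode == "None":
        return True                 # same-site requests are never restricted
    if mode == "Strict":
        return False                # Strict never travels cross-site
    if mode != "Lax":
        raise ValueError(f"unknown SameSite value {samesite!r}")
    if req.top_level and req.method.upper() in SAFE_METHODS:
        return True                 # Lax: safe top-level navigations only
    return (not explicit) and lax_post_mitigation and req.top_level


def sso_session_survives(samesite, browser_default="Lax", lax_post_mitigation=False):
    """Does the provider's session cookie arrive when a relying party sends the
    user to it with a cross-site, top-level POST (an auto-submitted form)?"""
    return cookie_attached(samesite, Request("POST", cross_site=True, top_level=True),
                           browser_default, lax_post_mitigation)


def audit_set_cookie(header):
    """Parse one Set-Cookie header value and list SameSite-related findings.

    Returns (cookie_name, samesite_value_or_None, findings).
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    samesite = attrs.get("samesite")
    findings = []
    if samesite is None:
        findings.append("no SameSite attribute; browsers now treat it as Lax")
    elif samesite.lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure; browsers drop the cookie")
    return name, samesite, findings


if __name__ == "__main__":
    # Constructed headers: an unflagged cookie (the report's situation), the
    # cross-site-safe form, and a common misconfiguration.
    for header in ("sessionid=abc123; Path=/; HttpOnly",
                   "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=None",
                   "csrftoken=xyz; Path=/; SameSite=None"):
        name, samesite, findings = audit_set_cookie(header)
        print(f"{name:<10} SameSite={samesite!s:<5}", "; ".join(findings) or "ok")

    print("\nsession cookie reaches SSO on a cross-site top-level POST?")
    for label, kwargs in (("legacy browser (default None)", dict(browser_default="None")),
                          ("Firefox laxByDefault", dict(browser_default="Lax")),
                          ("Chrome 84 Lax+POST", dict(browser_default="Lax",
                                                      lax_post_mitigation=True))):
        print(f"  {label:<30} unset={sso_session_survives(None, **kwargs)!s:<5} "
              f"explicit None={sso_session_survives('None', **kwargs)}")
```

Run against the Set-Cookie values a provider's login responses actually emit, `audit_set_cookie` flags exactly the cookies the description is about. In Django 3.1 the session and CSRF cookie attributes are controlled by the `SESSION_COOKIE_SAMESITE` and `CSRF_COOKIE_SAMESITE` settings; whichever value a provider picks, setting it explicitly is what removes the dependence on the browser's default.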
References:
https:/
https:/
Related branches
- Daniel Manrique (community): Approve
- Diff: 60 lines (+7/-2), 3 files modified
  - django_project/settings_base.py (+2/-0)
  - django_project/settings_devel.py (+3/-2)
  - requirements.txt (+2/-0)
summary:
- Openid dance in some sites is broken with new SameSite: lax cookies by default in Firefox beta
+ Openid in some sites broken with new SameSite=Lax default cookie policy in Firefox beta

summary:
- Openid in some sites broken with new SameSite=Lax default cookie policy in Firefox beta
+ Openid in some sites broken with new SameSite=Lax default cookie policy in Firefox 79 beta

Changed in canonical-identity-provider:
assignee: nobody → Maximiliano Bertacchini (maxiberta)
status: New → Fix Released
Locally reproducible with python-openid's example consumer (with this patch: https://github.com/openid/python-openid/pull/94/files).