Openid in some sites broken with new SameSite=Lax default cookie policy in Firefox 79 beta

Bug #1888734 reported by Maximiliano Bertacchini
Affects: Canonical SSO provider
Status: Fix Released
Importance: Undecided
Assigned to: Maximiliano Bertacchini

Bug Description

Last week, some internal Canonical sites started requiring full re-authentication from scratch several times in a day, which is unusual. Using firefox snap 79.0-1 from latest/beta, with 2 profiles. Noticed the one with issues has "network.cookie.sameSite.laxByDefault" enabled, and the other profile has it disabled. Not sure why it was suddenly enabled in one single profile, but I suspect it's part of a progressive release as there's also "app.normandy.startupRolloutPrefs.network.cookie.sameSite.laxByDefault: true".

Ubuntu SSO currently does not set an explicit SameSite on cookies. This used to mean "SameSite=None". With the new default being implemented by modern browsers, those cookies now default to "SameSite=Lax", which basically drops third-party cookies from non-idempotent requests. Chrome implements this default behavior as of version 84 (but slightly more permissive, as a temporary mitigation to prevent breaking sign-on flows, which explains why it works with Ubuntu SSO), while Firefox has it available to test as of Firefox 69 and will make it default in the future.

1. Install firefox 79.0-1 snap from latest/beta.
2. Check "network.cookie.sameSite.laxByDefault=False" in about:config (the old default).
3. Log in to Ubuntu SSO.
4. Go to the internal grafana, delete all the site's cookies and refresh.
5. Should pass the openid dance and log in automatically.
6. Set "network.cookie.sameSite.laxByDefault=True".
7. Delete all grafana's cookies again and refresh (maybe repeat a couple of times).
8. You're out of SSO! Need to log in from scratch.

Curiously, other sites such as snapcraft.io and the internal sentry (which uses SAML afaict) do not seem affected. Maybe apache-openid only?

In any case, as per the new SameSite default, I believe SSO should explicitly set this attribute on its cookies. Django 3.1.x introduced full support of SameSite flag for session and csrf cookies. Older versions of Django can use this middleware: https://pypi.org/project/django-cookies-samesite/.

References:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
https://web.dev/samesite-cookies-explained/#changes-to-the-default-behavior-without-samesite
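As an added illustration (not code from the bug, Ubuntu SSO, Django or Firefox), the Python below models the browser's SameSite decision described above and replays the relying-party-to-SSO hop under the old and new defaults. It assumes that hop is an auto-submitted cross-site top-level POST and models Chrome's temporary "Lax+POST" allowance as a two-minute window for cookies with no SameSite attribute.

```python
"""Model of a browser's SameSite decision, replaying the OpenID step from the
bug: the relying party hands the user to SSO with a cross-site, top-level POST,
and SSO's session cookie has no SameSite attribute.  Added illustration only."""
from dataclasses import dataclass
from typing import Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
LAX_POST_WINDOW = 120   # seconds: Chrome's temporary "Lax+POST" allowance

@dataclass
class Cookie:
    name: str
    samesite: Optional[str] = None   # "Strict", "Lax", "None" or None (unset)
    secure: bool = False
    age: int = 0                     # seconds since the cookie was set

def cookie_sent(cookie: Cookie, method: str, cross_site: bool,
                top_level: bool, lax_by_default: bool,
                lax_plus_post: bool = False) -> bool:
    """True if the browser attaches `cookie` to a request with these properties."""
    if not cross_site:
        return True                          # SameSite never blocks same-site requests
    mode = cookie.samesite
    if mode is None:
        if not lax_by_default:
            return True                      # old behaviour: unset meant SameSite=None
        # New default: unset is treated as Lax.  Chrome 84 additionally keeps
        # sending recently set unspecified cookies on top-level POSTs.
        if lax_plus_post and top_level and cookie.age < LAX_POST_WINDOW:
            return True
        mode = "Lax"
    if mode == "Strict":
        return False
    if mode == "None":
        return cookie.secure                 # modern browsers reject None without Secure
    return top_level and method.upper() in SAFE_METHODS   # Lax

def openid_login(cookie: Cookie, lax_by_default: bool, lax_plus_post: bool = False) -> str:
    """Outcome of the RP -> SSO hop, assumed to be an auto-submitted POST form."""
    sent = cookie_sent(cookie, "POST", cross_site=True, top_level=True,
                       lax_by_default=lax_by_default, lax_plus_post=lax_plus_post)
    return "auto-login" if sent else "re-authenticate"

if __name__ == "__main__":
    sso = Cookie("sessionid", age=600)                      # constructed: SSO today
    print("Firefox laxByDefault=False:", openid_login(sso, lax_by_default=False))
    print("Firefox laxByDefault=True: ", openid_login(sso, lax_by_default=True))
    fixed = Cookie("sessionid", samesite="None", secure=True, age=600)  # proposed fix
    print("with SESSION_COOKIE_SAMESITE='None' + Secure:", openid_login(fixed, True))
```

The last case corresponds to the fix proposed in the report: Django 3.1's SESSION_COOKIE_SAMESITE = "None" together with SESSION_COOKIE_SECURE = True, since a SameSite=None cookie is only honoured when it is also Secure.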

summary: changed from "Openid dance in some sites is broken with new SameSite: lax cookies by default in Firefox beta" to "Openid in some sites broken with new SameSite=Lax default cookie policy in Firefox beta"
summary: changed from "Openid in some sites broken with new SameSite=Lax default cookie policy in Firefox beta" to "Openid in some sites broken with new SameSite=Lax default cookie policy in Firefox 79 beta"
Maximiliano Bertacchini (maxiberta) wrote :

Locally reproducible with python-openid's example consumer (with this patch: https://github.com/openid/python-openid/pull/94/files).

Changed in canonical-identity-provider:
assignee: nobody → Maximiliano Bertacchini (maxiberta)
status: New → Fix Released