Question
I am using the standard OIDC .NET library to make a challenge request to ADB2C. From my understanding, this automagically attempts the sign in with the refresh token in cache and gains an authorization without re-asking for credentials.
This seems to work absolutely fine, except on one browser - Chrome on Android. No matter what I try, this browser seems to lose the refresh token, so after around 1 hr it starts asking for credentials again. I have cross-checked this on Chrome web/mac, Edge, IE, Safari, FF and they all behave as expected to maintain a constant logged-in state.
Any ideas? This should be browser independent from what I understand, but maybe I'm missing a trick?
Update
This seems to be similar behaviour even when accessing a web app protected by AD. Again, Chrome loses the refresh, but other browsers are fine.
Update
I see this in Fiddler when trying to access the site after the expired token
Chrome
Set-Cookie: x-ms-cpim-csrf=XXX; domain=auth.mywebsite.com; path=/; SameSite=None; secure; HttpOnly
Edge
Set-Cookie: x-ms-cpim-sso:mytenant.onmicrosoft.com_0=XXX; domain=auth.mywebsite.com; path=/; SameSite=None; secure; HttpOnly
So yes there is a difference, but why and how to fix?
Answer 1:
It could be the issue with SameSite cookies in Chrome that causes the cookies to not be sent as you expect. Here are a few pointers to help you out:
- How To Prepare Your IdentityServer For Chrome's SameSite Cookie Changes - And How To Deal With Safari, Nevertheless
- Upcoming Browser Behavior Changes: What Developers Need to Know
But I think first of all you should verify if this is a SameSite issue, by using a tool like Fiddler to capture the traffic and verify that the cookies are indeed lost. Do compare in Fiddler your different browsers and see if there's some differences.
Do try to log in using an incognito mode, so that you start with no cookies in the browser. Then you should see the cookies being set both by your identity provider and your application.
In Fiddler you can, under the Filter tab, enable the first item in the picture to flag responses that set cookies, to make it even easier to detect when cookies are set.
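The comparison the answer recommends (capture the Set-Cookie responses per browser, then look for cookies that one browser gets and another does not, and for SameSite attributes Chrome 80+ would reject) can be scripted once the headers are exported from Fiddler. The script below is an added example and not code from the question or the answer. It parses Set-Cookie headers, applies Chrome's SameSite defaults (no SameSite attribute is treated as Lax; SameSite=None without Secure is rejected), and diffs two captures. The two "captures" are constructed from the two headers quoted in the question plus two made-up cookies (app-session, legacy) that illustrate the failure modes; the cookie names are taken from the post, the rest is assumed.

```python
"""Diff Set-Cookie headers captured from two browsers and flag SameSite problems.

Added example for diagnosing the Fiddler comparison described above; the
Chrome SameSite rules encoded in samesite_verdict() are:
  - no SameSite attribute      -> treated as SameSite=Lax (Chrome 80+ default)
  - SameSite=None without Secure -> cookie is rejected outright
  - SameSite=None; Secure       -> allowed on cross-site requests (the OIDC
                                   redirect back from the IdP is cross-site)
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute name -> value or True


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header line (with or without the 'Set-Cookie:' prefix)."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    # Split on the first '=' only: B2C cookie names may themselves contain ':'.
    name, _, value = parts[0].partition("=")
    attrs: dict = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return Cookie(name.strip(), value, attrs)


def samesite_verdict(cookie: Cookie) -> str:
    """Classify how Chrome 80+ treats this cookie on a cross-site request."""
    samesite = cookie.attrs.get("samesite")
    secure = bool(cookie.attrs.get("secure", False))
    if samesite is None or samesite is True:
        return "lax-by-default"      # will NOT accompany the cross-site POST/redirect from the IdP
    samesite = samesite.lower()
    if samesite == "none":
        return "ok-cross-site" if secure else "rejected"   # None requires Secure
    if samesite in ("lax", "strict"):
        return samesite
    return "unknown"


def diff_traces(chrome: list[str], edge: list[str]) -> dict:
    """Compare two lists of Set-Cookie header lines and report the differences."""
    by_name_chrome = {c.name: c for c in map(parse_set_cookie, chrome)}
    by_name_edge = {c.name: c for c in map(parse_set_cookie, edge)}
    return {
        "only_in_chrome": sorted(set(by_name_chrome) - set(by_name_edge)),
        "only_in_edge": sorted(set(by_name_edge) - set(by_name_chrome)),
        "chrome_verdicts": {n: samesite_verdict(c) for n, c in by_name_chrome.items()},
        "edge_verdicts": {n: samesite_verdict(c) for n, c in by_name_edge.items()},
    }


# Constructed captures. The two x-ms-cpim-* lines are the headers quoted in the
# question; app-session and legacy are made up to show the two SameSite failure modes.
CHROME_TRACE = [
    "Set-Cookie: x-ms-cpim-csrf=XXX; domain=auth.mywebsite.com; path=/; SameSite=None; secure; HttpOnly",
    "Set-Cookie: app-session=abc; path=/; HttpOnly",                 # constructed: no SameSite -> Lax
    "Set-Cookie: legacy=1; path=/; SameSite=None",                   # constructed: None without Secure
]
EDGE_TRACE = [
    "Set-Cookie: x-ms-cpim-sso:mytenant.onmicrosoft.com_0=XXX; domain=auth.mywebsite.com; path=/; SameSite=None; secure; HttpOnly",
    "Set-Cookie: app-session=abc; path=/; HttpOnly",
    "Set-Cookie: legacy=1; path=/; SameSite=None",
]

if __name__ == "__main__":
    report = diff_traces(CHROME_TRACE, EDGE_TRACE)
    for key, val in report.items():
        print(f"{key}: {val}")
```

Run against real captures, a cookie listed under only_in_edge (here the x-ms-cpim-sso SSO cookie) tells you the identity provider never issued it to Chrome, which is a different problem from a cookie that was issued but shows up as "rejected" or "lax-by-default"; the latter two are the cases the SameSite articles linked above are about.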
Source: https://stackoverflow.com/questions/63571825/adb2c-refresh-token-challenge-not-working-on-chrome-android