ADB2C refresh token challenge not working on Chrome Android

Submitted by 混江龙づ霸主 on 2021-02-20 04:53:32

Question


I am using the standard OIDC .NET library to make a challenge request to ADB2C. From my understanding, this automagically attempts the sign in with the refresh token in cache and gains an authorization without re-asking for credentials.

This seems to work absolutely fine, except on 1 browser - Chrome on Android. No matter what I try, this browser seems to lose the refresh token, so after around 1 hr, it starts asking for credentials again. I have cross-checked this on Chrome web/mac, edge, IE, safari, FF and they all behave as expected to maintain a constant logged in state.

Any ideas? This should be browser independent from what I understand, but maybe I'm missing a trick?


Update

This seems to be similar behaviour even when accessing a web app protected by AD. Again, Chrome loses the refresh, but other browsers are fine.


Update

I see this in Fiddler when trying to access the site after the expired token

Chrome

Set-Cookie: x-ms-cpim-csrf=XXX; domain=auth.mywebsite.com; path=/; SameSite=None; secure; HttpOnly

Edge

Set-Cookie: x-ms-cpim-sso:mytenant.onmicrosoft.com_0=XXX; domain=auth.mywebsite.com; path=/; SameSite=None; secure; HttpOnly

So yes there is a difference, but why and how to fix?


Answer 1:


It could be the issue with SameSite cookies in Chrome that causes the cookies to not be sent as you expect. Here are a few pointers to help you out:

  • How To Prepare Your IdentityServer For Chrome's SameSite Cookie Changes - And How To Deal With Safari, Nevertheless
  • Upcoming Browser Behavior Changes: What Developers Need to Know

But I think first of all you should verify if this is a SameSite issue, by using a tool like Fiddler to capture the traffic and verify that the cookies are indeed lost. Do compare your different browsers in Fiddler and see if there are some differences.

Do try to log in using incognito mode, so that you start with no cookies in the browser. Then you should see the cookies being set both by your identity provider and your application.

In Fiddler, under the Filter tab, you can enable the first item in the picture to flag responses that set cookies, which makes it even easier to detect when cookies are set.
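As an added example (not part of the original answer or of any Microsoft library), here is a small Python script that does the comparison the answer suggests: it parses Set-Cookie headers captured per browser, such as the two quoted in the question, flags attribute combinations that Chrome rejects or downgrades, and reports which cookie names one browser received but another did not. The CAPTURES layout and the issue wording are assumptions.

```python
from __future__ import annotations

# Constructed sample: the two Set-Cookie values quoted in the question, keyed by
# the browser whose Fiddler capture they came from (layout is an assumption).
CAPTURES = {
    "Chrome": [
        "x-ms-cpim-csrf=XXX; domain=auth.mywebsite.com; path=/; SameSite=None; secure; HttpOnly",
    ],
    "Edge": [
        "x-ms-cpim-sso:mytenant.onmicrosoft.com_0=XXX; domain=auth.mywebsite.com; path=/; SameSite=None; secure; HttpOnly",
    ],
}


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # flag attrs have no value
    return {"name": name.strip(), "value": value, "attrs": attrs}


def cookie_problems(cookie: dict) -> list[str]:
    """Flag SameSite combinations that modern Chrome rejects or treats as Lax."""
    attrs = cookie["attrs"]
    samesite = str(attrs.get("samesite", "")).lower()
    issues = []
    if samesite == "none" and "secure" not in attrs:
        issues.append("SameSite=None without Secure (Chrome rejects the cookie)")
    if not samesite:
        issues.append("no SameSite attribute (Chrome defaults it to Lax)")
    return issues


def compare_captures(captures: dict) -> dict:
    """Per browser: cookie names received, names seen only in other browsers, issues."""
    parsed = {b: [parse_set_cookie(h) for h in hs] for b, hs in captures.items()}
    all_names = {c["name"] for cookies in parsed.values() for c in cookies}
    report = {}
    for browser, cookies in parsed.items():
        names = {c["name"] for c in cookies}
        report[browser] = {
            "received": sorted(names),
            "missing": sorted(all_names - names),
            "issues": {c["name"]: cookie_problems(c) for c in cookies if cookie_problems(c)},
        }
    return report


if __name__ == "__main__":
    for browser, entry in compare_captures(CAPTURES).items():
        print(browser, entry)
```

On the question's two headers the script reports that Chrome never received the x-ms-cpim-sso cookie that Edge did, while neither header has a SameSite/Secure problem, which points the investigation at where that SSO cookie is set or dropped rather than at its attributes.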



Source: https://stackoverflow.com/questions/63571825/adb2c-refresh-token-challenge-not-working-on-chrome-android
