
Comments (1)

linianhui commented on July 17, 2024

Not verified yet, but in theory it does have an impact. The impact falls into two parts:

1. Impact of the default changing from None to Lax

1.1 When the id_token is delivered to the RP via form_post, the browser cannot send the cookies the RP recorded when authentication started, such as the nonce.
1.2 When the front end uses an iframe for check_session, the cookie the OP needs to keep its own login cannot be sent, so the check fails.
1.3 During front channel logout, when an iframe is used to call the other RPs to log out, the cookies each RP itself needs cannot be sent.

All three are the form_post and iframe usages specified by the OIDC protocol. Of these, 1.1 has the biggest impact: it happens in the authentication phase, when information is returned to the RP via form_post, and in theory it can be worked around by switching to the querystring method. 1.2 applies when you use session management. 1.3 has the smallest impact and occurs in the front channel logout phase.

The simplest fix is to set it to None and enable HTTPS at the same time. But that brings the following problem.

2. Impact of some older browsers not supporting None and treating it as Strict

This impact has nothing to do with our application, but it is the most annoying one, and there is no good way to handle it; the only option is to detect the user agent and dynamically decide whether to set SameSite=None on Set-Cookie.

The above is purely the theoretical impact; I have not actually verified it on my side.

from example-oidc.
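As an added example (not code from the example-oidc project or from the commenter), here is the user-agent check described in point 2, with a helper that emits SameSite=None only for clients known to understand it. The regexes follow the publicly documented incompatible-client list, the function names are assumptions, and the user-agent strings used for testing are constructed.

```python
import re

# Clients known to mishandle SameSite=None (treating it as Strict or dropping
# the cookie). Patterns follow the publicly documented incompatible-client
# list; they are deliberately narrow and constructed for this example.
_IOS12 = re.compile(r"\(iP.+; CPU .*OS 12[_\d]*.*\) AppleWebKit/")
_MACOS_1014 = re.compile(r"\(Macintosh;.*Mac OS X 10_14[_\d]*.*\) AppleWebKit/")
_SAFARI = re.compile(r"Version/.* Safari/")
_EMBEDDED_WEBKIT = re.compile(
    r"^Mozilla/[.\d]+ \(Macintosh;.*Mac OS X [_\d]+\) AppleWebKit/[.\d]+ "
    r"\(KHTML, like Gecko\)$"
)
_CHROME = re.compile(r"Chrom(?:e|ium)/(\d+)")
_UCBROWSER = re.compile(r"UCBrowser/(\d+)\.(\d+)\.(\d+)")


def is_samesite_none_incompatible(user_agent: str) -> bool:
    """True when this client would misinterpret SameSite=None as Strict."""
    if _IOS12.search(user_agent):
        return True  # every browser on iOS 12 shares the WebKit bug
    if _MACOS_1014.search(user_agent) and (
        _SAFARI.search(user_agent) or _EMBEDDED_WEBKIT.search(user_agent)
    ):
        return True  # Safari 12 / embedded WebKit on macOS 10.14
    m = _CHROME.search(user_agent)
    if m and 51 <= int(m.group(1)) <= 66:
        return True  # Chrome 51-66 rejected cookies carrying SameSite=None
    m = _UCBROWSER.search(user_agent)
    if m and tuple(int(x) for x in m.groups()) < (12, 13, 2):
        return True  # UC Browser before 12.13.2
    return False


def build_set_cookie(name: str, value: str, user_agent: str, https: bool) -> str:
    """Set-Cookie value for a cookie that must arrive on a cross-site form_post
    or iframe request (the RP's nonce cookie, the OP's session cookie)."""
    if not https:
        # SameSite=None is only honoured together with Secure, so without
        # HTTPS there is no working cross-site configuration at all.
        raise ValueError("SameSite=None requires HTTPS (Secure attribute)")
    attrs = [f"{name}={value}", "Path=/", "Secure", "HttpOnly"]
    if not is_samesite_none_incompatible(user_agent):
        attrs.append("SameSite=None")  # modern client: be explicit
    # Legacy client: omit SameSite entirely; it then applies no restriction,
    # whereas an explicit None would be treated as Strict.
    return "; ".join(attrs)
```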
