openid-connect, azure-ad-b2c, cookie-authentication

Scope of cookies in OpenID connect


During authentication to Azure AD B2C with OpenID Connect, what is the role of cookies there? Is it necessary to use cookies? Are there implicit uses of cookies in the OpenID Connect pipeline? Is there any documentation which covers the role of cookies in OpenID Connect?


Solution

  • What is the role of cookies there?

    The role of cookies is to give the browser stateless sessions.

    Put into a browser cookie, the ID token can be used to implement lightweight stateless sessions. This does away with the need to store sessions on the server side (in memory or on disk), which can be quite a burden for apps that must scale well. The session cookie is checked by validating the ID token. If the token has expired, the app can simply ask the OP for a new one via a silent prompt=none request.

  • Is it necessary to use cookies?

    RECOMMENDED, not REQUIRED. An opaque value is used to maintain state between the request and the callback. Typically, Cross-Site Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a browser cookie.

  • Are there implicit uses of cookies in the OpenID Connect pipeline? Is there any documentation which covers the role of cookies in OpenID Connect?

    For more details about cookies in OpenID Connect, you can refer to this document (search for "cookie" on that site).

    Hope this helps!
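One way to implement the "cryptographically bind the state parameter to a browser cookie" CSRF mitigation the answer describes, as an added example written for this page (it is not Azure AD B2C's or the OpenID Connect specification's own code; `SERVER_KEY`, the `oidc_csrf` cookie name and the `rp.example` callback URL are assumptions):

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Hypothetical relying-party key; a real app loads it from a secret store.
SERVER_KEY = b"replace-with-a-real-32-byte-secret"


def new_login_state(server_key: bytes = SERVER_KEY) -> tuple:
    """Start a login: return (cookie_value, state_param).

    The browser cookie holds a fresh random value; the OIDC `state` sent to
    the OP is an HMAC of that value, so the two are cryptographically bound
    and the cookie never has to be stored on the server (stateless RP).
    """
    cookie_value = secrets.token_urlsafe(32)
    state = hmac.new(server_key, cookie_value.encode(), hashlib.sha256).hexdigest()
    return cookie_value, state


def state_matches_cookie(state: str, cookie_value: str, server_key: bytes = SERVER_KEY) -> bool:
    """At the redirect_uri callback: recompute the HMAC over the cookie the
    browser sent back and compare it to the returned `state` in constant time."""
    if not state or not cookie_value:
        return False
    expected = hmac.new(server_key, cookie_value.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, state)


def handle_callback(callback_url: str, cookies: dict) -> str:
    """Simplified callback handler: return the authorization code only if the
    `state` in the URL is bound to this browser's cookie; otherwise return a
    rejection string (a real app would answer HTTP 400 and log the event)."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    code = query.get("code", [""])[0]
    if not state_matches_cookie(state, cookies.get("oidc_csrf", "")):
        return "rejected: state does not match this browser's cookie"
    return code


def demo() -> tuple:
    # Constructed walk-through: a legitimate round-trip, then a callback that
    # carries a state belonging to a different session (the CSRF case).
    cookie_value, state = new_login_state()
    browser_cookies = {"oidc_csrf": cookie_value}
    ok = handle_callback(f"https://rp.example/callback?code=AUTHCODE&state={state}", browser_cookies)
    _, other_state = new_login_state()  # state minted for some other browser
    rejected = handle_callback(f"https://rp.example/callback?code=OTHER&state={other_state}", browser_cookies)
    return ok, rejected
```

Set the `oidc_csrf` cookie with `HttpOnly`, `Secure` and a `SameSite` attribute, and clear it once the callback has been processed so each login uses a fresh binding.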