
OIDC js library response cookies are not stored and not attached to subsequent requests


I am using authcodeflow with PKCE.

Using the OIDC js library in the frontend, I make calls to ADFS to get an auth code and then call my backend API. The backend API calls the ADFS server, gets the access token, and returns the token as a cookie to the frontend. I can see the cookie in the response headers, but that cookie is not stored in the browser and not added to subsequent requests. I have tried SameSite with all modes -> Lax, None, Strict and not setting it. Is this an issue with the OIDC js library, or is it blocking the cookies from being stored in the browser?

Update: Below are the observations from my analysis. Since oidc-client-js does not have an option to set the flag "withCredentials" to true for its requests, no cookies are sent in the request and response cookies are ignored for cross-origin requests. This change is marked as an enhancement and is still not completed in their GitHub repo. https://github.com/IdentityModel/oidc-client-js/issues/1062

Is there any way to achieve this with this library? Or are there any other OIDC js libraries?

https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials


Solution

So you are issuing a cookie from an API domain that is a sibling of the WEB domain:

    POSSIBLE CAUSES FOR COOKIE BEING DROPPED

    Maybe it is the withCredentials flag or maybe due to a lack of user gesture, since the user has not done anything explicit to navigate to api.mycompany.com, such as a browser navigation or clicking a link?

    FORCING WITHCREDENTIALS

    You can override the prototype like this in order to add the withCredentials property. This is a little hacky but you could limit usage based on the URL and it should let you know whether setting withCredentials resolves your problem:

    // Keep a reference to the original open() before overriding it.
    let open = XMLHttpRequest.prototype.open;
    XMLHttpRequest.prototype.open = function(method, url) {
        // Call the original open() with the same arguments ...
        open.apply(this, arguments);
        // ... then mark the request as credentialed so cookies are sent and stored.
        this.withCredentials = true;
    }


    PROXYING VIA WEB DOMAIN WILL HAVE FEWER COOKIE ISSUES

    In my blog post I do something similar to proxy messages containing a refresh token. I use the web's exact domain though, rather than using an API subdomain. This will never be impacted by browser restrictions.
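As an added example (not part of the question or the answer above), here is a URL-scoped version of the override the answer suggests: withCredentials is set only for requests whose origin is the API that issues the cookie, so every other request keeps the browser default. The origins api.mycompany.com and www.mycompany.com and the FakeXhr stand-in are assumptions made for the example.

```javascript
// Added example: scope the XMLHttpRequest.prototype.open override to one
// API origin instead of credentialing every request the page makes.
// API_ORIGIN / WEB_ORIGIN are assumed values for this example.
const API_ORIGIN = "https://api.mycompany.com";
const WEB_ORIGIN = "https://www.mycompany.com";

// Does this request URL (absolute, protocol-relative or page-relative)
// target the API origin that sets the cookie?
function isApiRequest(url, baseOrigin = WEB_ORIGIN) {
  let parsed;
  try {
    parsed = new URL(url, baseOrigin);
  } catch (e) {
    return false; // unparsable URL: leave the request untouched
  }
  return parsed.origin === API_ORIGIN;
}

// Patch open() on an XHR constructor (window.XMLHttpRequest in a browser).
// Returns a function that restores the original open().
function installCredentialedOpen(XhrCtor, baseOrigin = WEB_ORIGIN) {
  const originalOpen = XhrCtor.prototype.open;
  XhrCtor.prototype.open = function (method, url, ...rest) {
    originalOpen.call(this, method, url, ...rest);
    if (isApiRequest(url, baseOrigin)) {
      this.withCredentials = true; // cookies only for the API origin
    }
  };
  return () => { XhrCtor.prototype.open = originalOpen; };
}

// Constructed stand-in for XMLHttpRequest so the example runs outside a
// browser; it only records what open() was called with.
class FakeXhr {
  constructor() { this.withCredentials = false; this.opened = null; }
  open(method, url) { this.opened = { method, url }; }
}

// Exercise the patch against three kinds of request and report the flags.
function demo() {
  const restore = installCredentialedOpen(FakeXhr);
  const api = new FakeXhr();
  api.open("GET", "https://api.mycompany.com/token");
  const relative = new FakeXhr();
  relative.open("GET", "/static/app.js");
  const other = new FakeXhr();
  other.open("POST", "https://idp.example.com/oauth2/token"); // constructed
  restore();
  return { api: api.withCredentials, relative: relative.withCredentials, other: other.withCredentials };
}
```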