Open Bug 1791250 Opened 3 years ago Updated 3 years ago

Enhanced Tracking Protection and expired cookies break Azure AD B2C authorization

Categories

(Core :: Privacy: Anti-Tracking, defect, P3)

Firefox 104
defect

Tracking

UNCONFIRMED

People

(Reporter: generica1, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0

Steps to reproduce:

  • Static SPA website interactively authenticating in Azure AD B2C using the Microsoft.Authentication.WebAssembly.Msal library (I guess MSAL.js would be the same)

  • At the moment I can't share affected public website

  • Azure Function Backend APIs protected by the same AAD B2C domain

  • Successful login through Signin/Signup B2C flow with popup to myb2ctenant.b2clogin.com and redirect to blazorapp.xx.web.core.windows.net/authentication/login-callback

  • Disabling Enhanced Tracking Protection by clicking the toggle in the shield panel next to the address bar fixes the problem

  • The problem arises only in the current Windows version, while it works on Firefox Android 104.2.0 and in other browsers (Chrome, Edge)

  • I received help at https://support.mozilla.org/en-US/questions/1389319
    (newbie here, I hope I'm filling enough info)

Actual results:

After successful login, when navigating to authorized pages presenting API-protected content ("my orders" for example), the authorize response always returns the error: AADB2C90077: User does not have an existing session and request prompt parameter has a value of 'None'

Steps when a protected resource is requested (after successful login):

  • Get openid configuration, which sets an expired cookie (note the year 2012 and SameSite=None)

GET /myb2ctenant.onmicrosoft.com/b2c_1_sinsup/v2.0/.well-known/openid-configuration
Set-Cookie: x-ms-cpim-trans=; domain=myb2ctenant.b2clogin.com; expires=Fri, 14-Sep-2012 13:00:12 GMT; path=/; SameSite=None; secure; HttpOnly
(response body with openid-configuration)

  • FF registers warnings in the console

Cookie “x-ms-cpim-trans” has been rejected because it is already expired

  • Token request for api

GET /myb2ctenant.onmicrosoft.com/b2c_1_sinsup/oauth2/v2.0/authorize?response_type=token&scope=

RESPONSE:
Location: https://blazorapp.xx.web.core.windows.net/authentication/login-callback#error=interaction_required&error_description=AADB2C90077%3a+User+does+not+have+an+existing+session+and+request+prompt+parameter+has+a+value+of+%27None

Expected results:

The authorize request should work, returning state and a scoped token, and the next call to the protected API should contain a valid header "authorization: Bearer xxxxx" injected by MSAL

This authorization case, passing through official Azure AD B2C flows, should not be strictly considered third-party (as it's mandatory and stays at the core of the B2C authentication concept in general) and should not be compared to what's explained here:
https://support.mozilla.org/en-US/kb/introducing-total-cookie-protection-standard-mode

Thanks for reporting. It looks like the token request is under a different site than the top-level domain (the domain in the URL bar). So, it's considered a third-party request, and its cookies were partitioned.

You can check if it's the case by setting the partition exemption pref privacy.restrict3rdpartystorage.skip_list with the format (top-level domain),(third-party domain), such as https://example.com,https://third.party.com. The pref will unpartition the third-party domain under the given top-level domain, so if the page starts working after setting this pref, it means partitioning the third-party domain is causing this issue. Note that you will need to refresh the page to make the pref work. We are interested to see if this fixes the issue.

To further diagnose the issue, we need to know the auth behavior, such as the URLs that were opened during the login process, including the URLs in the auth popup. Also, the URLs of the third-party token request. It would be even better if you can provide us with a testing page to inspect the login process directly. If you feel uncomfortable sharing it with us publicly, you can email us with all details.

Flags: needinfo?(generica1)
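The diagnosis in the comment above (the login domain is a different site from the one in the address bar, so its cookies are partitioned) can be checked offline. The script below is an added example, not code from the bug report, Mozilla or Microsoft. It takes the top-level URL and the request URLs quoted in this bug, reports which requests are cross-site and therefore only see the cookie jar partitioned under the app's site, decodes the Set-Cookie header from the report, and builds the skip_list entry in the format Mozilla describes. Two assumptions: registrableDomain() approximates eTLD+1 with the last two host labels (browsers use the Public Suffix List instead), and the cookie-date parser only handles the RFC 6265 style date shown in the report.

```javascript
// Added example, not code from the bug report, Mozilla or Microsoft: an
// offline diagnostic for the third-party/partitioning reasoning above.
// ASSUMPTION: registrableDomain() approximates eTLD+1 as the last two labels.
// Browsers use the Public Suffix List, which this script does not embed.

const MONTHS = ['jan', 'feb', 'mar', 'apr', 'may', 'jun',
                'jul', 'aug', 'sep', 'oct', 'nov', 'dec'];

function registrableDomain(host) {
  const labels = host.toLowerCase().split('.').filter(Boolean);
  return labels.slice(-2).join('.');
}

// "Site" in the sense Total Cookie Protection partitions by: scheme + eTLD+1.
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${registrableDomain(u.hostname)}`;
}

function isCrossSite(topLevelUrl, requestUrl) {
  return siteOf(topLevelUrl) !== siteOf(requestUrl);
}

// Cookie dates such as "Fri, 14-Sep-2012 13:00:12 GMT" are parsed explicitly,
// because Date.parse() is not guaranteed to accept the dashed form.
function parseCookieDate(text) {
  const m = /(\d{1,2})[\s-]+([A-Za-z]{3})[\s-]+(\d{4})\s+(\d{2}):(\d{2}):(\d{2})/.exec(text);
  if (!m) return null;
  const month = MONTHS.indexOf(m[2].toLowerCase());
  if (month < 0) return null;
  return new Date(Date.UTC(+m[3], month, +m[1], +m[4], +m[5], +m[6]));
}

// Split a Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header, now = new Date()) {
  const [pair, ...rest] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attributes = {};
  for (const attr of rest) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  const expires = attributes.expires ? parseCookieDate(attributes.expires) : null;
  return {
    name,
    value,
    attributes,
    // An Expires in the past is how a server deletes a cookie (RFC 6265 5.3);
    // Firefox reports it as "rejected because it is already expired".
    isDeletion: expires !== null && expires < now,
    // SameSite=None; Secure is what lets a cookie travel on cross-site requests.
    crossSiteCapable:
      String(attributes.samesite || '').toLowerCase() === 'none' && attributes.secure === true,
  };
}

function classifyRequests(topLevelUrl, requestUrls) {
  return requestUrls.map(url => {
    const crossSite = isCrossSite(topLevelUrl, url);
    return {
      url,
      crossSite,
      // A cross-site request gets the jar partitioned under the top-level site,
      // not the jar the login popup filled when b2clogin.com was itself top-level.
      cookieJar: crossSite ? `partitioned under ${siteOf(topLevelUrl)}` : 'first-party',
    };
  });
}

// privacy.restrict3rdpartystorage.skip_list entry: "<top-level origin>,<third-party origin>".
function skipListEntry(topLevelUrl, thirdPartyUrl) {
  return `${new URL(topLevelUrl).origin},${new URL(thirdPartyUrl).origin}`;
}

// Constructed input, taken from the URLs and header quoted in this bug.
const APP_URL = 'https://blazorapp.xx.web.core.windows.net/authentication/login-callback';
const B2C_REQUESTS = [
  'https://myb2ctenant.b2clogin.com/myb2ctenant.onmicrosoft.com/b2c_1_sinsup/v2.0/.well-known/openid-configuration',
  'https://myb2ctenant.b2clogin.com/myb2ctenant.onmicrosoft.com/b2c_1_sinsup/oauth2/v2.0/authorize?response_type=token',
  APP_URL,
];
const SET_COOKIE = 'x-ms-cpim-trans=; domain=myb2ctenant.b2clogin.com; expires=Fri, 14-Sep-2012 13:00:12 GMT; path=/; SameSite=None; secure; HttpOnly';
```

Running classifyRequests(APP_URL, B2C_REQUESTS) marks both b2clogin.com requests as cross-site with a partitioned jar and the app's own URL as first-party; parseSetCookie(SET_COOKIE) shows that the 2012 Expires is a deletion of x-ms-cpim-trans rather than a new session cookie, so the console warning is about that deletion, not about the session itself. skipListEntry(APP_URL, B2C_REQUESTS[0]) produces exactly the pair the reporter later confirms.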

Thank you for your help.

I confirm that it now works leaving ETP ON for my site and editing the suggested skip list in this way (<MY APP Url>,<B2C LOGIN POPUP Url domain>):

https://blazorapp.xx.web.core.windows.net,https://myb2ctenant.b2clogin.com

Login auth behavior is as follows:

https://myb2ctenant.b2clogin.com/myb2ctenant.onmicrosoft.com/b2c_1_sinsup/v2.0/.well-known/openid-configuration

followed by popup URL

https://myb2ctenant.b2clogin.com/myb2ctenant.onmicrosoft.com/b2c_1_sinsup/oauth2/v2.0/authorize?response_type=id_token&scope=openid profile&client_id=.....

Token request executes same openid-configuration request as before followed by authorized token request:

https://myb2ctenant.b2clogin.com/myb2ctenant.onmicrosoft.com/b2c_1_sinsup/oauth2/v2.0/authorize?response_type=token&scope=.....

The customer doesn't want to share the actual website with the public currently; if the provided info is not enough, please let me know how I can give you more details.
Thanks

Flags: needinfo?(generica1)
Flags: needinfo?(tihuang)
Flags: needinfo?(pbz)

Sorry for the late response.

The skip list suggests that the login domain needs to have first-party storage access under your app domain. So, the ideal solution here would be to use the Storage Access API to request storage access in this case. Given that you will open a popup, I assume there is a user interaction (clicking a button) involved in your login process. So, you can request storage access with the user interaction for the login domain (note that the Storage Access API has to be called inside an iframe of the login domain). Once the storage access is granted, it should be working.

Feel free to reach out to us if you have any further questions regarding using Storage Access API.

Flags: needinfo?(tihuang)
Flags: needinfo?(pbz)
Severity: -- → S3
Priority: -- → P3
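The Storage Access API flow suggested above, as an added example that is not code from Mozilla, Microsoft or the reporter. It assumes a page on the login origin that you control can be embedded in an iframe on the app origin and that the user clicks a button inside that frame; document.requestStorageAccess() must be called from that frame, during the click, or the browser rejects it with NotAllowedError. The functions take the document as a parameter so the same code runs in the browser (pass the real document) and offline against the constructed fake document at the bottom, which only imitates the grant/deny behaviour.

```javascript
// Added example, not code from Mozilla, Microsoft or the bug reporter.
// ASSUMPTION: this script runs in an <iframe> served from the login origin,
// embedded by the app origin, and the login starts from a button click.

// Request first-party storage for the frame's origin. Must run inside the
// iframe of the login domain and inside a user gesture.
async function ensureStorageAccess(doc) {
  if (typeof doc.requestStorageAccess !== 'function') {
    // No Storage Access API on this document: nothing to request.
    return { granted: false, via: 'unsupported' };
  }
  if (await doc.hasStorageAccess()) {
    return { granted: true, via: 'already-granted' };
  }
  try {
    await doc.requestStorageAccess();
    return { granted: true, via: 'requested' };
  } catch (err) {
    // NotAllowedError: no user activation, user declined, or policy blocked it.
    return { granted: false, via: 'denied', error: err && err.name };
  }
}

// Wire the login button so the storage-access request happens in the click
// handler, then hand off to the existing login (for example the MSAL popup).
function wireLoginButton(doc, button, startLogin) {
  button.addEventListener('click', async () => {
    const result = await ensureStorageAccess(doc);
    if (result.granted) {
      startLogin(result);
    } else {
      // Surface the reason so the app can explain or degrade gracefully
      // instead of looping on AADB2C90077-style "no session" errors.
      button.dataset.storageAccess = result.via;
    }
  });
}

// Constructed fake document for running this offline; in a browser use `document`.
function makeFakeDocument({ allowRequests = true } = {}) {
  let hasAccess = false;
  return {
    hasStorageAccess: async () => hasAccess,
    requestStorageAccess: async () => {
      if (!allowRequests) {
        const e = new Error('storage access denied');
        e.name = 'NotAllowedError';
        throw e;
      }
      hasAccess = true;
    },
  };
}

// Constructed fake button that replays registered click handlers.
function makeFakeButton() {
  const handlers = [];
  return {
    dataset: {},
    addEventListener: (type, fn) => { if (type === 'click') handlers.push(fn); },
    click: () => Promise.all(handlers.map(fn => fn())),
  };
}

// Simulate one click; allowRequests=false models a rejected request.
async function simulateClick(allowRequests) {
  const doc = makeFakeDocument({ allowRequests });
  const button = makeFakeButton();
  let started = null;
  wireLoginButton(doc, button, result => { started = result; });
  await button.click();
  return {
    loginStarted: started !== null,
    via: started ? started.via : button.dataset.storageAccess,
  };
}
```

In the browser, only ensureStorageAccess and wireLoginButton are needed: call wireLoginButton(document, loginButton, () => msalInstance.loginPopup(...)) from the login-domain frame, where msalInstance is whatever login the app already uses. Whether the grant persists, and whether the user is prompted, is browser policy; the code only guarantees the request is made with user activation and that a denial is reported rather than silently ignored.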