Fix OAuth error due to SameSite cookie policy (#18332)

The `oauth_state` cookie used to be created with the SameSite value set according to the `cookie_samesite` configuration. However, due to a Safari bug SameSite=None or SameSite=invalid are treated as Strict which results in "missing saved state" OAuth login failures because the cookie is not sent with the redirect requests to the OAuth provider. This commit always creates the `oauth_state` cookie with SameSite=Lax to compensate for this.

Fix OAuth error due to SameSite cookie policy (#18332)
The `oauth_state` cookie used to be created with the SameSite value set according to the `cookie_samesite` configuration. However, due to a Safari bug SameSite=None or SameSite=invalid are treated as Strict which results in "missing saved state" OAuth login failures because the cookie is not sent with the redirect requests to the OAuth provider. This commit always creates the `oauth_state` cookie with SameSite=Lax to compensate for this.
69b7b8bb · Sofia Papagiannaki · Leonard Gram · 83da3660 · 69b7b8bb
Commit 69b7b8bb authored Aug 01, 2019 by Sofia Papagiannaki Committed by Leonard Gram Aug 01, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 6 deletions

pkg/api/login_oauth.go
+6 -6

No files found.
--- a/pkg/api/login_oauth.go
+++ b/pkg/api/login_oauth.go
@@ -60,7 +60,7 @@ func (hs *HTTPServer) OAuthLogin(ctx *m.ReqContext) {
 	if code == "" {
 		state := GenStateString()
 		hashedState := hashStatecode(state, setting.OAuthService.OAuthInfos[name].ClientSecret)
-		hs.writeCookie(ctx.Resp, OauthStateCookieName, hashedState, 60)
+		hs.writeCookie(ctx.Resp, OauthStateCookieName, hashedState, 60, http.SameSiteLaxMode)
 		if setting.OAuthService.OAuthInfos[name].HostedDomain == "" {
 			ctx.Redirect(connect.AuthCodeURL(state, oauth2.AccessTypeOnline))
 		} else {
@@ -73,7 +73,7 @@ func (hs *HTTPServer) OAuthLogin(ctx *m.ReqContext) {

 	// delete cookie
 	ctx.Resp.Header().Del("Set-Cookie")
-	hs.deleteCookie(ctx.Resp, OauthStateCookieName)
+	hs.deleteCookie(ctx.Resp, OauthStateCookieName, http.SameSiteLaxMode)

 	if cookieState == "" {
 		ctx.Handle(500, "login.OAuthLogin(missing saved state)", nil)
@@ -213,11 +213,11 @@ func (hs *HTTPServer) OAuthLogin(ctx *m.ReqContext) {
 	ctx.Redirect(setting.AppSubUrl + "/")
 }

-func (hs *HTTPServer) deleteCookie(w http.ResponseWriter, name string) {
-	hs.writeCookie(w, name, "", -1)
+func (hs *HTTPServer) deleteCookie(w http.ResponseWriter, name string, sameSite http.SameSite) {
+	hs.writeCookie(w, name, "", -1, sameSite)
 }

-func (hs *HTTPServer) writeCookie(w http.ResponseWriter, name string, value string, maxAge int) {
+func (hs *HTTPServer) writeCookie(w http.ResponseWriter, name string, value string, maxAge int, sameSite http.SameSite) {
 	http.SetCookie(w, &http.Cookie{
 		Name:     name,
 		MaxAge:   maxAge,
@@ -225,7 +225,7 @@ func (hs *HTTPServer) writeCookie(w http.ResponseWriter, name string, value stri
 		HttpOnly: true,
 		Path:     setting.AppSubUrl + "/",
 		Secure:   hs.Cfg.CookieSecure,
-		SameSite: hs.Cfg.CookieSameSite,
+		SameSite: sameSite,
 	})
 }