
cremp | 5 years ago

It should be noted that SameSite was broken with Google Sign-in because Google themselves never set the None attribute before they reverted the rollout in April. [0]

This is a killer for all federated login systems.

[0] https://github.com/google/google-api-javascript-client/issue...


anderspitman | 5 years ago

Can you recommend a good article that gives an overview of the issue? I'm not really familiar with how SSO is implemented and why SameSite breaks it.

cremp | 5 years ago

SameSite won't break it if you set it to None, e.g. SameSite=None. Google failed to set it before the official rollout.

The reason is that SSO effectively uses an iframe or popup to a 3rd-party auth provider (Google, Microsoft, Auth0...). The provider saves a cookie with that state (from something like accounts.google.com) and usually reads it back from the first-party context.

If SameSite is not set to None, supporting browsers are not allowed to write cookies on the auth domain from the first-party context, and so the first-party scripts don't think it ever happened, even though it did. First-party scripts can't read it, and so SSO failed.