[ 
https://issues.apache.org/jira/browse/OFBIZ-11594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17084092#comment-17084092
 ] 

Jacques Le Roux commented on OFBIZ-11594:
-----------------------------------------

Done, but as I suspected, the introduction of "the SameSite attribute set to 
'strict' for all cookies" with OFBIZ-11470 prevents the internal Single Sign On 
feature. [It's clearly explained 
here|https://web.dev/samesite-cookies-explained/].

So the SameSite attribute set to 'none' is necessary for the internal SSO to work 
(['lax' is not enough|https://github.com/whatwg/fetch/issues/769]). So if 
someone wants to use the internal SSO feature s/he needs to also use the 
CSRF token defense, if s/he wants to be safe from CSRF attacks. Unfortunately, 
due to backporting difficulties, this option is currently only available in trunk.

An alternative would be to use the Fetch JavaScript API with the {{credentials: 
"include"}} option [to enable 
CORS|https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API#Differences_from_jQuery].
[Here is an example|https://javascript.info/fetch-crossorigin#credentials]

For those interested here is more information about [the Fetch 
standard|https://fetch.spec.whatwg.org/#http-cors-protocol] and a good 
comparison with what we currently use in 
https://stackoverflow.com/questions/57518225/sec-fetch-mode-instead-of-preflight

Also, for more information, the [Sec-Fetch-Site header seems 
interesting|https://www.w3.org/TR/fetch-metadata/#sec-fetch-site-header]
https://www.chromestatus.com/feature/5155867204780032

And while at it, the [Cross-Origin Resource Policy 
(CORP)|https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP)] 
is also interesting

And last but not least, I guess you know that since [2020-04-08 Chrome defaults 
cookies to SameSite=Lax|https://www.chromestatus.com/feature/5088147346030592]

> Add security.internal.sso.enabled and security.token.key SystemProperties
> -------------------------------------------------------------------------
>
>                 Key: OFBIZ-11594
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11594
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: example, framework
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Trivial
>
> This comes handy when testing, from examples component, the internal Single 
> Sign On feature which allows a token based login between OFBiz instances



--
This message was sent by Atlassian Jira
(v8.3.4#803005)