References
https://blog.chromium.org/2020/02/samesite-cookie-changes-in-february.html
https://www.zdnet.com/article/apple-blocks-third-party-cookies-in-safari/
Upcoming SameSite Cookie Changes in ASP.NET and ASP.NET Core - https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/
https://docs.microsoft.com/en-gb/dotnet/core/compatibility/3.0-3.1
Background
Starting with v80, Google Chrome and Chromium introduce a breaking change in how SameSite cookies are handled: cookies without an explicit SameSite attribute are treated as SameSite=Lax, and SameSite=None is only honoured together with the Secure attribute. The OpenID Connect protocol needs SameSite=None, because the sign-in flow carries the browser across sites and the cookies must still be sent on those cross-site requests (and thereby so do IdentityServer4 and Authority). This change in behavior has been announced for quite some time and is considered important since it improves security and privacy.
It is expected that other browsers will also follow and make this mandatory. It might be that Safari on iOS has already been changed, but we haven't had time to verify this yet.
Official solution - configure HTTPS
We've verified that Authority v2.0.4 is compliant with the SameSite changes outlined above.
However, since SameSite=None also requires a secure protocol (the cookie must carry the Secure attribute), Authority has to be configured with HTTPS when communicating with the browser in order to be compliant.
If you are using Ayfie Supervisor, configuring it to use HTTPS requires additional steps, as outlined in ayfie SSL and HTTPS Configuration.
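As an added example (not part of this article or of Ayfie's own code), the following Python applies the Chrome v80 rules to Set-Cookie headers, so an operator can check whether the cookies a login endpoint issues will actually survive the cross-site redirects of the OpenID Connect flow. The cookie names and values are constructed for illustration.

```python
# Chrome v80 rules applied to one Set-Cookie header value:
#   - no SameSite attribute          -> treated as SameSite=Lax (not sent on cross-site requests)
#   - SameSite=None without Secure   -> cookie is rejected outright
#   - SameSite=None; Secure          -> accepted and sent cross-site (what OIDC / Authority needs)
#   - SameSite=Lax or Strict         -> explicitly restricted to same-site use

def parse_set_cookie(header: str):
    """Return (cookie_name, attributes) for one Set-Cookie header value.
    Attribute names are lower-cased; flag attributes such as Secure map to True."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else True
    return name, attrs

def chrome80_status(header: str) -> str:
    """Classify a Set-Cookie header as 'ok', 'rejected', 'lax-by-default' or 'restricted'."""
    _, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite")
    secure = attrs.get("secure", False) is True
    if not isinstance(samesite, str):
        return "lax-by-default"          # missing attribute: Chrome 80 defaults to Lax
    samesite = samesite.lower()
    if samesite == "none":
        return "ok" if secure else "rejected"   # None is only honoured with Secure
    if samesite in ("lax", "strict"):
        return "restricted"
    return "lax-by-default"              # unrecognised value is treated as unspecified

def audit_cross_site_cookies(headers):
    """Return {cookie_name: status} for every cookie that will NOT work cross-site in Chrome 80."""
    result = {}
    for h in headers:
        status = chrome80_status(h)
        if status != "ok":
            result[parse_set_cookie(h)[0]] = status
    return result

# Constructed sample of what an HTTP login response might set (not captured from a real system).
SAMPLE_HEADERS = [
    "idsrv=abc123; path=/; secure; samesite=none; httponly",
    "idsrv.session=xyz; path=/; samesite=none; httponly",
    ".AspNetCore.Antiforgery.x=tok; path=/; httponly",
    ".AspNetCore.Correlation.oidc=c1; path=/signin-oidc; secure; samesite=lax; httponly",
]

if __name__ == "__main__":
    for name, status in audit_cross_site_cookies(SAMPLE_HEADERS).items():
        print(f"{name}: {status}")
```

Run it against the Set-Cookie headers captured from your own HTTPS login response; any cookie reported as rejected or lax-by-default is one that Chrome v80 will not send on the cross-site return to Authority.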
Tested with Supervisor and Authority
When enabling HTTPS in both Authority and Supervisor, we’ve tested that logon works with Chrome v80.
Workaround
It is possible to change a Chrome v80 browser setting so that SameSite=None cookies are accepted without a secure protocol.
This defeats the purpose of the change, and it only affects the individual browser where the flag is set, but it might temporarily mitigate the situation until HTTPS is enabled across the line.
Steps
1. In the address bar, enter chrome://flags/.
2. Search for the flag "Cookies without SameSite must be secure".
3. Change the flag from Default to Disabled.
4. Restart the browser.
Then it works!