I have recently stumbled across a bug in the iOS 12 preview which sort of breaks existing sites that make use of the OpenID Connect middleware in ASP.NET Core 2.1.
As iOS is coming closer to release, I decided to install it on my iPad for testing. After trying to access some of our company’s internal sites, I always ended up in an unending redirect loop – basically AAD > site > AAD > site and so on.
After doing some research and borrowing my friend’s MacBook for debugging the browser in iOS, I noticed that the browser was not persisting cookies from our site. After going a bit further, I also tried other sites – Microsoft’s https://admin.teams.microsoft.com, for example – which ended up with the same issue.
After that, I have done some research on the cookie configuration and the result has surfaced – the SameSite policy in the Cookie Authentication middleware! The default configuration in ASP.NET Core 2.1 marks the authentication cookie as SameSite=Lax. Lax tells the browser to withhold the cookie from cross-site requests other than top-level GET navigations, and the OpenID Connect callback from AAD is exactly such a request: with the default response_mode=form_post, AAD returns the user to the site through an auto-submitted cross-site POST, so the cookie is not sent with it and the site challenges again.
The SameSite attribute is a browser-level defence against CSRF: it limits when a cookie is attached to requests that originate from another site. So now that we have the root cause, what can we do about it?
In order for your ASP.NET Core 2.1 application to work with iOS 12, you need to configure CookiePolicyOptions (which otherwise forces its minimum SameSite policy onto every cookie) as well as the Cookie.SameSite setting of the authentication cookie itself:
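The configuration below is an added example, not the snippet from the original post: a minimal ASP.NET Core 2.1 Startup that relaxes both the cookie policy middleware and the authentication cookie so the form_post callback from AAD carries them. Authority and ClientId are placeholders for your own AAD registration.

```csharp
// Added example for ASP.NET Core 2.1 (not the post's original code).
// In 2.1, SameSiteMode.None means "emit no SameSite attribute at all".
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // 1. The cookie policy middleware applies MinimumSameSitePolicy to every
        //    Set-Cookie it sees; its 2.1 default is Lax, which would override whatever
        //    the authentication handlers set. Lower the floor to None.
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.MinimumSameSitePolicy = SameSiteMode.None;
        });

        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie(options =>
        {
            // 2. The authentication cookie itself also defaults to Lax; drop the
            //    attribute so it is sent on the cross-site POST from AAD.
            options.Cookie.SameSite = SameSiteMode.None;
            // Without SameSite the cookie should at least never travel over plain HTTP.
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        })
        .AddOpenIdConnect(options =>
        {
            options.Authority = "https://login.microsoftonline.com/{tenant-id}"; // placeholder
            options.ClientId = "{client-id}";                                     // placeholder
            options.ResponseType = OpenIdConnectResponseType.IdToken;
            options.ResponseMode = OpenIdConnectResponseMode.FormPost;            // the 2.1 default

            // 3. The handler's own correlation and nonce cookies have separate
            //    SameSite settings and must survive the same cross-site POST.
            options.CorrelationCookie.SameSite = SameSiteMode.None;
            options.NonceCookie.SameSite = SameSiteMode.None;
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Cookie policy must run before authentication so the relaxed floor applies
        // to the cookies the authentication handlers write.
        app.UseCookiePolicy();
        app.UseAuthentication();
        app.UseMvc();
    }
}
```

Two caveats. First, removing SameSite from the authentication cookie gives up the CSRF protection Lax provided, so state-changing endpoints should be covered by antiforgery tokens (`[AutoValidateAntiforgeryToken]` or `[ValidateAntiForgeryToken]`) rather than relying on the cookie attribute. Second, the meaning of `SameSiteMode.None` changed in ASP.NET Core 3.1, where it emits an explicit `SameSite=None` (which browsers then require to be paired with `Secure`) and `SameSiteMode.Unspecified` is the value that omits the attribute; the snippet above is 2.1 semantics.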
So far, I haven’t heard back from them yet; however, this issue is still present in iOS 12 Developer Preview 11 as of now. I am going to update this post if new info becomes available.
Alternatively, you can change the OpenID Connect response mode so that AAD returns the response in the query string of a top-level GET instead of in a POST body; a Lax cookie is sent on such a navigation, so the default SameSite policy can stay in place. Like so:
Just beware that with this solution you won’t receive the user’s id_token directly: AAD only returns an authorization code in the query string, so you have to use the authorization code flow and redeem the code for tokens, and if you are using ADAL to redeem the authorization code, you might run into issues.
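The following is an added example, not the post's own snippet, of the alternative route: keep the 2.1 SameSite=Lax defaults and switch the handler to the authorization code flow with response_mode=query, letting the handler redeem the code at the token endpoint itself. Authority, ClientId and ClientSecret are placeholders for your own registration.

```csharp
// Added example for ASP.NET Core 2.1 (not the post's original code).
// The callback becomes GET /signin-oidc?code=...&state=..., a top-level navigation,
// so cookies marked SameSite=Lax are sent with it and nothing needs relaxing.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public static class OidcQueryModeSetup
{
    public static IServiceCollection AddAadWithQueryResponseMode(this IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()   // keeps the 2.1 default of SameSite=Lax on the auth cookie
        .AddOpenIdConnect(options =>
        {
            options.Authority = "https://login.microsoftonline.com/{tenant-id}"; // placeholder
            options.ClientId = "{client-id}";                                     // placeholder
            options.ClientSecret = "{client-secret}";                             // placeholder; needed to redeem the code

            // AAD will not put an id_token in a query string, so ask for a code only
            // and have it delivered via the query string instead of form_post.
            options.ResponseType = OpenIdConnectResponseType.Code;
            options.ResponseMode = OpenIdConnectResponseMode.Query;

            // Must match the redirect URI registered in AAD.
            options.CallbackPath = "/signin-oidc";

            // The handler redeems the code at the token endpoint, validates the id_token
            // it gets back (including the nonce) and can keep the tokens on the ticket.
            options.SaveTokens = true;
        });

        return services;
    }
}
```

If you prefer to redeem the code with ADAL yourself, do it in `OnAuthorizationCodeReceived` and call `context.HandleCodeRedemption(accessToken, idToken)` so the handler does not try to redeem it a second time. Note also that with response_mode=query the authorization code is visible in the URL and therefore in browser history, proxy logs and any Referer leakage from the callback page; the code is single-use and short-lived, but the callback endpoint should redirect immediately and not render content with third-party resources.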