[jira] [Commented] (OFBIZ-11594) Add security.internal.sso.enabled and security.token.key SystemProperties



Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-11594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17084092#comment-17084092 ]

Jacques Le Roux commented on OFBIZ-11594:
-----------------------------------------

Done, but as I suspected, the introduction of "the SameSite attribute set to 'strict' for all cookies" with OFBIZ-11470 prevents the internal Single Sign On feature. [It's clearly explained here|https://web.dev/samesite-cookies-explained/].

So SameSite attribute set to 'none' is necessary for the internal SSO to work (['lax' is not enough|https://github.com/whatwg/fetch/issues/769]). So if someone wants to use the internal SSO feature s/he needs to also use the CSRF token defense, if s/he wants to be safe from CSRF attacks. Unfortunately, due to backporting difficulties, this option is currently only available in trunk.

An alternative would be to use the Fetch Javascript API with the {{credentials: "include"}} option [to enable CORS|https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API#Differences_from_jQuery]. [Here is an example|https://javascript.info/fetch-crossorigin#credentials]

For those interested here is more information about [the Fetch standard|https://fetch.spec.whatwg.org/#http-cors-protocol] and a good comparison with what we currently use in https://stackoverflow.com/questions/57518225/sec-fetch-mode-instead-of-preflight

Also more for information the [Sec-Fetch-Site header seems interesting|https://www.w3.org/TR/fetch-metadata/#sec-fetch-site-header]
https://www.chromestatus.com/feature/5155867204780032

And while at it the [Cross-Origin Resource Policy (CORP)|https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP)] is also interesting

And last but not least, I guess you know that since [2020-04-08 Chrome defaults cookies to SameSite=Lax|https://www.chromestatus.com/feature/5088147346030592]

> Add security.internal.sso.enabled and security.token.key SystemProperties
> -------------------------------------------------------------------------
>
>                 Key: OFBIZ-11594
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11594
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: example, framework
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Trivial
>
> This comes handy when testing, from examples component, the internal Single Sign On feature which allows a token based login between OFBiz instances



--
This message was sent by Atlassian Jira
(v8.3.4#803005)