从站点A向站点B发布表单时，POST请求是否包括站点B的cookie？

Question

It's basically an OAuth2/OIDC (IdentityServer4) problem happening when the user's browser loads Identity Service (Site A) page that FORM POSTs authorization code and id_token back to the relying party site (Site B).

The relying party site (Site B) receives the FORM POST request but it doesn't have the cookies of Site B it previously placed on the user's browser, which makes the verification process failing.

I have tried to set ALLOW-CROSS-ORIGIN-ACCESS header but it didn't seem to help with the FORM POST scenario (not ajax call).

In the common application of OAuth2/OIDC integration, should I not expect cookies being posted back to the relying part site (Site B) along with the authorization code & id_token ? Or more commonly describing it, when FORM POSTing from Site A to Site B, should I not expect any cookies of Site B will be part of the request to Site B?

Answer 1

That's not CORS, that's another issue, most likely related to Same Site Cookie Policy. And that's very browser specific.

When your Site B is ASP.NET core you can either set:

services.ConfigureApplicationCookie(opts=>{opts.Cookie.SameSite = SameSiteMode.None;});
//and
app.UseCookiePolicy(new CookiePolicyOptions{MinimumSameSitePolicy = SameSiteMode.None});

(see longer discussion on ASP.NET Core github )

or use more intelligent and secure trick with switching other site to same site POST, offered by Identity Server author.