[英]When posting a form from Site A to Site B, does the POST request include Site B's cookie?
It's basically an OAuth2/OIDC (IdentityServer4) problem happening when the user's browser loads Identity Service (Site A) page that FORM POSTs authorization code
and id_token
back to the relying party site (Site B). 从根本上讲,这是一个OAuth2 / OIDC(IdentityServer4)问题,当用户的浏览器将身份验证服务(站点A)页面加载到FORM POST
authorization code
和id_token
回到依赖方站点(站点B)时发生。
The relying party site (Site B) receives the FORM POST request but it doesn't have the cookies of Site B it previously placed on the user's browser, which makes the verification process failing. 依赖方站点(站点B)接收到FORM POST请求,但之前没有在用户浏览器中放置站点B的cookie,这使验证过程失败。
I have tried to set ALLOW-CROSS-ORIGIN-ACCESS header but it didn't seem to help with the FORM POST scenario (not ajax call). 我试图设置ALLOW-CROSS-ORIGIN-ACCESS标头,但它似乎对FORM POST场景(不是ajax调用)没有帮助。
In the common application of OAuth2/OIDC integration, should I not expect cookies being posted back to the relying part site (Site B) along with the authorization code
& id_token
? 在OAuth2 / OIDC集成的通用应用程序中,我不应该期望将cookie与
authorization code
和id_token
一起发送回依赖部件站点(站点B)吗? Or more commonly describing it, when FORM POSTing from Site A to Site B, should I not expect any cookies of Site B will be part of the request to Site B? 或更笼统地描述它,当从站点A到站点B的表单发布时,我是否应该指望站点B的任何cookie都不属于站点B的请求?
That's not CORS, that's another issue, most likely related to Same Site Cookie Policy. 那不是CORS,那是另一个问题,最有可能与Same Site Cookie政策有关。 And that's very browser specific.
那是特定于浏览器的。
When your Site B is ASP.NET core you can either set: 当您的站点B是ASP.NET核心时,您可以设置:
services.ConfigureApplicationCookie(opts=>{opts.Cookie.SameSite = SameSiteMode.None;});
//and
app.UseCookiePolicy(new CookiePolicyOptions{MinimumSameSitePolicy = SameSiteMode.None});
(see longer discussion on ASP.NET Core github ) (请参阅有关ASP.NET Core github的详细讨论)
or use more intelligent and secure trick with switching other site to same site POST, offered by Identity Server author. 或通过将其他站点切换到Identity Server作者提供的同一站点 POST来使用更智能,更安全的技巧 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.