CarolLai-5934 asked LokiMutua-5762 commented

How to mark the cookie from AAD B2C to be secure?

Our app service uses a custom policy to log in through AAD B2C and receive the authentication from it. Since it's a cross-site cookie, we need to mark it SameSite=None with the Secure attribute.

I read that AAD B2C supports this attribute based on the following document.
https://docs.microsoft.com/en-us/azure/active-directory-b2c/cookie-definitions

How to configure this cookie from AAD B2C with the secure attribute?

azure-ad-b2c

@CarolLai-5934, thank you for reaching out to us. Here is Handle SameSite cookie changes in Chrome browser and here are some samples to help you. Let me know if this works for you.



I followed this link you provided to modify my startup.cs.
https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/pull/261


The cookie from AAD B2C still doesn't have the Secure flag set.


@CarolLai-5934, thanks for this information. Please have a look at Enable authentication in your own web app by using Azure AD B2C and replace the ConfigureServices(IServiceCollection services) function with the following code snippet:

 public void ConfigureServices(IServiceCollection services)
 {
     services.Configure<CookiePolicyOptions>(options =>
     {
         // This lambda determines whether user consent for non-essential cookies is needed for a given request.
         options.CheckConsentNeeded = context => true;
         options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
         // Handling SameSite cookie according to https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1
         options.HandleSameSiteCookieCompatibility();
     });

     // Configuration to sign-in users with Azure AD B2C
     services.AddMicrosoftIdentityWebAppAuthentication(Configuration, "AzureAdB2C");

     services.AddControllersWithViews()
         .AddMicrosoftIdentityUI();

     services.AddRazorPages();

     // Configuring appsettings section AzureAdB2C, into IOptions
     services.AddOptions();
     services.Configure<OpenIdConnectOptions>(Configuration.GetSection("AzureAdB2C"));
 }

Replace the Configure function with the following code snippet:

     // Applies the CookiePolicyOptions configured in ConfigureServices to every response
     app.UseCookiePolicy();

Let me know if you have any follow-up questions.


1 Answer

LokiMutua-5762 answered LokiMutua-5762 commented

@CarolLai-5934

Could you add this snippet in your startup.cs file under cookie options configuration and let me know if this fixes the issue.

options.Secure = CookieSecurePolicy.Always;


Here are the code snippets I have tried. None of them adds the Secure attribute to the cookie from AAD B2C.

options.MinimumSameSitePolicy = SameSiteMode.None;
options.HandleSameSiteCookieCompatibility();
options.Secure = CookieSecurePolicy.Always;

options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
options.HandleSameSiteCookieCompatibility();
options.Secure = CookieSecurePolicy.Always;

options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
options.HandleSameSiteCookieCompatibility();

@CarolLai-5934

All Azure AD B2C cookies are carrying the SameSite, Secure, HttpOnly flags.

These flags mean that the cookies from B2C are only available to the browser when sent over a secure SSL channel / HTTPS (Secure), are only available to the browser but not to JavaScript / client code (HttpOnly), and are allowed by modern browsers (SameSite=None) as valid third-party cookies.

So, Azure AD B2C as a service is fully compliant with all listed cookie options.

From the B2C side, you cannot add any more cookies. These are service cookies automatically handled by B2C.
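Because the thread turns on which cookies actually carry the flags, here is an added checker (example code, not from the thread or from Microsoft's samples) that parses raw Set-Cookie header values and reports which attributes each cookie lacks, including the case the asker cares about: a cross-site cookie that needs SameSite=None, which browsers only accept together with Secure. The header strings and cookie names below are constructed samples, not values captured from a real tenant or app.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CookieAudit:
    name: str
    secure: bool
    http_only: bool
    same_site: Optional[str]  # "none", "lax", "strict", or None when absent
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one raw Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip().lower() or None
    return CookieAudit(name, "secure" in attrs, "httponly" in attrs, attrs.get("samesite"))


def audit_cookie(header: str, cross_site: bool) -> CookieAudit:
    """Record missing attributes. cross_site=True means the cookie must survive the
    cross-site POST that delivers the B2C sign-in response, so it needs SameSite=None;
    browsers only store a SameSite=None cookie when Secure is also present."""
    c = parse_set_cookie(header)
    if not c.secure:
        c.problems.append("missing Secure")
    if not c.http_only:
        c.problems.append("missing HttpOnly")
    if c.same_site == "none" and not c.secure:
        c.problems.append("SameSite=None without Secure (browser will reject the cookie)")
    if cross_site and c.same_site != "none":
        c.problems.append("cross-site cookie needs SameSite=None")
    return c


# Constructed sample headers for the demo; not captured from a real tenant.
SAMPLE_HEADERS = [
    ".AspNetCore.Correlation.abc=123; path=/; samesite=none; httponly",
    ".AspNetCore.Correlation.def=456; path=/; secure; samesite=none; httponly",
    "session=789; path=/; secure; samesite=lax",
]


def audit_all(headers: List[str], cross_site: bool = True) -> Dict[str, List[str]]:
    """Map each cookie name to its list of problems; an empty list means compliant."""
    return {c.name: c.problems for c in (audit_cookie(h, cross_site) for h in headers)}
```

Feed audit_all the Set-Cookie values from your own app's responses (browser dev tools or curl -i) to see which cookies the app, rather than B2C, is setting without the flags.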