Any workarounds for Safari ITP issue with transaction cookie when using express-openid-connect?

We have faced an issue which seems to be related to Safari’s Intelligent Tracking Protection functionality when using the express-openid-connect library.

Safari may drop the transaction cookie auth_verification when the browser is redirected back to the client backend callback route in the authorization code flow. The redirect from the OIDC provider back to the site is considered a “cross-site” redirect, and Safari in some occasions may decide to omit the otherwise valid 1st-party auth_verification cookie.

This results in a "BadRequestError: checks.state argument is missing" error.

Is there any workaround for this when using express-openid-connect?

It seems that implementing a custom session store (e.g. Redis) would not help, as the transaction cookie is still used. Or have we understood this incorrectly?

Notes:

Our login page and the site share the same top-level domain e.g. https://site.company.com redirects to https://login.company.com.

We are using response_type: code and response_mode: query at site using express-openid-connect.

Hi @mhautala!

I recommend reviewing our doc Troubleshoot Renew Tokens When Using Safari! There’s a section for workarounds you can take a look at :slight_smile:

Additionally, please see this Community article discussing this Safari ITP issue: Using Auth0 in Safari with ITP Enabled

Please let me know if you have any additional questions after reviewing those links!

Best,

Mary Beth

We are not using iframes or any kind of silent authentication. The issue happens in the callback (step 5.) of the normal redirect-based authorization code flow, where Safari drops the transaction cookie which the express-openid-connect library sets and needs in the callback handling:

These ITP debug tips should be helpful though:


This was a combination of configuration and user error :man_facepalming:

Our site was not redirecting http → https and the user did not notice this (until now).

So the authorization code flow being tested was:

http://site.company.com
  -> https://login.company.com 
    -> https://site.company.com/callback 

and hence the auth_verification cookie was being dropped.
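One way to close the gap found above (the transaction cookie issued on an http origin, the callback landing on https), as an added example that is not part of this thread or of the express-openid-connect project: an Express-style middleware that forces HTTPS before auth() runs, rebuilding the redirect target from the configured baseURL rather than from the Host header. The config values, the trustProxy handling and the request shapes are assumptions; the thread itself only states response_type=code and response_mode=query.

```javascript
// Added example, not code from the thread or from express-openid-connect.
// Goal: make sure the transaction cookie (auth_verification) is set on the
// same https origin the provider redirects back to, by forcing HTTPS before
// auth() ever runs. Config values are placeholders / assumptions.
const oidcConfig = {
  baseURL: 'https://site.company.com',        // must match the callback origin
  issuerBaseURL: 'https://login.company.com',
  clientID: 'REPLACE_WITH_CLIENT_ID',         // placeholder
  secret: 'REPLACE_WITH_LONG_RANDOM_SECRET',  // placeholder
  authRequired: false,
  authorizationParams: { response_type: 'code', response_mode: 'query' },
};

// Returns the https URL to redirect to, or null if the request is already https.
// X-Forwarded-Proto is honoured only when trustProxy is true (assumes a
// TLS-terminating proxy in front of the app, i.e. app.set('trust proxy', 1)).
function httpsRedirectTarget(req, baseURL, trustProxy) {
  let proto = req.protocol;
  if (trustProxy) {
    const fwd = String(req.headers['x-forwarded-proto'] || '')
      .split(',')[0].trim().toLowerCase();
    if (fwd) proto = fwd;
  }
  if (proto === 'https') return null;
  // Rebuild the target from the configured baseURL, never from the Host header,
  // and collapse a leading "//" so a request-target like //evil.example/x
  // cannot turn this redirect into an open redirect.
  const path = String(req.originalUrl || req.url || '/').replace(/^\/+/, '/');
  return new URL(baseURL).origin + path;
}

// Express-style middleware factory; mount it before auth(oidcConfig).
function enforceHttps(baseURL, trustProxy = false) {
  return (req, res, next) => {
    const target = httpsRedirectTarget(req, baseURL, trustProxy);
    if (target === null) return next();
    res.redirect(308, target); // 308 preserves method and body
  };
}

// Wiring (shown as comments so this file runs without express installed):
//   const express = require('express');
//   const { auth } = require('express-openid-connect');
//   const app = express();
//   app.set('trust proxy', 1);
//   app.use(enforceHttps(oidcConfig.baseURL, true));
//   app.use(auth(oidcConfig));
```

With this in place a visit to http://site.company.com is bounced to https before the transaction cookie is ever set, so the callback on https://site.company.com/callback sees the same origin that issued it.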

@mhautala,

Nice find! I’ve marked this as the solution to share with the rest of the Community!

Have a great week!

Thanks,

Mary Beth
