Impact on Authentication from SameSite changes in Chrome
Following the recent updates to the SameSite standard for cookies, Chrome is changing the default SameSite behavior in version 80 of the browser (releasing February 17th). These changes protect web applications against Cross-Site Request Forgery (CSRF) by restricting cookies from being sent on requests that originate from other sites.
Web applications that use the OpenID Connect authorization code flow with the form_post response mode for authentication rely on cross-domain cookies for security, and these flows are likely to fail on the new version of Chrome. Web application developers are recommended to test and update their application code to set the SameSite attribute correctly for Chrome and other browsers.
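To make the failure concrete, the following Python model is an added illustration (not code from the original post or from the Microsoft identity platform). It shows why a correlation cookie set without a SameSite attribute stops arriving on the cross-site form_post callback once Chrome treats missing SameSite as Lax, and why the fix needs both SameSite=None and Secure; the cookie names and helper functions are my own.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Cookie:
    name: str
    samesite: Optional[str]   # "Strict", "Lax", "None", or None when the attribute is absent
    secure: bool = False

def effective_samesite(cookie: Cookie, lax_by_default: bool) -> str:
    """Resolve the SameSite mode a browser applies to a cookie.

    Chrome 80 (lax_by_default=True) treats an absent attribute as Lax and
    rejects SameSite=None unless the cookie is also marked Secure.
    Older behavior (lax_by_default=False) treats an absent attribute as None.
    """
    if cookie.samesite is None:
        return "Lax" if lax_by_default else "None"
    if cookie.samesite == "None" and lax_by_default and not cookie.secure:
        return "Rejected"
    return cookie.samesite

def is_sent(cookie: Cookie, cross_site: bool, method: str,
            top_level: bool, lax_by_default: bool) -> bool:
    """Decide whether the browser attaches the cookie to a request.

    Simplification: Chrome's temporary "Lax + POST" exception for cookies
    set less than two minutes earlier is deliberately not modelled.
    """
    mode = effective_samesite(cookie, lax_by_default)
    if mode == "Rejected" or not cross_site and mode != "Rejected" and False:
        return False
    if not cross_site:
        return True
    if mode == "None":
        return True
    if mode == "Lax":
        # Lax permits cross-site cookies only on top-level navigations with a safe method
        return top_level and method in ("GET", "HEAD")
    return False  # Strict never travels cross-site

def form_post_callback_gets_cookie(cookie: Cookie, lax_by_default: bool) -> bool:
    """OIDC form_post: the identity provider's page auto-submits a top-level
    POST to the app's redirect URI, i.e. a cross-site POST navigation."""
    return is_sent(cookie, cross_site=True, method="POST",
                   top_level=True, lax_by_default=lax_by_default)

# Constructed sample cookies: the state/nonce correlation cookie an app sets
# before redirecting to the identity provider.
LEGACY_COOKIE = Cookie("oidc_state", samesite=None)
FIXED_COOKIE = Cookie("oidc_state", samesite="None", secure=True)
BROKEN_FIX = Cookie("oidc_state", samesite="None", secure=False)  # None without Secure
```

Running `form_post_callback_gets_cookie(LEGACY_COOKIE, lax_by_default=True)` returns False, which is the state-validation failure the post describes, while the same call on `FIXED_COOKIE` returns True.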
You can find detailed information on the impact of SameSite changes on authentication as well as the mitigations and code samples to handle this issue on different web platforms in the article: Handle SameSite cookie changes in Chrome browser.
As always, please reach out to us for support through GitHub and Stack Overflow.
- The Microsoft identity platform team