{"id":4061,"date":"2020-01-29T11:19:31","date_gmt":"2020-01-29T18:19:31","guid":{"rendered":"https:\/\/developer.microsoft.com\/en-us\/office\/blogs\/?p=4061"},"modified":"2020-01-29T11:19:31","modified_gmt":"2020-01-29T18:19:31","slug":"impact-on-authentication-from-samesite-changes-in-chrome","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/impact-on-authentication-from-samesite-changes-in-chrome\/","title":{"rendered":"Impact on Authentication from SameSite\u00a0changes in\u00a0Chrome\u00a0"},"content":{"rendered":"<p><span data-contrast=\"auto\">Following<\/span><span data-contrast=\"auto\">\u00a0the\u00a0<\/span><span data-contrast=\"auto\">recent\u00a0<\/span><a href=\"https:\/\/tools.ietf.org\/html\/draft-west-cookie-incrementalism-00\"><span data-contrast=\"none\">updates<\/span><span data-contrast=\"none\">\u00a0<\/span><span data-contrast=\"none\">to the\u00a0<\/span><span data-contrast=\"none\">SameSite<\/span><\/a><span data-contrast=\"auto\"> standards for <\/span><span data-contrast=\"auto\">cookies<\/span><span data-contrast=\"auto\">, <a href=\"https:\/\/nam06.safelinks.protection.outlook.com\/?url=https%3A%2F%2Fwww.chromium.org%2Fupdates%2Fsame-site&amp;data=02%7C01%7CLin.Jimmy%40microsoft.com%7C4caa3a0855c0427e1b9b08d7a4e98597%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637159195189810541&amp;sdata=LTMutX67QSedcefxJWDDIQl%2Fi66Fugl%2BERbDV%2F5pPqE%3D&amp;reserved=0\">Chrome is implementing changes<\/a> to the default behavior of SameSite in version 80 of the browser (releasing February 17<sup>th<\/sup>)<\/span><span data-contrast=\"auto\">. 
T<\/span><span data-contrast=\"auto\">hese changes <\/span><span data-contrast=\"auto\">provide<\/span> <span data-contrast=\"auto\">protection\u00a0<\/span><span data-contrast=\"auto\">for web applications <\/span><span data-contrast=\"auto\">against Cross-Site Request Forgery<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">(CSRF)<\/span><span data-contrast=\"auto\"> by restricting cookies from being sent on\u00a0<\/span><span data-contrast=\"auto\">requests from other sites<\/span><span data-contrast=\"auto\">.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Web applications<\/span><span data-contrast=\"auto\">\u00a0using the\u00a0<\/span><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/v2-protocols-oidc\"><span data-contrast=\"none\">OpenID Connect<\/span><\/a> form_post flow (updated link to auth code flow which actually uses form_post) for authentication\u00a0rely on cross-domain cookies for security, and these flows are likely to fail on the new version of Chrome.\u00a0Web application developers are advised to test and update their application\u00a0code to handle the SameSite property\u00a0for Chrome and other browsers.<\/p>\n<p><span data-contrast=\"auto\">You can find\u00a0<\/span><span data-contrast=\"auto\">detailed<\/span><span data-contrast=\"auto\">\u00a0information\u00a0<\/span><span data-contrast=\"auto\">on<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">the impact of\u00a0<\/span><span data-contrast=\"auto\">SameSite<\/span><span data-contrast=\"auto\">\u00a0changes<\/span><span data-contrast=\"auto\">\u00a0on authentication<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">as well as\u00a0<\/span><span data-contrast=\"auto\">the mitigations and\u00a0<\/span><span data-contrast=\"auto\">code\u00a0<\/span><span 
data-contrast=\"auto\">samples to handle this issue on different web platforms in<\/span><span data-contrast=\"auto\"> the article:<\/span><span data-contrast=\"auto\">\u00a0<\/span><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/howto-handle-samesite-cookie-changes-chrome-browser?tabs=python\"><span data-contrast=\"none\">Handle\u00a0<\/span><span data-contrast=\"none\">SameSite<\/span><span data-contrast=\"none\">\u00a0cookie changes in Chrome browser<\/span><\/a><span data-contrast=\"auto\">.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">As always,\u00a0<\/span><span data-contrast=\"auto\">please reach out to us<\/span><span data-contrast=\"auto\">\u00a0for support<\/span><span data-contrast=\"auto\">\u00a0through GitHub and\u00a0<\/span><a href=\"https:\/\/stackoverflow.com\/questions\/tagged\/azure-active-directory\"><span data-contrast=\"none\">Stack Overflow<\/span><\/a><span data-contrast=\"auto\">.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">-\u202fThe\u202fMicrosoft identity platform\u202fteam<\/span><span data-contrast=\"none\">\u202f<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Following\u00a0the\u00a0recent\u00a0updates\u00a0to the\u00a0standards\u00a0of\u00a0SameSite\u00a0property in HTTP\u00a0cookies,\u00a0Chrome has announced\u00a0changes\u00a0to the default behavior of\u00a0SameSite\u00a0in\u00a0an upcoming release\u00a0of the browser\u00a0in February.\u00a0Web application developers are recommended to\u00a0update their application\u00a0code to 
handle different\u00a0SameSite\u00a0properties\u00a0on Chrome and other browsers.\u00a0<\/p>\n","protected":false},"author":69081,"featured_media":25159,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[22],"class_list":["post-4061","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-identity-platform","tag-azure-ad"],"acf":[],"blog_post_summary":"<p>Following\u00a0the\u00a0recent\u00a0updates\u00a0to the\u00a0standards\u00a0of\u00a0SameSite\u00a0property in HTTP\u00a0cookies,\u00a0Chrome has announced\u00a0changes\u00a0to the default behavior of\u00a0SameSite\u00a0in\u00a0an upcoming release\u00a0of the browser\u00a0in February.\u00a0Web application developers are recommended to\u00a0update their application\u00a0code to handle different\u00a0SameSite\u00a0properties\u00a0on Chrome and other browsers.\u00a0<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts\/4061","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/users\/69081"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/comments?post=4061"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts\/4061\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/media\/25159"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/media?parent=4061"}],"wp:term":[{"taxonomy":"category
","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/categories?post=4061"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/tags?post=4061"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}