fix: set sameSite=lax on cookies (#319)

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## 2.12.1
+
+### Bug Fixes
+
+- [#319](https://github.com/okta/okta-auth-js/pull/319) - Setting 'SameSite=lax' for all cookies (Fix for Firefox/Safari)
+
 ## 2.12.0
 
 ### Features

packages/okta-auth-js/lib/browser/browserStorage.js

@@ -70,7 +70,7 @@ storageUtil.getSessionStorage = function() {
 storageUtil.getCookieStorage = function(options) {
   options = options || {};
   var secure = options.secure; // currently opt-in
-  var sameSite = options.sameSite || 'strict'; // token storage should only be accessed by javascript
+  var sameSite = options.sameSite || 'lax';
   return {
     getItem: storageUtil.storage.get,
     setItem: function(key, value) {

packages/okta-auth-js/lib/token.js

@@ -644,17 +644,17 @@ function getWithRedirect(sdk, oauthOptions, options) {
         urls: urls,
         ignoreSignature: oauthParams.ignoreSignature
       }), null, {
-        sameSite: 'strict' // accessed by javascript in parseFromUrl()
+        sameSite: 'lax'
       });
 
       // Set nonce cookie for servers to validate nonce in id_token
       cookies.set(constants.REDIRECT_NONCE_COOKIE_NAME, oauthParams.nonce, null, {
-        sameSite: 'lax' // accessed by server from redirect
+        sameSite: 'lax'
       });
 
       // Set state cookie for servers to validate state
       cookies.set(constants.REDIRECT_STATE_COOKIE_NAME, oauthParams.state, null, {
-        sameSite: 'lax' // accessed by server from redirect
+        sameSite: 'lax'
       });
 
       sdk.token.getWithRedirect._setLocation(requestUrl);

packages/okta-auth-js/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@okta/okta-auth-js",
   "description": "The Okta Auth SDK",
-  "version": "2.12.0",
+  "version": "2.12.1",
   "homepage": "https://github.com/okta/okta-auth-js",
   "license": "Apache-2.0",
   "main": "lib/server/serverIndex.js",

packages/okta-auth-js/test/spec/oauthUtil.js

@@ -252,7 +252,7 @@ describe('getWellKnown', function() {
         }),
         '2200-01-01T00:00:00.000Z',
         {
-          sameSite: 'strict'
+          sameSite: 'lax'
         }
       );
     }

packages/okta-auth-js/test/spec/token.js

@@ -1237,7 +1237,7 @@ describe('token.getWithRedirect', function() {
             ignoreSignature: false
           }),
           null, {
-            sameSite: 'strict'
+            sameSite: 'lax'
           }
         ],
         nonceCookie,
@@ -1278,7 +1278,7 @@ describe('token.getWithRedirect', function() {
             ignoreSignature: false
           }),
           null, {
-            sameSite: 'strict'
+            sameSite: 'lax'
           }
         ],
         nonceCookie,
@@ -1323,7 +1323,7 @@ describe('token.getWithRedirect', function() {
             ignoreSignature: false
           }),
           null, {
-            sameSite: 'strict'
+            sameSite: 'lax'
           }
         ],
         nonceCookie,
@@ -1361,7 +1361,7 @@ describe('token.getWithRedirect', function() {
             ignoreSignature: false
           }),
           null, {
-            sameSite: 'strict'
+            sameSite: 'lax'
           }
         ],
         nonceCookie,
@@ -1404,7 +1404,7 @@ describe('token.getWithRedirect', function() {
             ignoreSignature: false
           }),
           null, {
-            sameSite: 'strict'
+            sameSite: 'lax'
           }
         ],
         nonceCookie,
@@ -1441,7 +1441,7 @@ describe('token.getWithRedirect', function() {
             ignoreSignature: false
           }),
           null, {
-            sameSite: 'strict'
+            sameSite: 'lax'
           }
         ],
         nonceCookie,
@@ -1483,7 +1483,7 @@ describe('token.getWithRedirect', function() {
             ignoreSignature: false
           }),
           null, {
-            sameSite: 'strict'
+            sameSite: 'lax'
           }
         ],
         nonceCookie,
@@ -1520,7 +1520,7 @@ describe('token.getWithRedirect', function() {
             ignoreSignature: false
           }),
           null, {
-            sameSite: 'strict'
+            sameSite: 'lax'
           }
         ],
         nonceCookie,
@@ -1561,7 +1561,7 @@ describe('token.getWithRedirect', function() {
             ignoreSignature: false
           }),
           null, {
-            sameSite: 'strict'
+            sameSite: 'lax'
           }
         ],
         nonceCookie,
@@ -1604,7 +1604,7 @@ describe('token.getWithRedirect', function() {
             ignoreSignature: false
           }),
 null, {
-            sameSite: 'strict'
+            sameSite: 'lax'
           }
         ],
         nonceCookie,
@@ -1649,7 +1649,7 @@ null, {
             ignoreSignature: false
           }),
           null, {
-            sameSite: 'strict'
+            sameSite: 'lax'
           }
         ],
         nonceCookie,
@@ -1687,7 +1687,7 @@ null, {
             ignoreSignature: false
           }),
           null, {
-            sameSite: 'strict'
+            sameSite: 'lax'
           }
         ],
         nonceCookie,
@@ -1729,7 +1729,7 @@ null, {
           ignoreSignature: false
         }),
         null, {
-          sameSite: 'strict'
+          sameSite: 'lax'
         }
       ],
       nonceCookie,
@@ -1769,7 +1769,7 @@ null, {
             ignoreSignature: false
           }),
           null, {
-            sameSite: 'strict'
+            sameSite: 'lax'
           }
         ],
         nonceCookie,
@@ -1805,7 +1805,7 @@ null, {
             ignoreSignature: false
           }),
           null, {
-            sameSite: 'strict'
+            sameSite: 'lax'
           }
         ],
         nonceCookie,
@@ -1841,7 +1841,7 @@ null, {
             ignoreSignature: false
           }),
           null, {
-            sameSite: 'strict'
+            sameSite: 'lax'
           }
         ],
         nonceCookie,
@@ -1877,7 +1877,7 @@ null, {
             ignoreSignature: false
           }),
 null, {
-            sameSite: 'strict'
+            sameSite: 'lax'
           }
         ],
         nonceCookie,

packages/okta-auth-js/test/spec/tokenManager.js

@@ -198,7 +198,7 @@ describe('TokenManager', function() {
         'okta-token-storage',
         JSON.stringify({'test-idToken': tokens.standardIdTokenParsed}),
         '2200-01-01T00:00:00.000Z', {
-          sameSite: 'strict'
+          sameSite: 'lax'
         }
       );
     });
@@ -221,7 +221,7 @@ describe('TokenManager', function() {
         'okta-token-storage',
         JSON.stringify({'test-idToken': tokens.standardIdTokenParsed}),
         '2200-01-01T00:00:00.000Z', {
-          sameSite: 'strict'
+          sameSite: 'lax'
         }
       );
     });
@@ -1242,7 +1242,7 @@ describe('TokenManager', function() {
           'okta-token-storage',
           JSON.stringify({'test-idToken': tokens.standardIdTokenParsed}),
           '2200-01-01T00:00:00.000Z', {
-            sameSite: 'strict'
+            sameSite: 'lax'
           }
         );
       });
@@ -1256,7 +1256,7 @@ describe('TokenManager', function() {
           JSON.stringify({'test-idToken': tokens.standardIdTokenParsed}),
           '2200-01-01T00:00:00.000Z', {
             secure: true,
-            sameSite: 'strict'
+            sameSite: 'lax'
           }
         );
       });
@@ -1295,7 +1295,7 @@ describe('TokenManager', function() {
           'okta-token-storage',
           JSON.stringify({anotherKey: tokens.standardIdTokenParsed}),
           '2200-01-01T00:00:00.000Z', {
-            sameSite: 'strict'
+            sameSite: 'lax'
           }
         );
       });
@@ -1312,7 +1312,7 @@ describe('TokenManager', function() {
           'okta-token-storage',
           '{}',
           '2200-01-01T00:00:00.000Z', {
-            sameSite: 'strict'
+            sameSite: 'lax'
           }
         );
       });