Hello Ashley, it is important for the CSRF cookie to only be set and gettable by Ory Hydra itself and not arbitrary third-party JavaScript code. The latter would open the flood gates to all types of attacks, especially since the CSRF cookie itself is not cryptographically authenticated. It is thus not acceptable to change this behaviour. I have no Flutter experience, but found some things on SO which might be helpful:
In general, it is advisable to initiate OAuth2 and OpenID Connect flows in the device's primary browser, and not a webview. I understand that this is not always desirable for first parties. Unfortunately, OAuth2 is inherently a third party protocol and thus using these protocols in first-party environments is often bumpy. See also: https://www.ory.sh/hydra/docs/concepts/before-oauth2
Hi,
We would like to be able to edit the CSRF oauth2_authentication_csrf cookie not to have the HTTPOnly property.
As CSRF attacks are generally much better mitigated via http-header but also complexify CORS configuration, we understand the CSRF validation in cookie chosen by Hydra. However this forces instantiating a full cookie web handling stack for cross-platform frameworks like Flutter in web or not work at all.
Context:
We are integrating flutter-web with Hydra and Kratos to emit our OAuth2 tokens.
However, it seems to be fairly problematic to handle HTTPonly cookies in Flutter-Web.
We have to complexify the implementation for a full browser handler for just that aspect of the cookie management instead of a simple stateful HTTP one where we pick up and resend the cookie.
We are specifically talking about the initial OAuth2 Set-Cookie:
set-cookie: oauth2_authentication_csrf=MTYyOTkxOTQyOXxEdi1CQ==; Path=/; HttpOnly; Secure; SameSite=Strict
Conclusion:
Would it be possible to make a PR to make only the HTTPOnly part configurable? The secure part can be kept but it does force HTTPS use even locally and in dev/stg environments.
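The two posts above turn on the attributes of one Set-Cookie line. The following Go program is an added example, not Ory Hydra's code or anything from the thread's authors: it feeds the exact Set-Cookie header quoted above through the Go standard library's cookie parser (`http.Response.Cookies`), reports which hardening attributes (HttpOnly, Secure, SameSite) a header is missing, and shows a hypothetical handler (`csrfHandler`, an assumption for illustration) emitting the same attributes with `http.SetCookie`. The third audited header, with HttpOnly dropped as the question proposes, is constructed to show what the audit flags.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Set-Cookie header exactly as quoted in the discussion above.
const setCookieFromThread = "oauth2_authentication_csrf=MTYyOTkxOTQyOXxEdi1CQ==; Path=/; HttpOnly; Secure; SameSite=Strict"

// CookieAudit records the hardening attributes found on one Set-Cookie header
// and a list of human-readable problems for any that are missing.
type CookieAudit struct {
	Name     string
	HttpOnly bool
	Secure   bool
	SameSite string // "Strict", "Lax", "None", "Default" or "Unset"
	Problems []string
}

func sameSiteName(s http.SameSite) string {
	switch s {
	case http.SameSiteStrictMode:
		return "Strict"
	case http.SameSiteLaxMode:
		return "Lax"
	case http.SameSiteNoneMode:
		return "None"
	case http.SameSiteDefaultMode:
		return "Default"
	}
	return "Unset"
}

// AuditSetCookie parses a raw Set-Cookie header value with net/http's own
// parser and reports which attributes a CSRF cookie should carry but does not.
func AuditSetCookie(raw string) (CookieAudit, error) {
	resp := &http.Response{Header: http.Header{"Set-Cookie": {raw}}}
	cookies := resp.Cookies()
	if len(cookies) != 1 {
		return CookieAudit{}, fmt.Errorf("expected exactly one cookie, parsed %d", len(cookies))
	}
	c := cookies[0]
	a := CookieAudit{Name: c.Name, HttpOnly: c.HttpOnly, Secure: c.Secure, SameSite: sameSiteName(c.SameSite)}
	if !c.HttpOnly {
		a.Problems = append(a.Problems, "missing HttpOnly: any script running on the origin can read it via document.cookie")
	}
	if !c.Secure {
		a.Problems = append(a.Problems, "missing Secure: the browser may send it over plaintext HTTP")
	}
	if c.SameSite != http.SameSiteStrictMode && c.SameSite != http.SameSiteLaxMode {
		a.Problems = append(a.Problems, "SameSite is not Strict or Lax: the browser attaches it to cross-site requests")
	}
	return a, nil
}

// csrfHandler is a hypothetical handler (not Hydra's) that issues a CSRF
// cookie with the same attributes as the Set-Cookie line quoted in the thread.
func csrfHandler(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{
		Name:     "oauth2_authentication_csrf",
		Value:    "constructed-demo-value", // constructed, not a real CSRF token
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteStrictMode,
	})
	w.WriteHeader(http.StatusNoContent)
}

// IssuedSetCookie drives csrfHandler through httptest and returns the raw
// Set-Cookie header it produced, so it can be audited like a captured one.
func IssuedSetCookie() string {
	rec := httptest.NewRecorder()
	csrfHandler(rec, httptest.NewRequest(http.MethodGet, "/oauth2/auth", nil))
	return rec.Header().Get("Set-Cookie")
}

func main() {
	// Constructed variant: the cookie from the thread with HttpOnly removed.
	withoutHttpOnly := "oauth2_authentication_csrf=MTYyOTkxOTQyOXxEdi1CQ==; Path=/; Secure; SameSite=Strict"
	for _, raw := range []string{setCookieFromThread, IssuedSetCookie(), withoutHttpOnly} {
		a, err := AuditSetCookie(raw)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("%s HttpOnly=%v Secure=%v SameSite=%s\n", a.Name, a.HttpOnly, a.Secure, a.SameSite)
		for _, p := range a.Problems {
			fmt.Println("  problem:", p)
		}
	}
}
```

Running it shows the thread's header and the handler's output passing with no problems, while the variant without HttpOnly is flagged as script-readable; that flagged case is the exposure the reply refers to, since the cookie value carries no signature that would let the server tell a copied cookie from a genuine one.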