@Gunni, could it be that you have a redirect URL configured for your Azure enterprise application?
Yes I believe it is set to https://subdomain.example.com/auth/saml/azure, which I would expect would redirect to https://subdomain.example.com/auth/portal or https://subdomain.example.com/, right?
Describe the issue
When samesite is set to strict, the redirect back is wrong despite authentication being successful.
https://login.microsoftonline.com/kmsi (status 200) redirects me to https://subdomain.example.com/auth/saml/azure (status 303)
https://subdomain.example.com/auth/saml/azure (status 303) redirects me to https://subdomain.example.com/auth/portal (status 302)
https://subdomain.example.com/auth/portal (status 302) redirects me to https://subdomain.example.com/auth/login (status 200) where I end up
If the user then modifies the url to go to https://subdomain.example.com/ or https://subdomain.example.com/auth/whoami he can observe that he is actually authenticated despite the redirect being wrong.
But without samesite strict, e.g. lax, I stop on /auth/portal
Expected behavior
I am using subdomain.example.com, it should just work despite samesite being strict, right?
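The redirect chain in this report is the textbook SameSite=Strict failure: the session cookie is set on the /auth/saml/azure hop, but that navigation was initiated from login.microsoftonline.com, and browsers treat every hop of a redirect chain that began cross-site as cross-site. A Strict cookie is therefore withheld on the /auth/portal hop, the app sees an anonymous user and bounces to /auth/login; a Lax cookie is still sent because the hop is a top-level GET. The model below is an added illustration, not code from this project or from any browser: the hostnames and route names come from the issue, while each route's behaviour, the cookie name `_session`, the value `sess-123`, the assumption that the IdP POSTs the SAML response, and the simplified site (eTLD+1) computation are all assumptions made for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

IDP = "https://login.microsoftonline.com/kmsi"
RP = "https://subdomain.example.com"


def site_of(url):
    """Approximate a URL's 'site' (registrable domain) as its last two host
    labels. Enough for example.com / microsoftonline.com; a real browser
    consults the Public Suffix List."""
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


@dataclass
class Cookie:
    name: str
    value: str
    samesite: str  # "Strict", "Lax" or "None"


def make_app(samesite):
    """Toy relying party exposing the routes named in the issue. How each
    route behaves is an assumption for this model, not the real application."""
    def app(url, cookies):
        # returns (status, redirect_location, cookie_to_set, body)
        path = urlsplit(url).path
        authed = cookies.get("_session") == "sess-123"  # constructed value
        if path == "/auth/saml/azure":
            # assertion consumed: establish the session, bounce to the portal
            return 303, RP + "/auth/portal", Cookie("_session", "sess-123", samesite), ""
        if path == "/auth/portal":
            if authed:
                return 200, None, None, "portal"
            return 302, RP + "/auth/login", None, ""
        if path == "/auth/whoami":
            return 200, None, None, "authenticated" if authed else "anonymous"
        return 200, None, None, "login page"  # /auth/login and anything else
    return app


class Browser:
    """Minimal SameSite model: a request counts as same-site only if the
    navigation's initiator and every earlier URL in the redirect chain share
    the target's site, which is how current browsers evaluate redirect chains."""

    def __init__(self):
        self.jar = {}  # (site, cookie name) -> Cookie

    @staticmethod
    def allowed(cookie, same_site, method):
        if cookie.samesite == "None":
            return True
        if cookie.samesite == "Strict":
            return same_site
        # Lax: sent on same-site requests and on top-level GET navigations
        return same_site or method == "GET"

    def navigate(self, app, url, method="GET", initiator=None):
        """Follow redirects and return (hops, final body). initiator is the
        URL the navigation started from; None means the user typed the URL,
        which browsers treat as same-site."""
        chain = [] if initiator is None else [site_of(initiator)]
        hops = []
        while True:
            site = site_of(url)
            same_site = all(s == site for s in chain)
            cookies = {c.name: c.value for (s, _), c in self.jar.items()
                       if s == site and self.allowed(c, same_site, method)}
            status, location, set_cookie, body = app(url, cookies)
            hops.append((url, status))
            if set_cookie is not None:
                self.jar[(site, set_cookie.name)] = set_cookie
            if location is None:
                return hops, body
            chain.append(site)
            url, method = location, "GET"  # 302/303 are followed with GET


def run(samesite):
    """Replay the issue's flow under one SameSite setting. Returns
    (URL where the login redirect chain ends, whoami reports authenticated?)."""
    app, browser = make_app(samesite), Browser()
    # The IdP hands the user back to the SP; the SAML response is assumed to
    # be POSTed by the IdP's form (the issue only shows the status codes).
    hops, _ = browser.navigate(app, RP + "/auth/saml/azure", method="POST", initiator=IDP)
    final_url = hops[-1][0]
    # The user then types a URL on the site directly, as described in the issue.
    _, body = browser.navigate(app, RP + "/auth/whoami")
    return final_url, body == "authenticated"


if __name__ == "__main__":
    for mode in ("Strict", "Lax"):
        print(mode, run(mode))
```

Running it reproduces both observations: with Strict the chain ends on /auth/login yet a typed visit to /auth/whoami is authenticated, with Lax the chain ends on /auth/portal. Lax keeps CSRF protection for cross-site POSTs while letting the post-login redirect through, which is why it is the usual setting for a session cookie that is first sent on a hop arriving from an external identity provider.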