Description
We have set azure as our provider when using bell as the authentication strategy.
After registering the server strategy with `server.auth.strategy` we run our server. Then, on front-end load, we tell the application to navigate to our login (i.e. `/sso`) route, which uses the auth strategy registered above.
We expect to either not be authenticated or return the credentials; however, we are being thrown a CORS error. When we click on the URL which we were redirected from, we get another error stating `Authentication failed due to: Missing custom request token cookie`.
Now, as far as we understood, this basically means that the temporary cookie which bell saves between redirects did not survive the OAuth flow. Somebody suggested that this would usually be a compatibility problem between our browser and the cookie settings we are using. We tried to fix it by setting `isSameSite: 'Lax'` in the settings of our strategy that uses bell. We also tried using different browsers (IE, Chrome, Firefox); however, neither of these solutions worked.
This is what the strategy looks like, and we also have CORS enabled on our routes:
```js
// The strategy name 'azure' is a placeholder
server.auth.strategy('azure', 'bell', {
    provider: 'azure',
    config: {
        tenant: config.tenant,
    },
    ttl: 1000 * 60 * 60 * 24, // lifetime of the temporary cookie: 24 hours in ms
    password: config.password, // cookie encryption password
    clientId: config.clientId,
    clientSecret: config.clientSecret,
    // isHttpOnly: true,
    isSecure: false, // Should be set to true (which is the default) in production
    // forceHttps: true,
    isSameSite: 'Lax',
    providerParams: {
        response_type: 'code'
    },
    scope: ['openid', 'offline_access', 'profile', 'User.Read']
})
```
Is there a way in which we can make our server work with the azure provider?
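
As an added example (not part of the original post, and not bell's own code): a simplified model of the browser rules that decide whether a cookie set before the redirect is attached to a later request, applied to the `isSecure` and `isSameSite` values from the posted strategy. The function name, the request fields and the scenarios are constructed for illustration; localhost exemptions and redirect-chain subtleties are left out.

```javascript
// Simplified model of browser cookie rules (Secure + SameSite). Illustrative only.
function cookieDecision(cookie, request) {
  if (cookie.isSameSite === 'None' && !cookie.isSecure) {
    return { sent: false, reason: 'SameSite=None without Secure is rejected' };
  }
  if (cookie.isSecure && request.scheme !== 'https') {
    return { sent: false, reason: 'Secure cookie is not sent over plain http' };
  }
  if (!request.crossSite) {
    return { sent: true, reason: 'same-site request' };
  }
  // From here on the request was initiated from another site (e.g. the provider).
  const topLevelGet = request.kind === 'navigation' && request.method === 'GET';
  switch (cookie.isSameSite) {
    case 'Strict':
      return { sent: false, reason: 'Strict withholds cookies from cross-site requests' };
    case 'Lax':
      return topLevelGet
        ? { sent: true, reason: 'Lax allows cross-site top-level GET navigation' }
        : { sent: false, reason: 'Lax withholds cookies from cross-site fetch/XHR and POST' };
    case 'None':
      return { sent: true, reason: 'None (with Secure) is sent cross-site' };
    default:
      throw new Error(`unsupported isSameSite value: ${cookie.isSameSite}`);
  }
}

// Constructed scenarios: cookie settings crossed with how the request is made.
const posted = { isSecure: false, isSameSite: 'Lax' }; // values from the posted strategy
const redirectOverHttp = { scheme: 'http', crossSite: true, kind: 'navigation', method: 'GET' };
const fetchOverHttp = { scheme: 'http', crossSite: true, kind: 'fetch', method: 'GET' };

function runScenarios() {
  return {
    postedOnRedirect: cookieDecision(posted, redirectOverHttp),
    postedOnFetch: cookieDecision(posted, fetchOverHttp),
    strictOnRedirect: cookieDecision({ isSecure: false, isSameSite: 'Strict' }, redirectOverHttp),
    secureOnHttp: cookieDecision({ isSecure: true, isSameSite: 'Lax' }, redirectOverHttp),
    noneWithoutSecure: cookieDecision({ isSecure: false, isSameSite: 'None' }, redirectOverHttp),
  };
}

for (const [name, result] of Object.entries(runScenarios())) {
  console.log(`${name}: ${result.sent ? 'sent' : 'NOT sent'} (${result.reason})`);
}
```

Comparing these outcomes with the request and response cookie headers in the browser's network panel shows at which hop the cookie is dropped.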