Scope of cookies in OpenID connect


During authentication to Azure AD B2C with OpenID Connect, what is the role of cookies there? Is it necessary to use cookies? Are there implicit uses of cookies in the OpenID Connect pipeline? Is there any documentation which complies with the role of cookies in OpenID Connect?

3 answers

Accepted answer

what is the role of cookies there?

The role of cookies is to give the browser stateless sessions.

Put into a browser cookie, the ID token can be used to implement lightweight stateless sessions. This does away with the need to store sessions on the server side (in memory or on disk), which can be quite a burden for apps that must scale well. The session cookie is checked by validating the ID token. If the token has expired, the app can simply ask the OP for a new one via a silent prompt=none request.

Is it necessary to use cookies?

RECOMMENDED, not REQUIRED. Opaque value used to maintain state between the request and the callback. Typically, Cross-Site Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a browser cookie.

Are there implicit uses of cookies in the OpenID Connect pipeline? Is there any documentation which complies with the role of cookies in OpenID Connect?

For more details about the cookies in OpenID Connect, you can refer to this document (search for "cookie" on that site).

Hope this helps!

Answer

I wrote about enabling OIDC in ASP.NET Core 2.0 on my blog here: https://joonasw.net/view/aspnet-core-2-azure-ad-authentication.

Quote from there which talks about the responsibilities of OIDC and cookies:

Cookies are responsible for two things:

  • Signing the user in (creating the authentication cookie and returning it to the browser)
  • Authenticating cookies in requests and creating user principals from them

Cookies are not exactly part of OpenID Connect here, they are used by the app to maintain the users' sessions after they log in with OIDC.

Though they can be used to hold the nonce that is sent with the request to the identity provider. This way the app can check they match when the user is redirected back to the app.

Cookies are the most common way for web applications to know who the user is on subsequent requests.
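The cookie roles described in the accepted answer (a state value cryptographically bound to a browser cookie for CSRF mitigation, and an ID token kept in a session cookie that is checked for expiry before deciding on a silent prompt=none request) and in this answer (a nonce held in a cookie and compared when the user is redirected back) can be shown in one small flow. This is an added example in Python, not code from either answer, from the linked blog post, or from Azure AD B2C. The authorization endpoint, client id, redirect URI, cookie secret and claim values are constructed for the example, and the ID token claims passed to `check_id_token_claims` are assumed to have had their signature and issuer already verified by a JWT library.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed demo secret for signing the short-lived "login flow" cookie.
# A real app loads this from configuration or a key store.
COOKIE_SECRET = b"constructed-demo-secret-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_cookie(payload: dict) -> str:
    """Serialize a payload into an HMAC-SHA256 signed cookie value: <body>.<mac>."""
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(COOKIE_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(mac)}"


def verify_cookie(value: str) -> Optional[dict]:
    """Return the payload if the cookie's MAC is valid, otherwise None."""
    try:
        body, mac = value.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(COOKIE_SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(mac)):
        return None
    return json.loads(_b64url_decode(body))


def start_login(authorize_endpoint: str, client_id: str, redirect_uri: str) -> Tuple[str, str]:
    """Build the authorization request URL and the cookie that binds state and nonce
    to this browser. The cookie is what turns state into a CSRF check."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    cookie = sign_cookie({"state": state, "nonce": nonce, "iat": int(time.time())})
    url = (
        f"{authorize_endpoint}?response_type=code&scope=openid"
        f"&client_id={client_id}&redirect_uri={redirect_uri}"
        f"&state={state}&nonce={nonce}"
    )
    return url, cookie


def handle_callback(query: dict, cookie_value: str, max_age_s: int = 600) -> str:
    """Validate the redirect back to the app. The state in the query must match the
    state in the signed cookie; on success the expected nonce is returned so it can
    be compared against the ID token obtained from the code exchange."""
    flow = verify_cookie(cookie_value)
    if flow is None:
        raise ValueError("missing or tampered login-flow cookie")
    if time.time() - flow["iat"] > max_age_s:
        raise ValueError("login-flow cookie expired")
    if not hmac.compare_digest(flow["state"], query.get("state", "")):
        raise ValueError("state mismatch: callback not bound to this browser (login CSRF)")
    return flow["nonce"]


def check_id_token_claims(claims: dict, expected_nonce: str, now: Optional[float] = None) -> str:
    """Decide what to do with the (already signature-verified) ID token held in the
    session cookie: reject a foreign token, or report expiry so the app can do a
    silent prompt=none re-authentication instead of bouncing the user to a login page."""
    now = time.time() if now is None else now
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: ID token was not issued for this login")
    if claims["exp"] <= now:
        return "expired: re-authenticate silently with prompt=none"
    return "valid"


if __name__ == "__main__":
    url, cookie = start_login("https://login.example/authorize", "demo-client", "https://app.example/cb")
    flow = verify_cookie(cookie)
    nonce = handle_callback({"code": "constructed-code", "state": flow["state"]}, cookie)
    print(check_id_token_claims({"nonce": nonce, "exp": time.time() + 3600}, nonce))
```

The login-flow cookie only needs to live for the duration of the round trip to the identity provider, so it should be short-lived and set with HttpOnly, Secure and SameSite=Lax (Lax rather than Strict, so the cookie is still sent on the top-level redirect back from the provider). The session cookie that later carries the ID token gets the same attributes.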

Answer

The B2C cookie provides the ability for the user to not have to continuously sign in. If they just signed in and visit the login page again, they won't have to sign in again.*

*There is a prompt parameter that can be used to always force the user to sign in.