I'm using identity server 4 and I have set cookiePolicy like:
in startup.cs
var cookiePolicyOptions = new CookiePolicyOptions
{
MinimumSameSitePolicy = Microsoft.AspNetCore.Http.SameSiteMode.None,
HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.None,
Secure = CookieSecurePolicy.Always,
};
and next:
app.UseCookiePolicy(cookiePolicyOptions);
I have also react application to authorize User in ID4. I am using Implicit Flow. When User is in normal mode everything's ok.
But when User is using private mode then the sign in window is not appear. sign in window
When in Google Chrome settings, Block thirty part cookies is set to Allow in private mode then everything is OK.
In case when application is running on localhost without https there is ok in both mode. The problem starts when application is on server with Https certificate.
I found a lot of information but still don't know if I Can do something to allow to set cookies in private mode during authorization?
Let me know if I should provide more information ;)
My problem was that I set sameSite=none
It's mean that my IdentityServer has different domain name than my web client.
I have changed to sameSite=Lax -it's mean that Identity and WebClient has the same domain name- but I needed to change also on my IIS binding to the same domain name for Identity Server on port: 8443 Site and Web client site. (before that two domain names was different)
In this case chrome is not blocking cookies as thirty part cookie and allow set idsrv.external cookie in browser in incognito mode also.
