Move access/refresh tokens to secure cookies (#20779)
* feat: adds the `credentials: include` header to all manual requests
* feat: adds `credentials: include` as a configurable option to xhr requests (and sets it by default to true)
* feat: configures the auto-generated fetch client from hey-api to include credentials by default
* Add OpenIddict handler to hide tokens from the back-office client
* Make back-office token redaction optional (default false)
* Clear back-office token cookies on logout
* Add configuration for backoffice cookie settings
* Make cookies forcefully secure + move cookie handler enabling to the BackOfficeTokenCookieSettings
* Use the "__Host-" prefix for cookie names
* docs: adds documentation on cookie settings
* build: sets up launch profile for vscode with new cookie recommended settings
* docs: adds extra note around SameSite settings
* docs: adds extra note around SameSite settings
* Respect sites that do not use HTTPS
* Explicitly invalidate potentially valid, old refresh tokens that should no longer be used
* Removed obsolete const

---------

Co-authored-by: Jacob Overgaard <752371+iOvergaard@users.noreply.github.com>
13
.github/BUILD.md
vendored
@@ -37,7 +37,7 @@ In order to work with the Umbraco source code locally, first make sure you have
### Familiarizing yourself with the code
Umbraco is a .NET application using C#. The solution is broken down into multiple projects. There are several class libraries. The `Umbraco.Web.UI` project is the main project that hosts the back office and login screen. This is the project you will want to run to see your changes.
Umbraco is a .NET application using C#. The solution is broken down into multiple projects. There are several class libraries. The `Umbraco.Web.UI` project is the main project that hosts the back office and login screen. This is the project you will want to run to see your changes.
There are two web projects in the solution with client-side assets based on TypeScript, `Umbraco.Web.UI.Client` and `Umbraco.Web.UI.Login`.
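Review bot: the removed and added lines of this hunk read identically in the rendered diff, so the change to the `Umbraco.Web.UI` sentence appears to be whitespace or punctuation only; if it is incidental, consider leaving it out so the diff stays focused on the cookie changes, or say what changed in the commit message.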
@@ -73,13 +73,20 @@ Just be careful not to include this change in your PR.
Conversely, if you are working on front-end only, you want to build the back-end once and then run it. Before you do so, update the configuration in `appSettings.json` to add the following under `Umbraco:Cms:Security`:
```
```json
"BackOfficeHost": "http://localhost:5173",
"AuthorizeCallbackPathName": "/oauth_complete",
"AuthorizeCallbackLogoutPathName": "/logout",
"AuthorizeCallbackErrorPathName": "/error"
"AuthorizeCallbackErrorPathName": "/error",
"BackOfficeTokenCookie": {
"Enabled": true,
"SameSite": "None"
}
```
> [!NOTE]
> If you get stuck in a login loop, try clearing your browser cookies for localhost, and make sure that the `BackOfficeTokenCookie` settings are correct. Namely, that `SameSite` should be set to `None` when running the front-end server separately.
Then run Umbraco from the command line.
```
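Review bot: the new `BackOfficeTokenCookie` block sets `SameSite` to `None` without saying that this is a development-only setting for the separate front-end server on `http://localhost:5173`; the `[!NOTE]` explains the login loop but not why `None` is needed (the dev server and the back-end are different origins, so the token cookie has to be sent cross-site) or that it must not be copied into a production `appSettings.json`. One sentence in the note would cover it, along the lines of: `SameSite=None` is only required when the front-end runs on its own origin, and browsers only accept such cookies when they also carry `Secure`, which the forced-secure, `__Host-` prefixed cookies from this PR already provide.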
6
.github/copilot-instructions.md
vendored
@@ -110,7 +110,11 @@ Use this for frontend-only development with hot module reloading:
"BackOfficeHost": "http://localhost:5173",
"AuthorizeCallbackPathName": "/oauth_complete",
"AuthorizeCallbackLogoutPathName": "/logout",
"AuthorizeCallbackErrorPathName": "/error"
"AuthorizeCallbackErrorPathName": "/error",
"BackOfficeTokenCookie": {
"Enabled": true,
"SameSite": "None"
}
```
2. Run backend: `cd src/Umbraco.Web.UI && dotnet run --no-build`
3. Run frontend dev server: `cd src/Umbraco.Web.UI.Client && npm run dev:server`
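Review bot: this hunk duplicates the `BackOfficeTokenCookie` snippet from `.github/BUILD.md` but not the accompanying `[!NOTE]` about clearing cookies and the `SameSite` setting, so a reader following the copilot instructions gets no hint when they hit the login loop; either add the same note here or point to the BUILD.md section so the two copies do not drift apart.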