I'm having a strange issue using Safari 18.3.1 on a Mac (Ventura 13.7.4). I'm self-hosting Ory 2.3.0 in Docker with a Loadbalancer terminating HTTPS in front. On all other browsers, my standard login flow works just fine:
For some reason on Safari, after submitting credentials on the Login and Consent app, in the web traffic logs I can see that Hydra directed the browser to the consent page, and the Safari browser processed the consent page and gets the 302 (though I never see that in my developer toolbar in Safari) and Hydra then returns the 302 to the post login redirect callback. However, the RP never sees the callback get hit, and in my Safari browser, it seems to just 'hang' on the login form. The developer toolbar never even shows the POST of the login form even though it did POST. I have heard about issues like ITP on Safari but I already have unchecked the 'Prevent cross-site-tracking' checkbox in Safari and it hasn't helped. My RP is on a different domain to the OP. The Content Security Policy header on the Login and Consent app accepts My Login and Consent app sets a session, it is flagged Secure, HttpOnly and is SameSite: Lax. This is a standard 'authorization_code' flow. The same site/flow works fine on Chrome and Firefox. I am not using any iframes. I feel like I've ruled out a lot of things, but I can't figure out the problem. What haven't I tried? Has anyone else experienced issues with Safari in this way where it acts as if it isn't following the redirects (even though the web traffic logs on the other side show that it did actually hit the consent page and then Hydra and get issued a 302 response to the post-login-redirect URI?)
OK - this is ridiculous and embarrassing - but somehow the 'block' of following the 303 redirect from Hydra to the post-login-redirect callback of the RP, only seems to occur in Safari if I have the 'Developer Tools' open in Safari. WTF. If I don't have Developer Tools open, it just works fine. If I have it open and it is blocking the redirect, then closing the Developer Tools 'window' seems to immediately unblock the request. That is so weird. Sorry everyone, false alarm.