I’m having difficulty using OAuth2 and Microsoft’s authorization server to get an access token with a set of permissions for a user that can be used to retrieve information from the OneDrive app via Microsoft Graph.
GET the Microsoft OAuth endpoint (
redirect_uri of my secured ASP.NET endpoint. The
code id_token and the
After completing the authorization process, I get redirected to my ASP.NET endpoint with state. The browser, however, is not including the ASP.NET_SessionId cookie in the request, because its SameSite attribute is set to Lax. If I set the SameSite cookie attribute to None, the endpoint can be reached, but this is not a secure solution, and only endpoints with [AllowAnonymous] attributes can be reached.
The initiator of the last call is oauth20_authorize.srf, which is different from other websites, which typically use document. I’m not sure if this is the right track.
Is there a secure workaround solution to this issue?
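A defender-side pattern for the cross-site callback described in the question, as an added example in classic ASP.NET MVC (not the asker's code): ASP.NET_SessionId stays at SameSite=Lax, and the flow is instead bound with a short-lived random value in a dedicated SameSite=None cookie that the anonymous callback checks against state before any session is established. The controller name, the cookie name and the AUTHORIZE_URL placeholder are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;

// Hypothetical controller (added example; needs .NET Framework 4.7.2+ for HttpCookie.SameSite).
// The authorization response arrives cross-site, so the Lax ASP.NET_SessionId cookie is not
// sent with it. Rather than relaxing that cookie, the flow is bound with a one-shot
// correlation cookie that is SameSite=None; Secure; HttpOnly and holds nothing but random state.
public class OAuthController : Controller
{
    const string CorrelationCookie = "oauth.correlation"; // hypothetical cookie name

    static string NewToken()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static HttpCookie Correlation(string value, DateTime expires) => new HttpCookie(CorrelationCookie, value)
        { Secure = true, HttpOnly = true, SameSite = SameSiteMode.None, Expires = expires };

    // Step 1: start the flow. Only the random state is persisted, and only in the correlation cookie.
    [HttpGet, AllowAnonymous]
    public ActionResult Start()
    {
        var state = NewToken();
        Response.Cookies.Add(Correlation(state, DateTime.UtcNow.AddMinutes(10)));
        // AUTHORIZE_URL is a placeholder for the Microsoft authorization endpoint with the
        // client_id, redirect_uri, scope, response_type=code id_token and nonce parameters.
        return Redirect("AUTHORIZE_URL" + "&state=" + Uri.EscapeDataString(state));
    }

    // Step 2: the callback must be anonymous, because no session cookie can reach it.
    [HttpPost, AllowAnonymous]
    public ActionResult Callback(string code, string id_token, string state, string error)
    {
        var expected = Request.Cookies[CorrelationCookie]?.Value;
        Response.Cookies.Add(Correlation("", DateTime.UtcNow.AddDays(-1))); // one-shot: always clear it
        if (error != null || string.IsNullOrEmpty(expected) || !FixedTimeEquals(expected, state))
            return new HttpStatusCodeResult(400, "state mismatch");
        // Exchange the code server-side and validate id_token here; only then create the signed-in
        // session. The Lax session cookie is set on this same-site redirect, so later requests carry it.
        Session["oauth.authorized"] = true; // replace with the result of the token exchange
        return RedirectToAction("Index", "Home");
    }
}
```

The id_token nonce can be carried in the same correlation cookie and checked the same way, so nothing from the pre-authorization request has to live in the Lax session.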