maykinmedia / mozilla-django-oidc-db

Database-backed settings for mozilla-django-oidc, with modified unique identifiers for users
MIT License

Ensure OIDC login works in combination with SameSite strict settings of open-api-framework #116

Closed. alextreme closed this 1 month ago

alextreme commented 1 month ago

open-api-framework issue, raised by @sergei-maertens

```python
SESSION_COOKIE_SAMESITE = config(
    "SESSION_COOKIE_SAMESITE",
    "Strict",
    help_text=(
        "The value of the SameSite flag on the session cookie. This flag prevents the "
        "cookie from being sent in cross-site requests thus preventing CSRF attacks and "
        "making some methods of stealing session cookie impossible."
    ),
)
```

This doesn't work well with Google OIDC (and likely Azure, since someone else was running into similar issues). It needs to be set to "Lax". Note that this is probably not a problem as soon as you are logged in to Google; Keycloak can then re-use the existing Google session, but for the first login, shit breaks.

Suggested workaround: set the session cookie to 'Lax' during the OIDC login flow using a custom middleware in mozilla-django-oidc-db, and revert it back to 'Strict' afterwards.
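The middleware sketched in the comment above, written out as an added example (this is not code from mozilla-django-oidc-db, open-api-framework, or the linked PR). The reason Strict breaks the first login: the IdP sends the browser back to the callback URL with a cross-site top-level navigation, and a Strict cookie is not attached to that navigation, so the callback view cannot read the `oidc_states` the authentication-request view stored in the session and the state check fails. Lax cookies are attached to top-level GET navigations but still withheld on cross-site POSTs and subresource requests, so relaxing the cookie only for the round trip costs little. The session cookie name, the two URL paths, and the `_Request`/`_Response`/`_session_view` stand-ins are assumptions made for this example; the middleware itself only relies on `response.cookies` being an `http.cookies.SimpleCookie`, which is what Django's `HttpResponse` uses, so it runs unchanged under Django.

```python
from http.cookies import SimpleCookie

# Assumed values for this example; in a real project they come from Django
# settings (SESSION_COOKIE_NAME, SESSION_COOKIE_SAMESITE) and from the URL
# patterns under which mozilla-django-oidc's views are mounted.
SESSION_COOKIE_NAME = "sessionid"
SESSION_COOKIE_SAMESITE = "Strict"        # the open-api-framework default quoted above
OIDC_INIT_PATH = "/oidc/authenticate/"    # assumed path of the authentication-request view
OIDC_CALLBACK_PATH = "/oidc/callback/"    # assumed path of the callback view


class OIDCSameSiteMiddleware:
    """Relax the session cookie to SameSite=Lax only while an OIDC login is in flight.

    Place this ABOVE SessionMiddleware in MIDDLEWARE: outer middleware sees the
    response last, so this runs after SessionMiddleware has already written the
    Set-Cookie header and can still rewrite its SameSite attribute.
    """

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        morsel = response.cookies.get(SESSION_COOKIE_NAME)
        if morsel is None:
            # SessionMiddleware did not (re)issue the cookie on this response.
            return response
        if request.path == OIDC_INIT_PATH:
            # Redirect to the IdP: issue the cookie as Lax so the browser still
            # sends it on the cross-site return to the callback URL.
            morsel["samesite"] = "Lax"
        elif request.path == OIDC_CALLBACK_PATH:
            # Login completed (Django cycles the session key here), so the
            # re-issued cookie goes back to the strict default.
            morsel["samesite"] = SESSION_COOKIE_SAMESITE
        return response


class _Request:
    """Constructed stand-in for django.http.HttpRequest (only .path is used)."""

    def __init__(self, path):
        self.path = path


class _Response:
    """Constructed stand-in for HttpResponse; Django's .cookies is a SimpleCookie too."""

    def __init__(self):
        self.cookies = SimpleCookie()


def _session_view(request):
    """Constructed stand-in for view + SessionMiddleware: every request here
    touches the session, so a Set-Cookie with the configured default SameSite
    value is emitted, as SessionMiddleware would for a modified session."""
    response = _Response()
    response.cookies[SESSION_COOKIE_NAME] = "opaque-session-key"
    response.cookies[SESSION_COOKIE_NAME]["samesite"] = SESSION_COOKIE_SAMESITE
    response.cookies[SESSION_COOKIE_NAME]["httponly"] = True
    return response


def run_login_flow():
    """Drive the OIDC round trip plus an unrelated request through the middleware
    and return the SameSite attribute the browser would receive for each."""
    middleware = OIDCSameSiteMiddleware(_session_view)
    result = {}
    for path in (OIDC_INIT_PATH, OIDC_CALLBACK_PATH, "/admin/"):
        response = middleware(_Request(path))
        result[path] = response.cookies[SESSION_COOKIE_NAME]["samesite"]
    return result


def session_set_cookie_header(path):
    """Render the Set-Cookie value the middleware leaves on the response for `path`."""
    response = OIDCSameSiteMiddleware(_session_view)(_Request(path))
    return response.cookies[SESSION_COOKIE_NAME].OutputString()


if __name__ == "__main__":
    for path, samesite in run_login_flow().items():
        print(f"{path:<22} SameSite={samesite}")
```

Under Django you would match on `request.resolver_match.url_name` (`oidc_authentication_init` / `oidc_authentication_callback`) rather than on literal paths, and set the Lax value via `response.set_cookie(..., samesite="Lax")` if you prefer not to touch the morsel directly; the effect on the header is the same. Note that only the cookie issued at the start of the flow needs to be Lax; once the callback has logged the user in, the re-issued cookie is Strict again, which is what the comment above proposes.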

sergei-maertens commented 1 month ago

Workaround being tested/applied here: https://github.com/GeneriekPublicatiePlatformWoo/registratie-component/pull/29

alextreme commented 1 month ago

@Coperh discussed with Sergei; please set the default to Lax for now. This should be sufficient for the AMS issue (as the complaint was that SameSite wasn't set).

joeribekker commented 1 month ago

All components that use the latest OAf will not work with OIDC due to this. Currently:

Apply the workaround that Sergei mentioned.