kyre6371
commented
5 months ago I had this same issue with coldfront! When diagnosing the problem, I was catching http requests. It gets the code and state that is used to get the access token. so if you get the code and state, you can paste it into the url like: https://my-url/oidc/callback/?code=<code>&state=<state>and it would log in every time. Not very practical.
I've messaged the coldfront team on slack about this as well. I thought it was an ssl issue for a while. Thanks for posting this.
Timost
Hi, I don't know if this is really a mozzila-djano-oidc issue, or an django issue, but I've just been configuring an RP for google OIDC. I found that my client (chromium and firefox) were not transmitting the django sessionid cookie to the callback url because it has SameSite=Strict (and the calling url was google.com). The result was the mozilla-django-oidc couldn't get the oidc_claims from the session.
I "fixed" the problem by setting SESSION_COOKIE_SAMESITE='Lax' in config/auth.py so that the sessionid was transmitted.
I wonder whether a) anyone else has experienced this b) I'm doing something hideously wrong and that's why no one else seems to have hit this problem
For context I'm actually using an application called coldfront which is subclassing OIDCAuthenticationBackend, I'm on django 3.2.17 and mozilla-django-oidc 3.0.0 and chromium 114.0.5735.106 with a google OIDC provider. I suspect this will affect anyone using mozilla-django-oidc where the OIDC Provider and RP are not on the same domain (eg using google for the provider for an RP on your own domain)
Thanks for you time ;-)