There is a way, explored by Brock Allen, to use sameSite: "Strict" for the session cookie while using OAuth2 redirects for login.
I prototyped it some, and I used the OAuth state to store the session, but that's probably not ideal. Even when POSTing back to the callback. For the final success or failure redirects, I used the redirectHtml function shown below and that worked well. It allowed the final isAuthorized page to use the strict session cookies as normal.
The final part needed is probably to do the same for the incoming callback. That is, to store the information from the callback into a cookie, then perform an HTML redirect to pick up the session cookies and continue from there.
export function redirectHtml(url: string, init: number | ResponseInit = {}) {
let responseInit = init;
if (typeof responseInit === "number") {
responseInit = {
status: responseInit,
};
}
let headers = new Headers(responseInit.headers);
if (!headers.has("Content-Type")) {
headers.set("Content-Type", "text/html; charset=utf-8");
}
const body = `<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<meta http-equiv="refresh" content="0;url=${url}" />
</head>
</html>`;
return new Response(body, { ...responseInit, headers });
}
bitofbreeze
commented
4 weeks ago
There is a way, explored by Brock Allen, to use
sameSite: "Strict"for the session cookie while using OAuth2 redirects for login.I prototyped it some, and I used the OAuth state to store the session, but that's probably not ideal. Even when POSTing back to the callback. For the final success or failure redirects, I used the
redirectHtmlfunction shown below and that worked well. It allowed the final isAuthorized page to use the strict session cookies as normal.The final part needed is probably to do the same for the incoming callback. That is, to store the information from the callback into a cookie, then perform an HTML redirect to pick up the session cookies and continue from there.