Description

OidcCookie should be using `SameSite=LAX` instead of `SameSite=STRICT`. A redirect from the OAuth provider to the gateway will cause the cookie to be blocked when `SameSite=STRICT`. (See https://stackoverflow.com/a/42220786)

The tests missed this issue because Dropwizard ignored the SameSite setting and didn't set it at all (looks like a bug). I discovered this issue when I was testing it on Airlift.
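To make the failure mode concrete, here is a small model of how a browser decides whether to attach a cookie under each SameSite value. It is an added illustration written for this page, not code from trino-gateway; the hostnames `idp.example.org` and `gateway.example.com`, the callback path and the "registrable domain = last two labels" approximation are constructed assumptions. The point it shows: the OIDC callback is a cross-site top-level GET navigation (the identity provider's 302 sends the browser back to the gateway), which `Strict` drops and `Lax` allows, while `Lax` still withholds the cookie from cross-site POSTs and subresource requests, so the CSRF protection that motivated the attribute is kept.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Methods a Lax cookie may accompany on a cross-site top-level navigation.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: str  # "Strict", "Lax" or "None" (case-insensitive)


def site_of(url: str) -> str:
    """Approximate the 'site' (registrable domain) of a URL.

    Assumption: the registrable domain is the last two host labels. Real
    browsers consult the Public Suffix List, but the approximation is enough
    for the hosts used in this example.
    """
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def cookie_is_sent(cookie: Cookie, request_url: str, initiator_url: str,
                   method: str, top_level_navigation: bool) -> bool:
    """Simplified SameSite enforcement: is `cookie` attached to this request?

    `initiator_url` is the page (or redirecting response) that caused the
    request; `request_url` is where it is going.
    """
    if site_of(request_url) == site_of(initiator_url):
        return True  # same-site: SameSite never withholds the cookie
    mode = cookie.same_site.capitalize()
    if mode == "None":
        return True  # cross-site allowed (browsers also require Secure)
    if mode == "Strict":
        return False  # no cross-site request gets it, navigations included
    if mode == "Lax":
        return top_level_navigation and method.upper() in SAFE_METHODS
    raise ValueError(f"unknown SameSite value: {cookie.same_site!r}")


def oidc_callback_cookie_sent(same_site_value: str) -> bool:
    """Constructed OIDC flow: the IdP 302-redirects the browser to the
    gateway's callback, so the request is a cross-site top-level GET."""
    return cookie_is_sent(
        Cookie("OidcCookie", same_site_value),
        request_url="https://gateway.example.com/oauth2/callback?code=c&state=s",
        initiator_url="https://idp.example.org/authorize",
        method="GET",
        top_level_navigation=True,
    )


def set_cookie_header(cookie: Cookie, value: str) -> str:
    """Render the Set-Cookie header the gateway should emit (Secure and
    HttpOnly added; SameSite written in canonical capitalisation)."""
    return (f"{cookie.name}={value}; Path=/; Secure; HttpOnly; "
            f"SameSite={cookie.same_site.capitalize()}")


if __name__ == "__main__":
    for mode in ("Strict", "Lax"):
        print(f"SameSite={mode}: callback cookie sent ->",
              oidc_callback_cookie_sent(mode))
    print(set_cookie_header(Cookie("OidcCookie", "LAX"), "opaque-state"))
```

Running it prints that the callback cookie is sent only under `Lax`. A caveat for deployments that use `response_mode=form_post`: the callback then arrives as a cross-site POST, which `Lax` also blocks, so the model returns `False` for that case as well.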
Additional context and related issues
`SameSite` is missing at:
https://github.com/trinodb/trino-gateway/blob/5d7e30c2fd94ac3279cd77dec5724f9904f5690a/gateway-ha/src/main/java/io/trino/gateway/ha/security/OidcCookie.java#L45

Release notes
(x) This is not user-visible or is docs only, and no release notes are required.