fix: allow oauth_state token to be cross-domain (#40)

External OIDC providers won’t work with the current setup.
2026-02-25 20:04:55 +01:00 · 2025-01-12 13:27:06 -08:00
parent 51f6391ded
commit 9a12dab600
1 changed files with 2 additions and 1 deletions
--- a/internal/api/v1/auth/oidc.go
+++ b/internal/api/v1/auth/oidc.go
@@ -60,7 +60,8 @@ func OIDCLoginHandler(w http.ResponseWriter, r *http.Request) {
 		Value:    state,
 		MaxAge:   300,
 		HttpOnly: true,
-		SameSite: http.SameSiteStrictMode,
+		SameSite: http.SameSiteNoneMode,
+		Secure:   true,
 		Path:     "/",
 	})