Does hydra support SameSite=None for cookies?

Hi,
Can anyone advise on how to set SameSite=None for hydra’s cookies?

Regards,
D

2 Likes

I am guessing you’re talking about this:


Yes michaeld,
Is it possible to set SameSite=None for the oauth2_authentication_csrf, oauth2_authentication_session and oauth2_consent_csrf cookies, given that the default value for SameSite is going to be Lax rather than None for Chrome and other browsers too?

Not yet but it would be a good idea to make this configurable. I think that strict will break all iframe-related flows with OpenID Connect so be aware of that!

I also need support for this. I have changes on a side branch to support configuration for it and should be able to open a PR tomorrow with the changes.

2 Likes

Sounds good!
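
For readers following this thread, here is a sketch of what a configurable SameSite mode looks like with Go's `net/http`. It is an added example, not code from this thread or from Hydra; the mode strings and the `parseSameSite` and `newFlowCookie` helpers are hypothetical. It refuses `SameSite=None` without `Secure`, because current browsers reject that combination.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// ErrNoneNeedsSecure is returned when SameSite=None is requested without TLS:
// current browsers reject SameSite=None cookies that lack the Secure attribute.
var ErrNoneNeedsSecure = errors.New("SameSite=None requires a Secure cookie (HTTPS)")

// parseSameSite maps a configuration string (hypothetical, not a Hydra option)
// to the net/http constant; empty means Lax, the default browsers now assume.
func parseSameSite(mode string) (http.SameSite, error) {
	switch strings.ToLower(strings.TrimSpace(mode)) {
	case "", "lax":
		return http.SameSiteLaxMode, nil
	case "strict":
		return http.SameSiteStrictMode, nil
	case "none":
		return http.SameSiteNoneMode, nil
	}
	return 0, fmt.Errorf("unknown SameSite mode %q", mode)
}

// newFlowCookie builds one of the cookies named in the thread with the
// configured SameSite mode. tls reports whether the server is served over HTTPS.
func newFlowCookie(name, value, mode string, tls bool) (*http.Cookie, error) {
	ss, err := parseSameSite(mode)
	if err != nil {
		return nil, err
	}
	if ss == http.SameSiteNoneMode && !tls {
		return nil, ErrNoneNeedsSecure
	}
	return &http.Cookie{Name: name, Value: value, Path: "/", HttpOnly: true, Secure: tls, SameSite: ss}, nil
}

func main() {
	for _, name := range []string{"oauth2_authentication_csrf", "oauth2_authentication_session", "oauth2_consent_csrf"} {
		c, err := newFlowCookie(name, "constructed-value", "none", true) // constructed sample value
		if err != nil {
			panic(err)
		}
		fmt.Println("Set-Cookie:", c.String())
	}
}
```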