SameSite=Strict cookies break the oauth flow (Grant: missing session or misconfigured provider)
TL;DR: do not use strict SameSite cookies.
From MDN:
Strict SameSite Cookies will only be sent in a first-party context and not be sent along with requests initiated by third party websites.
This means that the session cookie will not be sent when the OAuth provider redirects to your OAuth callback (.../connect/<provider>/callback) at the end of the Authorization Request.
It means that at that point grant will not be able to get the configuration information, as it is stored in the session. As a result grant will redirect you to the root of your site with a "Grant: missing session or misconfigured provider" error, i.e. https://example.com/?error=Grant%3A%20missing%20session%20or%20misconfigured%20provider.
Using SameSite=Lax, which is the default value in modern browsers, solves this issue.
I thought everything was finally working until I tried to login from an incognito window.
My app is at flyxc.app. Grant is mounted on oauth. You can see my config and the express server on GitHub.
So the first time I tried to authenticate, I have:
Request URL: [10ms] https://flyxc.app/oauth/google?x=85&y=24
Request URL: [215ms] https://accounts.google.com/o/oauth2/auth?client_id=754556983658-qscerk4tpsu8mgb1kfcq5gvf8hmqsamn.apps.googleusercontent.com&response_type=code&redirect_uri=https%3A%2F%2Fflyxc.app%2Foauth%2Fgoogle%2Fcallback&scope=openid%20email%20profile&state=72773a896d3aa87c33fe82ba58f25b5988b92966&nonce=247053f8ca6cd2fe238cb64e1de0ff3340395cea&code_challenge_method=S256&code_challenge=blH_5sDhwsE9-ZRoGA2fD12HT1MY-WeNr4GnoP0DiZc
Then it takes some time to enter the email and do the 2-step verification. There are a few more requests during this time:
Request URL: [28.56s] https://accounts.google.com/CheckCookie?hl=en&checkedDomains=youtube&[...]
Request URL: [28.66s] https://accounts.youtube.com/accounts/SetSID?ssdc=1&[...]
Request URL: [28.85s] https://accounts.google.com/signin/oauth/consent?authuser=0&[...]
Request URL: [29.22s] https://flyxc.app/oauth/google/callback?state=72773a896d3aa87c33fe82ba58f25b5988b92966&code=[...]&scope=email+profile+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&authuser=0&prompt=none
At this point grant redirects to "/":
[29.41s] https://flyxc.app/?error=Grant%3A%20missing%20session%20or%20misconfigured%20provider
Question: Why would grant ever want to redirect me to / instead of my callback (/device.html)?
If I initiate the login again:
Request URL: [5.2m] https://accounts.google.com/o/oauth2/auth?client_id=754556983658-qscerk4tpsu8mgb1kfcq5gvf8hmqsamn.apps.googleusercontent.com&response_type=code&redirect_uri=https%3A%2F%2Fflyxc.app%2Foauth%2Fgoogle%2Fcallback&scope=openid%20email%20profile&state=31c00ed60daa1488cc348763a895c285a0692ed1&nonce=0556040886b7f73a8a16546d83795deeacee1375&code_challenge_method=S256&code_challenge=V3xFedAexGB30MY3ZUFbjdS23ghNds9lXv9h_Rf8ooI
Request URL: [5.2m] https://flyxc.app/oauth/google/callback?state=31c00ed60daa1488cc348763a895c285a0692ed1&code=[...]&scope=email+profile+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&authuser=0&prompt=none
And grant finally logged me in without any error:
Request URL: [5.2m] https://flyxc.app/devices.html, auth ok.
I do see the session cookie created the first time I navigate to /oauth/google.
Do you have any idea of what could go wrong when grant receives the code? Is there a timeout that could cause the issue?
Otherwise, any idea on how I can debug this? What should I log?
Thanks!
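The mechanism described in the issue body (the session cookie is set on the same-site request to /oauth/google, then withheld by the browser on the cross-site redirect from the provider back to the callback) modelled as a small SameSite decision function, run over the redirect chain quoted above. This is an added example, not code from grant, from the issue author or from any browser: the rules for Strict, Lax and None are the published SameSite semantics; the site names, the request sequence, the express-session-style cookie objects and every function name are constructed for illustration. It goes one step beyond the issue by also testing a callback delivered as a form POST, which shows where the SameSite=Lax fix stops working.

```javascript
// Added example: a model of the browser's SameSite decision applied to the OAuth
// redirect chain from the issue. Not code from grant or from the issue author.
// Site names, the request sequence and the cookie option objects are constructed.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

/**
 * Return true when a cookie carrying the given SameSite attribute is attached to `req`.
 *   Strict: only when the request is same-site with the context that initiated it.
 *   Lax:    same-site requests, plus cross-site top-level navigations with a safe method.
 *   None:   on every request, but only if the cookie also carries Secure; browsers
 *           refuse to store a SameSite=None cookie without Secure, so it is never sent.
 * `req.initiatorSite` and `req.targetSite` are registrable domains (eTLD+1).
 */
function cookieIsSent(cookie, req) {
  const sameSite = req.initiatorSite === req.targetSite;
  switch (String(cookie.sameSite || 'lax').toLowerCase()) {
    case 'strict':
      return sameSite;
    case 'lax':
      return sameSite || (req.topLevelNavigation === true && SAFE_METHODS.has(req.method));
    case 'none':
      return cookie.secure === true;
    default:
      throw new Error(`unknown SameSite value: ${cookie.sameSite}`);
  }
}

// The Authorization Code flow from the issue as a sequence of top-level navigations.
// The provider's registrable domain is an assumption; the paths follow the URLs above.
const APP = 'flyxc.app';
const PROVIDER = 'google.com';
const flow = [
  // 1. User starts login; grant stores the provider configuration in the session and
  //    the Set-Cookie for the session arrives in this response.
  { step: 'GET /oauth/google', initiatorSite: APP, targetSite: APP, method: 'GET', topLevelNavigation: true },
  // 2. 302 to the provider's authorization endpoint.
  { step: 'GET /o/oauth2/auth', initiatorSite: APP, targetSite: PROVIDER, method: 'GET', topLevelNavigation: true },
  // 3. Provider redirects back with ?code=...&state=...: a cross-site top-level GET.
  { step: 'GET /oauth/google/callback', initiatorSite: PROVIDER, targetSite: APP, method: 'GET', topLevelNavigation: true },
];
const callbackRequest = flow[2];

// express-session style `cookie` options: the setting that breaks the flow and the fix.
// Plain objects here; a real app passes them to express-session as session({ cookie }).
const STRICT_SESSION = { sameSite: 'strict', secure: true, httpOnly: true };
const LAX_SESSION = { sameSite: 'lax', secure: true, httpOnly: true };

// What grant does at the callback depends on whether the session cookie arrived:
// with it, the configuration stored in step 1 is available; without it, grant
// redirects to "/" with the error quoted in the issue.
function grantOutcome(sessionCookie, req = callbackRequest) {
  return cookieIsSent(sessionCookie, req)
    ? 'callback handled: provider configuration recovered from the session'
    : '/?error=Grant%3A%20missing%20session%20or%20misconfigured%20provider';
}

// Same callback, but delivered by the provider as a form POST (e.g. response_mode=form_post).
const postCallback = { ...callbackRequest, method: 'POST' };

for (const [name, cookie] of Object.entries({ STRICT_SESSION, LAX_SESSION })) {
  console.log(`${name} on GET callback:  ${grantOutcome(cookie)}`);
  console.log(`${name} on POST callback: ${grantOutcome(cookie, postCallback)}`);
}
```

Run with node. The strict cookie is present on step 1 but absent on step 3, which is exactly the sequence in the issue; lax restores it only because step 3 is a top-level GET. The POST variant shows the limit of that fix: a provider that returns the code by form POST is blocked under an explicit SameSite=Lax as well (Chrome's temporary "Lax+POST" exception applies only to cookies that set no SameSite attribute at all), and such a flow needs SameSite=None; Secure. The model sends a SameSite=None; Secure cookie on every request, so the later report in this thread that the error also appears with sameSite set to none is not explained by the SameSite rule alone.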
Issue Analytics
- Created 3 years ago
- Comments: 12 (4 by maintainers)
Top GitHub Comments
Same thing happens with sameSite set to none.
😃 I have updated the title and description of the issue.
I think a "FAQ" or "Troubleshooting" section in the docs might be helpful to explain the most common errors people encounter. Explaining why/when the "Grant: missing session or misconfigured provider" error is generated would be great. One of the things this entry should tell people to check is the SameSite setting.