Feature Request: Cookie settings (HttpOnly, Secure)
Hi,
I’m using external-auth-server together with Kubernetes and Traefik v2.1. It’s really simple to configure and use.
I had, and actually still have, one issue which took me hours to find out why exactly it happens.
In my case, I have Home-Assistant as the service which should be protected by external-auth-server. This application is a progressive web app (PWA), which means it uses a service worker quite heavily.
So, each initial authentication process was working fine (clean browser or incognito tab), because there was no service worker in place. After an hour (the token expired), I get redirected to Google for another sign-in. But this time the final cookie cannot be set or read, and the request ends in a 503 error.
I guess the issue behind it is that the two cookies set have the httpOnly flag. This disallows the service worker from getting/setting the cookies. But I’m not absolutely sure whether this is the only problem. But if I tick the option Bypass for network in the Chrome debug tools, then everything works fine.
Is there already such an option to configure which flags should be set by external-auth-server? If not, would this be a huge task? I know I will lose a bit of security by not setting this flag. But I don’t see any other possibility. On the other hand, I’m not very experienced with service workers.
Thank you. Best Danny
Issue Analytics
- Created 4 years ago
- Comments: 19 (12 by maintainers)

Ok yeah. The next branch already makes it configurable for the non-csrf cookie. I’ll add the sameSite in there as well and add config options for the csrf stuff as well as it appears needed.
https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/
A new Chrome release is coming, so SameSite is also needed for single sign-on scenarios; I was about to open an issue but found this one 😃
My colleague just added SameSite and Secure here https://github.com/travisghansen/external-auth-server/blob/af3ae4a462f1cb0281d57db868c51b95b961e6f2/src/plugin/oauth/index.js#L441 and in the csrf cookie, and it seems to be working fine (maybe a bit more testing is needed, but initially it looks good).
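As an added example, not code from external-auth-server or from anyone in this thread, the following Node.js snippet shows what a configurable cookie-flag setting like the one requested above looks like in practice: a Set-Cookie serializer driven by per-cookie HttpOnly/Secure/SameSite options (the option names and DEFAULT_FLAGS are assumptions, not the project's real config keys), the Chrome 80 rule that SameSite=None is only accepted together with Secure, and a check of which flag combinations still get attached when the identity provider redirects back to the callback URL. The sample headers in the test are constructed for illustration.

```javascript
// Added example (not external-auth-server code). Option names are assumed.
const DEFAULT_FLAGS = { httpOnly: true, secure: true, sameSite: "Lax" };

// Build a Set-Cookie header value from a name, value and flag configuration.
function serializeCookie(name, value, flags = {}) {
  const opts = { ...DEFAULT_FLAGS, ...flags };
  if (!/^[A-Za-z0-9_\-]+$/.test(name)) throw new Error("invalid cookie name");
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  if (Number.isInteger(opts.maxAge)) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.httpOnly) parts.push("HttpOnly");
  if (opts.secure) parts.push("Secure");
  if (opts.sameSite) {
    const v = String(opts.sameSite).toLowerCase();
    const norm = { strict: "Strict", lax: "Lax", none: "None" }[v];
    if (!norm) throw new Error(`unsupported SameSite value: ${opts.sameSite}`);
    // Chrome 80+ drops SameSite=None cookies that are not also Secure.
    if (norm === "None" && !opts.secure) throw new Error("SameSite=None requires Secure");
    parts.push(`SameSite=${norm}`);
  }
  return parts.join("; ");
}

// Minimal Set-Cookie parser for the attributes we care about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "httponly") cookie.httpOnly = true;
    else if (key === "secure") cookie.secure = true;
    else if (key === "samesite") cookie.sameSite = v ? v.toLowerCase() : null;
  }
  return cookie;
}

// Would a browser with Chrome 80+ defaults attach this cookie to a top-level
// cross-site navigation, e.g. the identity provider redirecting back to the
// OAuth callback? `method` is the method of that navigation request.
function sentOnCrossSiteNavigation(header, method = "GET", https = true) {
  const c = parseSetCookie(header);
  if (c.secure && !https) return false;        // Secure cookies travel only over HTTPS
  const mode = c.sameSite || "lax";            // unspecified is treated as Lax
  if (mode === "none") return c.secure;        // None without Secure is rejected outright
  if (mode === "strict") return false;         // Strict: never on a cross-site request
  return method.toUpperCase() === "GET";       // Lax: safe top-level navigations only
}

module.exports = { serializeCookie, parseSetCookie, sentOnCrossSiteNavigation };
```

Two points worth keeping in mind when choosing the flags: a callback that arrives as a cross-site POST (for example an OIDC form_post response) needs SameSite=None plus Secure, since a Lax cookie is only attached to top-level GET navigations; and HttpOnly only hides a cookie from document.cookie (a service worker has no document at all), so the browser still attaches an HttpOnly cookie to requests for that origin, including ones a service worker relays with fetch().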