Commit
Change SameSite=strict to SameSite=lax in default $oidc_cookie_attrs
When you click on a link in MS Teams, it opens https://statics.teams.cdn.office.net/evergreen-assets/safelinks/1/atp-safelinks.html in the browser, which sends the URL and some metadata to Microsoft, and if it decides that the URL is okay (and logs it because they want to spy on you...), it calls `window.location.replace()` to finally redirect you to the site you wanted to go to. The nginx module sends you a redirect to the authorization endpoint, OIDC redirects you to the callback endpoint with the authorization code, which is handled by the module. It exchanges the authorization code for the id token, then sends you Set-Cookie with the session id and redirects you to the original target. And now comes the problem. The browser ignores Set-Cookie due to the SameSite policy, so the browser doesn't send the session cookie back to the nginx module. So, you're still not authenticated, thus the module redirects you to the authorization endpoint... and this repeats again and again, until the browser detects the loop and stops it.
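The redirect loop described in the commit message can be reproduced with a small model of the browser's SameSite decision and of the module's redirect logic. This is an added example, not code from the commit or from the nginx module; the SameSite rules are a simplified model (Strict cookies are withheld whenever the navigation was initiated from another site, Lax cookies are sent on top-level GET navigations), the `site_of` helper is a two-label approximation of a registrable domain, and the application, IdP and callback URLs are constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed URLs for the simulation (only the Teams safelinks URL is from the commit).
TEAMS_SAFELINKS = "https://statics.teams.cdn.office.net/evergreen-assets/safelinks/1/atp-safelinks.html"
TARGET = "https://app.example.com/dashboard"
CALLBACK = "https://app.example.com/callback"   # hypothetical OIDC redirect_uri handled by nginx


def site_of(url: str) -> str:
    """Approximate the 'site' (registrable domain) by the last two host labels."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


@dataclass
class Request:
    url: str
    initiator: str          # document that started the navigation (redirect chain keeps it)
    method: str = "GET"
    top_level: bool = True  # top-level navigation, as opposed to a subresource fetch


def cookie_sent(samesite: str, req: Request) -> bool:
    """Simplified SameSite model (assumption, see lead-in).

    none   -> always sent
    lax    -> sent when same-site, or on a top-level safe-method navigation
    strict -> sent only when the navigation was initiated same-site
    """
    cross_site = site_of(req.initiator) != site_of(req.url)
    if not cross_site:
        return True
    mode = samesite.lower()
    if mode == "none":
        return True
    if mode == "lax":
        return req.top_level and req.method.upper() in ("GET", "HEAD")
    return False  # strict: never on a cross-site-initiated navigation


def login_flow(samesite: str, initiator: str, max_hops: int = 10) -> dict:
    """Simulate browser + nginx OIDC module for a session cookie with the given SameSite value.

    Returns {"result": "ok"|"loop", "hops": <number of requests to the app>}.
    """
    jar = {}              # cookie name -> SameSite attribute the browser stored it with
    url = TARGET
    for hop in range(1, max_hops + 1):
        req = Request(url, initiator)
        if urlsplit(url).path == urlsplit(CALLBACK).path:
            # Callback: module exchanges the code for an id token, sets the session
            # cookie and redirects to the original target.
            jar["session"] = samesite
            url = TARGET
            continue
        if "session" in jar and cookie_sent(jar["session"], req):
            return {"result": "ok", "hops": hop}
        # No usable session: redirect to the IdP, which sends the browser back to the callback.
        url = CALLBACK + "?code=constructed-auth-code"
    return {"result": "loop", "hops": max_hops}


if __name__ == "__main__":
    for mode in ("strict", "lax"):
        print(mode, "from Teams:", login_flow(mode, TEAMS_SAFELINKS))
        print(mode, "from the app itself:", login_flow(mode, TARGET))
```

With the Teams safelinks page as the initiator, `strict` never delivers the freshly set cookie and the flow hits the hop limit, while `lax` succeeds on the third request (target, callback, target again). Starting the navigation from the application's own site works under both values, which is why the bug only shows up for links arriving from another site.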