From 9a12dab6004fce599d4e5d7eacd64f923f58dedc Mon Sep 17 00:00:00 2001
From: Peter Olds
Date: Sun, 12 Jan 2025 13:27:06 -0800
Subject: [PATCH] fix: allow oauth_state token to be cross-domain (#40)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

External OIDC providers won’t work with the current setup.
---
 internal/api/v1/auth/oidc.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/internal/api/v1/auth/oidc.go b/internal/api/v1/auth/oidc.go
index 0344036..ae86992 100644
--- a/internal/api/v1/auth/oidc.go
+++ b/internal/api/v1/auth/oidc.go
@@ -60,7 +60,8 @@ func OIDCLoginHandler(w http.ResponseWriter, r *http.Request) {
 Value: state,
 MaxAge: 300,
 HttpOnly: true,
- SameSite: http.SameSiteStrictMode,
+ SameSite: http.SameSiteNoneMode,
+ Secure: true,
 Path: "/",
 })
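Review bot: `SameSite: http.SameSiteNoneMode` on the added line is broader than the flow needs: the IdP's redirect back to the callback is a cross-site top-level GET, which `SameSiteStrictMode` blocks but `http.SameSiteLaxMode` permits, so `SameSite: http.SameSiteLaxMode,` fixes the reported breakage without also attaching the state cookie to every cross-site subresource and fetch request the browser makes. None is only required if a provider is configured with `response_mode=form_post` (a cross-site POST), and whichever mode is kept deserves a why-comment on that line, e.g. `// Lax: the IdP redirects back via a cross-site top-level GET, which Strict drops.` Keeping `Secure: true` is correct either way (browsers reject SameSite=None without it), but it also means the cookie is never set over plain http outside localhost, which may matter for local development. Whether the callback compares this cookie against the returned `state` parameter and clears it after use cannot be seen from this hunk; with the cookie now travelling cross-site, that comparison is the only remaining login-CSRF check, so it is worth confirming. The enclosing `OIDCLoginHandler` starts before the hunk and continues after the `})` that closes the SetCookie call.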