From 0a20e384e1f8ff0611e6a198a16390c02d008bf1 Mon Sep 17 00:00:00 2001
From: Jakub Jirutka
Date: Thu, 7 Mar 2024 16:21:48 +0100
Subject: [PATCH] Change SameSite=strict to SameSite=lax in default $oidc_cookie_attrs

When you click on a link in MS Teams, it opens https://statics.teams.cdn.office.net/evergreen-assets/safelinks/1/atp-safelinks.html in the browser which sends the URL and some metadata to Microsoft and if it decides that the URL is okay (and logs it because they want to spy on you...), it calls `window.location.replace()` to finally redirect you to the site you wanted to go to. The nginx module sends you a redirect to the authorization endpoint, OIDC redirects you to the callback endpoint with the authorization code which is handled by the module. It exchanges the authorization code for the id token, then sends you Set-Cookie with the session id and redirects you to the original target. And now comes the problem. Browser ignores Set-Cookie due to the SameSite policy, so the browser doesn't send the session cookie back to the nginx module. So, you're still not authenticated, thus the module redirects you to the authorization endpoint... and this repeats again and again, until the browser detects the loop and stops it.
---
 README.adoc | 2 +-
 src/config.ts | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/README.adoc b/README.adoc
index 5fcf1e8..1448ffb 100644
--- a/README.adoc
+++ b/README.adoc
@@ -292,7 +292,7 @@ $oidc_cookie_attrs::
 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes[Set-Cookie attributes] to be added to the session cookies. Some attributes are overridden for certain cookies (_Max-Age_ and _Path_).
 +
-Default is `Max-Age=2592000; Path=/; Secure; SameSite=strict`.
+Default is `Max-Age=2592000; Path=/; Secure; SameSite=lax`.footnote:[`SameSite=strict doesn’t work with e.g. Microsoft ATP (that crap used when opening links from MS Teams) – `Set-Cookie` is not propagated.]
 $oidc_error_pages_dir:: Path to the directory with error page templates.
diff --git a/src/config.ts b/src/config.ts
index 549d60a..48f2d45 100644
--- a/src/config.ts
+++ b/src/config.ts
@@ -18,12 +18,14 @@ const configDescriptor = {
 postLogoutRedirectUri: '',
 internalLocationsPrefix: '/-/internal',
 cookieAttrs: {
- // max-age=2592000; path=/; secure; samesite=strict
+ // max-age=2592000; path=/; secure; samesite=lax
+ // NOTE: samesite=strict doesn't work with e.g. Microsoft ATP (that crap
+ // used when opening links from MS Teams).
 default: {
 maxAge: 2592000, // 30 days
 path: '/',
 secure: true,
- sameSite: 'strict',
+ sameSite: 'lax',
 } as SetCookieAttrs,
 parser: parseCookieAttrs,
 },
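Review bot: The new default `sameSite: 'lax'` on the session cookie is a CSRF trade-off that the added comment does not record: a Lax cookie is still withheld on cross-site POST, but it is sent on cross-site top-level GET navigations, which Strict blocked. Any module endpoint that changes state on a GET (logout is the usual candidate; none is visible in this hunk) should therefore carry its own CSRF check rather than relying on the cookie attribute, and that expectation belongs next to the default. The comment should also name the actual mechanism — a Strict cookie is not sent on the top-level navigation that follows the callback redirect when the flow was started from a cross-site page — rather than "doesn't work with Microsoft ATP", and the "that crap" aside is better left out of the source; e.g. `// NOTE: 'lax' rather than 'strict': a Strict cookie is not sent on the top-level navigation` / `// that follows the callback redirect when the flow was started cross-site (e.g. MS Teams / Microsoft ATP safe links).` / `// Lax still withholds the cookie on cross-site POST, but sends it on cross-site top-level GET, so GET endpoints that change state need their own CSRF check.`. The `configDescriptor` object starts before the hunk and continues after it.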