I'm having trouble with a website that uses OpenID Connect for authentication. It's been working fine for years, but recently it stopped functioning correctly on Safari and iOS browsers. Specifically, Safari doesn't seem to be sending certain authentication cookies back to the server, and I'm not sure why that's happening. The site works perfectly in both Firefox and Chrome. I've already tried setting the SameSite attribute to 'lax' and 'none', but that didn't help. Below are the request and response headers I captured. Can anyone provide insight into what might be going wrong?
2 Answers
It sounds like you might be trying to make a request to an HTTP endpoint (like your example: http://portal.mydomain.com/oidc/auth). The problem is that these endpoints can't set "secure" cookies. Make sure that your page is being served over HTTPS.
Issues with Safari and cookies often come down to SameSite policy, secure settings, and proper domain/path configurations. For cross-site requests, you’ll need SameSite=None and Secure, plus ensure that you’re including credentials in your requests. It's also worth checking if Intelligent Tracking Prevention (ITP) is blocking third-party cookies, especially if your auth is spanning subdomains or being used within iframes.
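To make the two answers concrete, here is an added example (not code from the question, the answers, or the site in question) that models the cookie rules both answers rely on: a Secure cookie cannot be stored from a plain-HTTP response, SameSite=None is only honoured together with Secure, and SameSite decides whether a stored cookie rides along on a cross-site request. The cookie name `oidc_state`, its value, and the request contexts in `main()` are constructed for the demonstration; the HTTP endpoint http://portal.mydomain.com/oidc/auth is the one quoted in the first answer. The model deliberately does not cover Intelligent Tracking Prevention, which is browser-specific and not expressible as a header rule.

```python
"""Model of the Set-Cookie storage and send rules discussed in the answers.

Added example, not from the original page. It checks a Set-Cookie header
against the response that carries it and against the request that should
later carry the cookie back, and reports why a browser would drop it.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    http_only: bool = False
    samesite: Optional[str] = None  # "strict", "lax", "none", or None when absent
    domain: Optional[str] = None
    path: str = "/"


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "samesite":
            cookie.samesite = val.lower()
        elif key == "domain":
            cookie.domain = val.lstrip(".").lower()
        elif key == "path":
            cookie.path = val or "/"
    return cookie


def storage_problems(cookie: Cookie, response_scheme: str) -> list[str]:
    """Reasons a browser would refuse to store the cookie in the first place."""
    problems = []
    if cookie.secure and response_scheme != "https":
        # First answer: an http:// endpoint cannot set a Secure cookie.
        problems.append("Secure cookie set by a non-HTTPS response: browsers discard it")
    if cookie.samesite == "none" and not cookie.secure:
        # Second answer: SameSite=None must be paired with Secure.
        problems.append("SameSite=None without Secure: rejected by current browsers")
    if cookie.samesite not in (None, "strict", "lax", "none"):
        problems.append(f"unknown SameSite value {cookie.samesite!r}")
    return problems


@dataclass
class RequestContext:
    scheme: str                 # scheme of the request the browser is about to send
    same_site: bool             # initiator and target share one registrable domain
    top_level_navigation: bool  # address-bar navigation (redirect, link), not fetch/iframe
    method: str = "GET"


def send_problems(cookie: Cookie, ctx: RequestContext) -> list[str]:
    """Reasons an already-stored cookie would be left out of this request."""
    problems = []
    if cookie.secure and ctx.scheme != "https":
        problems.append("Secure cookie is never sent over http")
    if not ctx.same_site:
        if cookie.samesite is None:
            problems.append("no SameSite attribute: cross-site behaviour differs between browsers")
        elif cookie.samesite == "strict":
            problems.append("SameSite=Strict cookies are not sent on any cross-site request")
        elif cookie.samesite == "lax" and not (ctx.top_level_navigation and ctx.method.upper() == "GET"):
            problems.append("SameSite=Lax cookies are only sent on top-level GET navigations")
    return problems


def main() -> None:
    # Constructed header: the kind of state/nonce cookie an OIDC relying party sets
    # just before redirecting the user to the identity provider.
    header = "oidc_state=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"
    cookie = parse_set_cookie(header)
    # Scenario from the first answer: the cookie is set by http://portal.mydomain.com/oidc/auth
    print("set over http: ", storage_problems(cookie, "http"))
    print("set over https:", storage_problems(cookie, "https"))
    # Callback redirect back to the same site is a top-level GET, so Lax is enough.
    callback = RequestContext(scheme="https", same_site=True, top_level_navigation=True)
    print("callback (same-site):", send_problems(cookie, callback))
    # A form_post style callback from a different site would need SameSite=None + Secure.
    cross_post = RequestContext(scheme="https", same_site=False, top_level_navigation=True, method="POST")
    print("cross-site POST:", send_problems(cookie, cross_post))


if __name__ == "__main__":
    main()
```

Running the script prints one problem for the cookie set over plain HTTP and none once the same header is sent over HTTPS, which is the check the first answer suggests; the last line shows that the move to SameSite=None the question mentions only matters when the callback is genuinely cross-site.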

Considering everything is coming from portal.mydomain.com, I'm not sure if cross-site issues are relevant here, right? Also, since the authentication relies on redirections, I don’t think iframes are involved.