
Google Login breaks when SESSION_COOKIE_SAMESITE is set to Strict #3232

Closed
100cube opened this issue Jan 12, 2023 · 5 comments

Comments

@100cube

100cube commented Jan 12, 2023

Hi,

I have set up Google and Facebook social sign-in using all-auth using templates (i.e. not DRF, etc.). Google login stopped working at some point. After a lot of digging, I have found that whenever I have the following setting

# in settings
SESSION_COOKIE_SAMESITE = 'Strict'

It fails most of the time, on production, with this setting on. The only account I have had success with is a Google Workspace account (non-Gmail).

However, taking a hint from #2982, as soon as I remove that setting (it defaults to Lax) everything seems to work fine.

Facebook provider works fine with or without that setting, which leads to the question: is it possible to get the Google provider to work similarly to the way the Facebook provider works? It would be great for some sites to have SESSION_COOKIE_SAMESITE set to Strict.

Many thanks

@derek-adair

Could you provide logs, please? It's always a good idea to provide a snapshot of what happened and any relevant configuration. This would include the allauth version, Python version, etc.

@andresmrm

andresmrm commented Dec 7, 2023

I can confirm this error, but for me it happens every time when using SESSION_COOKIE_SAMESITE = 'Strict'.

Python 3.11.6
django-allauth 0.58.2 (also tested with 0.56.1)
Firefox 116 and Chromium 119

The error is raised here:
https://github.com/pennersr/django-allauth/blob/main/allauth/socialaccount/providers/oauth2/client.py#L93
Some relevant values there:

pkce_code_verifier == None
resp.json() == {'error': 'invalid_grant', 'error_description': 'Missing code verifier.'}

Related configs:

SOCIALACCOUNT_PROVIDERS = {
    'google': {
        'SCOPE': [
            'profile',
            'email',
        ],
        'AUTH_PARAMS': {
            'access_type': 'online',
        },
        'OAUTH_PKCE_ENABLED': True,
        'APP': {
            'client_id': '***',
            'secret': '***',
        },
    }
}

Not sure if related, but I've found this: simov/grant#199

Since pkce_code_verifier seems to come from the cookie ( https://github.com/pennersr/django-allauth/blob/main/allauth/socialaccount/providers/oauth2/views.py#L69 ), using Strict won't allow access to it when coming back from Google. Is there another way to store and access it?

I don't understand the details of the problem (if there is a solution or not), but I also would like to keep my session cookie as Strict.
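The mechanism behind the "Missing code verifier." error above can be shown with a small simulation. This is an added example, not django-allauth's code: it models a browser applying the SameSite rules to the session cookie and a stand-in token endpoint (FakeProvider, constructed here; its error message is copied from the comment above so the failure looks the same). Step 1 of the login happens on our own site, so the session cookie is sent and the PKCE verifier is stored in that session; step 2 is the top-level GET redirect back from the provider, which is a cross-site request. A Lax cookie rides along on that navigation, a Strict cookie does not, so the callback view sees a session without the verifier.

```python
"""Model of why SESSION_COOKIE_SAMESITE='Strict' breaks an OAuth2 + PKCE login.

Constructed simulation, not django-allauth code. The browser rule modelled:
a Strict cookie is never sent on a request initiated by another site; a Lax
cookie is sent on cross-site top-level GET/HEAD navigations (the redirect back
from the provider is exactly that); None is always sent.
"""
import base64
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_pkce_pair() -> Tuple[str, str]:
    """RFC 7636: random code_verifier and its S256 code_challenge."""
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


def cookie_is_sent(samesite: str, cross_site_initiator: bool,
                   top_level_navigation: bool, method: str) -> bool:
    """Browser decision for one cookie on one request."""
    if not cross_site_initiator:
        return True                      # same-site: always sent
    mode = samesite.lower()
    if mode == "none":
        return True                      # cross-site allowed (needs Secure)
    if mode == "lax":
        return top_level_navigation and method in ("GET", "HEAD")
    return False                         # Strict: never cross-site


@dataclass
class FakeProvider:
    """Stand-in for the authorization server (hypothetical, not Google)."""
    challenges: Dict[str, str] = field(default_factory=dict)

    def authorize(self, code_challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self.challenges[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: Optional[str]) -> dict:
        challenge = self.challenges.pop(code, None)
        if challenge is None:
            return {"error": "invalid_grant"}
        if code_verifier is None:
            # Same response text the reporter saw from Google.
            return {"error": "invalid_grant",
                    "error_description": "Missing code verifier."}
        if _b64url(hashlib.sha256(code_verifier.encode()).digest()) != challenge:
            return {"error": "invalid_grant",
                    "error_description": "Bad code verifier."}
        return {"access_token": secrets.token_urlsafe(8)}


def oauth_login_roundtrip(session_cookie_samesite: str) -> dict:
    """Run one login and return the token endpoint's response."""
    provider = FakeProvider()
    server_sessions: Dict[str, dict] = {}

    # Step 1: user clicks "Login with Google" on our site. Same-site request,
    # so the session cookie is sent and the verifier is stored in the session.
    session_id = secrets.token_urlsafe(8)
    verifier, challenge = make_pkce_pair()
    server_sessions[session_id] = {"pkce_code_verifier": verifier}
    code = provider.authorize(challenge)

    # Step 2: provider redirects the browser to our callback URL with ?code=...
    # This is a cross-site top-level GET navigation from the browser's view.
    sent = cookie_is_sent(session_cookie_samesite, cross_site_initiator=True,
                          top_level_navigation=True, method="GET")
    # Without the cookie Django would start a fresh, empty session here.
    session = server_sessions[session_id] if sent else {}
    return provider.token(code, session.get("pkce_code_verifier"))


if __name__ == "__main__":
    for mode in ("Strict", "Lax"):
        print(mode, oauth_login_roundtrip(mode))
```

The same model explains why a CSRF token or OAuth `state` kept only in a Strict session cookie goes missing on the callback: anything the callback must read back from the session has to arrive via a cookie the browser is willing to attach to a cross-site top-level GET, which is what Lax permits and Strict forbids.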

@acuD1

acuD1 commented Feb 6, 2024

Hi,

I encounter the same issue. Microsoft Graph is impacted as well.

settings.py:

# Cookie and Session
CSRF_COOKIE_SAMESITE = 'Strict'
CSRF_COOKIE_HTTPONLY = False
SESSION_COOKIE_SAMESITE = 'Strict'
SESSION_COOKIE_HTTPONLY = True

if IS_PROD_OR_PREPROD:
    CSRF_COOKIE_SECURE = True
    SESSION_COOKIE_SECURE = True

@pennersr
Owner

Fixed via 40831dc
