fix: change oauth convert oidc cookie to SameSite=Lax (#9129)

Emyrk · web-flow · commit 74999305b604 · 2023-08-16T12:50:44.000-05:00
The strict mode was blocking the cookie from being sent on the
redirect flow. This worked on localhost because cookies
behave differently on localhost
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -184,7 +184,9 @@ func (api *API) postConvertLoginType(rw http.ResponseWriter, r *http.Request) {
 		Expires:  claims.ExpiresAt.Time,
 		Secure:   api.SecureAuthCookie,
 		HttpOnly: true,
-		SameSite: http.SameSiteStrictMode,
+		// Must be SameSite to work on the redirected auth flow from the
+		// oauth provider.
+		SameSite: http.SameSiteLaxMode,
 	})
 	httpapi.Write(ctx, rw, http.StatusCreated, codersdk.OAuthConversionResponse{
 		StateString: stateString,
