From b44bcbd2c26f83fdd63b4ca3a5a9c3f0ee921c4a Mon Sep 17 00:00:00 2001
From: Steven Masley
Date: Wed, 16 Aug 2023 09:49:08 -0500
Subject: [PATCH] fix: change oauth convert oidc cookie to SameSite=Lax

The strict mode was blocking the cookie from being sent on the redirect flow. This worked on localhost because cookies behave differently on localhost
---
 coderd/userauth.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/coderd/userauth.go b/coderd/userauth.go
index a61b6d126d0e0..1ea28efede6bd 100644
--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@@ -184,7 +184,9 @@ func (api *API) postConvertLoginType(rw http.ResponseWriter, r *http.Request) {
 Expires: claims.ExpiresAt.Time,
 Secure: api.SecureAuthCookie,
 HttpOnly: true,
- SameSite: http.SameSiteStrictMode,
+ // Must be SameSite to work on the redirected auth flow from the
+ // oauth provider.
+ SameSite: http.SameSiteLaxMode,
 })
 httpapi.Write(ctx, rw, http.StatusCreated, codersdk.OAuthConversionResponse{
 StateString: stateString,
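Review bot: The added comment on the SameSite line is misleading as written — Strict is also a SameSite mode, so `// Must be SameSite to work…` does not explain why Lax in particular is required; suggest `// Must be SameSite=Lax, not Strict: a Strict cookie is only attached to same-site requests, and the OAuth provider's redirect back to this server is a cross-site top-level navigation.` Since Lax also attaches this cookie to any cross-site top-level GET, the handler that consumes it must continue to bind the conversion to the `StateString` returned below (and rely on `Expires: claims.ExpiresAt.Time` to bound the window) rather than treating the cookie's presence as proof the flow was started by this endpoint; that handler is not in this hunk, so please confirm it still compares the state. postConvertLoginType begins and ends outside the hunk.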