A project that I've been working on uses GoogleProvider for authentication. In my local environment, auth works perfectly. These are the cookies and their attributes in localhost after successful login:
But in the production environment (HTTPS being used, backend at domain.com/api, and frontend at domain.com), sometimes the authentication works and sometimes it doesn't. When I dug deeper, I found that the OAuth cookie set before the redirect to the Google consent screen sometimes disappears by the time the Google callback occurs, so the cookie state is null and I get an invalid state error in the backend when calling the getUserInfo method of AbstractProvider, like this:
But sometimes the cookie does not disappear; in that case there is no invalid state error and login succeeds. This is the status:
Here's the status of cookies that are there on successful redirection in production:
What might be the issue? Is it because the oauth2-state cookie's SameSite attribute is not set?
Update: So I tried two things: I forked the AbstractProvider and just implemented the redirect method with SameSite set to Lax and the domain set to .domain.com to include subdomains. I don't know which of the two did the trick, but it worked.
In this situation, where it happens only in production with the domains you provided, my guess would be that there is something wrong with either the cookie domain or the cookie path, which seems to be the cookie domain in your case. I don't think the SameSite attribute changed anything, because most browsers (Chrome, Firefox) use Lax as the default value.
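To make the fix in the update and the domain/path hypothesis above concrete, here is an added Go example (not code from the library or from the reporter). It assumes the deployment from the report (site domain.com, backend callback under /api) and uses Go's net/http cookie jar to replay, offline, which cookies a browser would attach to the callback request, so the difference between a host-only, path-scoped state cookie and one with explicit Domain and Path="/" can be checked directly.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"net/http"
	"net/http/cookiejar"
	"net/url"
)

const stateCookieName = "oauth2-state" // cookie name from the issue report

// newStateCookie builds the OAuth state cookie with every attribute explicit.
// Assumed deployment: site "domain.com", backend routes under "/api".
func newStateCookie(state string) *http.Cookie {
	return &http.Cookie{
		Name:     stateCookieName,
		Value:    state,
		Path:     "/",          // not scoped to the redirect handler's own path
		Domain:   "domain.com", // sent to domain.com and every subdomain
		MaxAge:   300,          // only has to survive the round trip to Google
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode, // attached to the top-level GET back from Google
	}
}

// checkState runs in the callback: a missing cookie is the "invalid state"
// failure from the issue; a mismatch means the request did not start here.
func checkState(r *http.Request) error {
	c, err := r.Cookie(stateCookieName)
	if err != nil {
		return errors.New("invalid state: oauth2-state cookie not sent by browser")
	}
	got := r.URL.Query().Get("state")
	if got == "" || subtle.ConstantTimeCompare([]byte(c.Value), []byte(got)) != 1 {
		return errors.New("invalid state: cookie and state parameter differ")
	}
	return nil
}

// cookiesSentTo replays the browser's decision with Go's RFC 6265 jar: store c
// as if set by a response from setURL, then list what a request to reqURL gets.
func cookiesSentTo(c *http.Cookie, setURL, reqURL string) []*http.Cookie {
	jar, _ := cookiejar.New(nil) // nil suffix list is fine offline, not in production
	su, _ := url.Parse(setURL)
	ru, _ := url.Parse(reqURL)
	jar.SetCookies(su, []*http.Cookie{c})
	return jar.Cookies(ru)
}
```

Run cookiesSentTo with the cookie your redirect handler actually emits and the real callback URL (apex and www host) to see whether the jar drops it for the same reason the browser does.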