disable same-site for external cookie #2595

src/Configuration/DependencyInjection/ConfigureInternalCookieOptions.cs

@@ -39,6 +39,12 @@ public void Configure(string name, CookieAuthenticationOptions options)
             if (name == IdentityServerConstants.ExternalCookieAuthenticationScheme)
             {
                 options.Cookie.Name = IdentityServerConstants.ExternalCookieAuthenticationScheme;
+                // https://github.com/IdentityServer/IdentityServer4/issues/2595
+                // need to set None because iOS 12 safari considers the POST back to the client from the 
+                // IdP as not safe, so cookies issued from response (with lax) then should not be honored.
+                // so we need to make those cookies issued without same-site, thus the browser will
+                // hold onto them and send on the next redirect to the callback page.
+                options.Cookie.SameSite = SameSiteMode.None;
             }
         }
 

src/Infrastructure/MessageCookie.cs

@@ -91,6 +91,8 @@ public void Write(string id, Message<TModel> message)
                     HttpOnly = true,
                     Secure = Secure,
                     Path = CookiePath
+                    // don't need to set same-site since cookie is expected to be sent
+                    // to only another page in this host. 
                 });
         }