
Google login fails on recent versions of Safari related to Session SameSite attribute #2858

Closed
jnis77diver opened this issue May 7, 2021 · 1 comment


@jnis77diver

jnis77diver commented May 7, 2021

Our site is using:

  • Django v. 2.2.20
  • django-allauth v. 0.38

Recently we have had multiple users unable to login using Google login from Safari on Mac and iOS. I was able to confirm the issue myself on the following:

  • MacOS Safari 13.1.2
  • iOS v 14.4.2 (Safari version would also therefore be 14.4.2)

However, I can successfully login using an old iPad on Safari:

  • iPad v. 9.3.5 (Safari version would also therefore be 9.3.5)

I believe the issue relates to how recent versions of Safari are treating the SameSite attribute on the sessionid cookie.
On our production environment, we are currently using the 'Lax' default value set by Django and the cookie is not set to be Secure, i.e. we are not restricting it to be sent only over https (BTW, we plan to change this to make it Secure).

I've tried the following on our staging environment with the more recent versions of Safari above (where SUCCESS means that with the change, I can login with Google login):

  • SUCCESS: remove sessionid cookie SameSite attribute by setting SESSION_COOKIE_SAMESITE = None (b/c Django v. 2.2.20 doesn't have an option for the string 'None')
  • FAIL: keep sessionid cookie SameSite attribute = 'Lax' (the default) and set Secure flag to true, SESSION_COOKIE_SECURE = True (just to make sure the issue wasn't related to the Secure flag)

At the moment I can't see any way to handle this beyond a patchwork of checking the UserAgent and setting the SameSite attribute to 'None' (either by upgrading Django or using middleware) for Safari and leaving it 'Lax' for everything else. I'm surprised to not see anyone else using this package dealing with this issue.

We welcome all feedback on how to address this. If upgrading to a more recent Django and allauth would address the issue, that would be good to know.
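The two configurations tried above (SameSite attribute omitted, and SameSite=Lax with Secure) and the one the reporter considers (SameSite=None) differ only in what the Set-Cookie header says and in how a browser applies the generic SameSite rules to the cross-site redirect back from the identity provider. The following is an added example, not code from this issue, from Django or from django-allauth: it builds the session cookie header for each setting, audits it for the combinations that browsers reject or that weaken the session (SameSite=None without Secure, no Secure, no HttpOnly), and models the RFC 6265bis rules for whether the cookie accompanies a cross-site request. All function names are the example's own; the attribute-omission behaviour mirrors what SESSION_COOKIE_SAMESITE = None does in Django 2.2, as the issue describes.

```python
# Added example (not from the issue, Django or django-allauth): a standard-library
# model of the session cookie's SameSite/Secure flags and of the generic browser
# rules that decide whether the cookie is sent on a cross-site request such as
# the OAuth provider's redirect back to the site's callback URL.
from typing import Dict, Optional, Tuple, Union

Attr = Union[str, bool]  # valued attribute (e.g. SameSite=Lax) or bare flag (Secure)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def build_session_cookie(value: str, samesite: Optional[str], secure: bool,
                         httponly: bool = True, name: str = "sessionid") -> str:
    """Return a Set-Cookie header value for the session cookie.

    samesite=None omits the attribute entirely (what SESSION_COOKIE_SAMESITE = None
    does in Django 2.2); 'Lax', 'Strict' and 'None' are emitted verbatim
    (the string 'None' is only accepted by Django 3.1+).
    """
    if samesite is not None and samesite not in ("Lax", "Strict", "None"):
        raise ValueError("samesite must be None, 'Lax', 'Strict' or 'None'")
    parts = [f"{name}={value}", "Path=/"]
    if httponly:
        parts.append("HttpOnly")
    if samesite is not None:
        parts.append(f"SameSite={samesite}")
    if secure:
        parts.append("Secure")
    return "; ".join(parts)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Attr]]:
    """Split a Set-Cookie value into (name, value, {attribute: value-or-True})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs: Dict[str, Attr] = {}
    for part in rest:
        if not part:
            continue
        key, eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if eq else True
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header: str) -> Dict[str, str]:
    """Return {finding_code: explanation} for a session cookie header."""
    _, _, attrs = parse_set_cookie(header)
    findings: Dict[str, str] = {}
    samesite = attrs.get("samesite")
    if samesite is None:
        findings["NO_SAMESITE"] = ("no SameSite attribute: the browser's own default applies "
                                   "(Lax in Chromium-based browsers, None elsewhere)")
    elif str(samesite).lower() == "none" and "secure" not in attrs:
        findings["SAMESITE_NONE_WITHOUT_SECURE"] = ("SameSite=None without Secure: current "
                                                   "browsers reject the cookie, so no session "
                                                   "is ever established")
    if "secure" not in attrs:
        findings["NO_SECURE"] = "no Secure flag: the session id may be sent over plain http"
    if "httponly" not in attrs:
        findings["NO_HTTPONLY"] = "no HttpOnly flag: the session id is readable by page scripts"
    return findings


def sent_on_cross_site_request(samesite: Optional[str], method: str,
                               top_level_navigation: bool,
                               browser_default: str = "Lax") -> bool:
    """Generic RFC 6265bis rule: is the cookie attached to a cross-site request?

    Strict: never.  Lax: only on top-level navigations with a safe method
    (an OAuth redirect via GET passes, a form_post response does not).
    None: always.  A missing attribute falls back to browser_default.
    """
    mode = (samesite if samesite is not None else browser_default).lower()
    if mode == "strict":
        return False
    if mode == "lax":
        return top_level_navigation and method.upper() in SAFE_METHODS
    if mode == "none":
        return True
    raise ValueError(f"unknown SameSite mode {mode!r}")


if __name__ == "__main__":
    # The three configurations discussed in the issue, with constructed values.
    for label, samesite, secure in [("attribute omitted", None, False),
                                    ("Lax + Secure", "Lax", True),
                                    ("None + Secure", "None", True)]:
        header = build_session_cookie("constructed-session-id", samesite, secure)
        print(f"{label}: {header}")
        print("  findings:", audit_session_cookie(header) or "none")
        print("  sent on GET redirect back from provider:",
              sent_on_cross_site_request(samesite, "GET", True))
```

The audit is the check the reporter planned to add anyway (Secure on the session cookie) plus the one that bites when moving to SameSite=None: without Secure, browsers drop the cookie outright, which looks exactly like a broken login. The cross-site model shows why Lax normally suffices for a GET-based OAuth callback and only fails when the provider POSTs the response or the navigation is not top-level.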
