Redirect request from external origin doesn't apply the base domain cookies

[jraoult]

Current behavior

It seems like Cypress is unable to re apply cookies set for the base domain after redirect from an different origin.

I found that while testing a typical OAuth authorization code flow. It requires at some point for the server to store a challenge (aka code) in session to then use it to verify the params when the identity provider calls back the server. In my case, the session is a encrypted cookie and while it works while manually testing I can not get this test to pass with Cypress.

Desired behavior

When the external domain wrapped in cy.origin redirects to the base domain, the request should contain the cookies for the base domain.

Test code to reproduce

it.only("can sign in with SSO", () => {
  cy.visit("/login?sso");

  const username = () => $t("username-input");
  const submit = () => $t("sign-in-button");

  username().find("input").type("{selectall}me@example.com");

  // this triggers a session creation (set-cookie) and redirects to onelogin.com
  submit().click();

  cy.origin("xxx.onelogin.com", () => {
    cy.get("#password").type("xxx{enter}");
    // Now onelogin.com redirects to my domain /auth/callback but somehow the
    // session cookie is not in the headers. This results in the failure of
    // the callback parameters check.
  });

  // This fails because the server redirected to the login page instead to
  // restart the process.
  cy.url().should("contain", "/home");
});

Cypress Version

13.12.0

Node version

22

Operating System

macOS 14.5

Debug Logs

No response

Other

No response

[Tomino2112]

I can confirm we are seeing the same issue. Redirect to base domain that happens within different origin does not have the cookies set for base domain (completely missing cookie header).
I have tried all sorts of workarounds including intercepting the request and manually injecting the cookie header but none of that worked.
Strangely, Cypress seem to ignore anything I have done in the intercept including simple logs, but in the UI would display that the request did match intercept.

Considering the above, it would be something like

cy.intercept('/auth/callback*', (req) => {
  req.headers['cookie'] = 'x-test=hello;'
}).as('authCb');

cy.wait('@authCb').its('request.headers').should('have.property', 'cookie', 'x-test=hello;');

I should also mention that subsequent requests to the base domain (eg loading JS chunks) have the cookie header set correctly

[Tomino2112]

And of course, a minute after posting the above I have found a "solution".
It would seem that the cookie must be set to have no restriction on SameSite and Secure to be true.

cy.setCookie('test', 'hello', {
      domain: cookieDomain,
      path: '/',
      sameSite: 'no_restriction',
      secure: true,
    });

This worked for us, obviously OP is probably not setting the cookie manually so might not work the same

[AtofStryker]

A full reproduction would be very useful here so we can run the test on our end. Right now the links in the description are relative. Is anyone willing to try out the Cypress 14 prerelease binary? If the navigations are subdomain navigations, this could fix the problem. See #25806 (comment) for binary details

[cypress-app-bot]

This issue has not had any activity in 180 days. Cypress evolves quickly and the reported behavior should be tested on the latest version of Cypress to verify the behavior is still occurring. It will be closed in 14 days if no updates are provided.