Default cookie setter in OAuth is not setting samesite = None #352

@Kudze

Description

Issue summary

The samesite parameter is omitted from the setcookie call in the OAuth2 process: https://github.com/Shopify/shopify-api-php/blob/main/src/Auth/OAuth.php#L351, causing the default Lax mode to be selected.

This causes the "Perform Token Exchange" step in https://shopify.dev/docs/apps/build/authentication-authorization/session-tokens#request-flow-using-a-session-token to fail when the embedded page is loaded through an iframe (for example from the Shopify admin panel), because the cookies will not be saved.

Expected behavior

The cookies should be set and OAuth should succeed in Shopify admin panel.

Actual behavior

The cookies are not set and OAuth fails in Shopify admin panel.

Steps to reproduce the problem

  1. Implement a minimal application implementing Shopify's OAuth2 authentication (online mode = true), using this library, with the default cookie setter.
  2. Install application into any Shopify store.
  3. Delete the initial customer's session (simulating a different admin user or an expired session).
  4. Try to perform "Token Exchange" from Shopify admin panel.

Reduced test case


Checklist

  • I have described this issue in a way that is actionable (if possible)
  • I have created a merge request fixing this issue.
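For reference, a cookie setter that does set the attribute the report describes as missing, written as an added example and not taken from shopify-api-php: a page embedded in a cross-site iframe only receives cookies marked SameSite=None, and browsers require Secure alongside it. The `EmbeddedAppCookie` class and the `setEmbeddedAppCookie` function are this example's own names; the library's cookie object and custom-setter hook are not shown on this page, so their shapes are assumed.

```php
<?php
declare(strict_types=1);

// Added example (not library code). Minimal cookie value object; the field
// names are assumptions of this example, not the library's accessors.
final class EmbeddedAppCookie
{
    public function __construct(
        public readonly string $name,
        public readonly string $value,
        public readonly int $expire,
    ) {}
}

/**
 * Sets a cookie with the attributes a cross-site iframe context needs.
 *
 * Returns false instead of emitting the header when the request is not HTTPS:
 * SameSite=None without Secure is rejected by browsers, so the cookie would be
 * dropped silently and the failure would look exactly like the one reported.
 * Behind a TLS-terminating proxy, replace the HTTPS check with the proxy's
 * trusted forwarded-protocol signal; do not trust client-supplied headers.
 */
function setEmbeddedAppCookie(EmbeddedAppCookie $cookie): bool
{
    $isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$isHttps) {
        return false;
    }

    // The options-array form of setcookie() (PHP 7.3+) is the only form that
    // exposes the samesite attribute. The positional form has no parameter
    // for it, so a setter using that form leaves the browser default (Lax),
    // which is why the cookie never arrives in the embedded iframe.
    return setcookie($cookie->name, $cookie->value, [
        'expires'  => $cookie->expire,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'None',
    ]);
}
```

When verifying a fix, inspect the `Set-Cookie` response header of the OAuth begin request: it must carry both `SameSite=None` and `Secure`, since either one alone leaves the cookie unusable in the iframe.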
