Issue summary
The samesite parameter is being omitted from the setcookie function in the OAuth2 process: https://github.com/Shopify/shopify-api-php/blob/main/src/Auth/OAuth.php#L351, causing the default Lax mode to be selected.
This causes the "Perform Token Exchange" step in https://shopify.dev/docs/apps/build/authentication-authorization/session-tokens#request-flow-using-a-session-token to fail when the embedded page is loaded through an iframe (for example from the Shopify admin panel), because the cookies will not be saved.
Expected behavior
The cookies should be set and OAuth should succeed in Shopify admin panel.
Actual behavior
The cookies are not set and OAuth fails in Shopify admin panel.
Steps to reproduce the problem
- Implement a minimal application implementing Shopify's OAuth2 authentication (online mode = true), using this library, with the default cookie setter.
- Install application into any Shopify store.
- Delete the initial customer's session. (Simulating different admin user or expired session).
- Try to perform "Token Exchange" from Shopify admin panel.
Reduced test case
Checklist
- I have described this issue in a way that is actionable (if possible)
- I have created a merge request fixing this issue.
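Added example (not code from shopify-api-php or from the issue author) showing the difference the report describes: the positional `setcookie()` form carries no samesite option, so browsers apply their SameSite=Lax default and drop the cookie when the page is framed cross-site (the Shopify admin iframe), while the options-array form can set `SameSite=None`, which browsers only honour together with `Secure`. The cookie name and value are constructed for the example; whether the second function can be plugged in as the library's custom cookie setter depends on the library's hook (the `$setCookieFunction` argument of `OAuth::begin` is an assumption here, check the current signature).

```php
<?php
// Added example, not code from shopify-api-php. Constructed cookie values stand in
// for whatever the OAuth step would store.
$name   = 'shopify_app_state';        // assumed name
$value  = bin2hex(random_bytes(16));  // constructed opaque state value
$expire = time() + 60;

// Positional signature: there is no samesite argument at all, so the browser's
// default (Lax) applies and the cookie is not stored inside a cross-site iframe.
function setOAuthCookieLax(string $name, string $value, int $expire): bool
{
    //                 name,  value,  expire,  path, domain, secure, httponly
    return setcookie($name, $value, $expire, '/', '', true, true);
}

// Options-array signature (PHP >= 7.3): samesite can be set explicitly.
// SameSite=None is rejected by browsers unless Secure is also set, so the
// pair must go together (and the app must therefore be served over HTTPS).
function setOAuthCookieNone(string $name, string $value, int $expire): bool
{
    return setcookie($name, $value, [
        'expires'  => $expire,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'None',
    ]);
}

// The two resulting Set-Cookie headers, for comparison (assumption: a custom
// setter callable like the one below is what the library's OAuth hook accepts).
setOAuthCookieLax($name, $value, $expire);
setOAuthCookieNone($name, $value, $expire);
foreach (headers_list() as $h) {
    if (stripos($h, 'Set-Cookie:') === 0) {
        echo $h, PHP_EOL;
    }
}
```

Caveat worth keeping in mind: `SameSite=None; Secure` only removes the SameSite restriction. Browsers that block third-party cookies outright (or users who have disabled them) will still drop the cookie in the iframe, which is the reason the session-token flow the issue links to avoids cookies where it can.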