Oidc cookie wrong #1740

@smeretech

Description

Describe the Bug

Hello

I am also encountering the same problem as in the previous ticket #1644.

I should point out that I have version 1.11 and the IdP is Authentik.

When accessing the baseurl, the problem does not occur because the oidc cookie remains correctly set with the baseurl domain and, in the callback from Authentik, it maintains the session and, above all, the oidc cookie.
The real problem is with the use of other third-level domains where there are resources that Pangolin has to manage.

  1. When logging in to resource1.domain.it:
    Pangolin sets the state cookie:
    p_oidc_state=...; Domain=resource1.domain.it; SameSite=lax

  2. The Callback:
    Authentik (correctly) redirects to Pangolin's baseURL: https://pangolin.domain.it/auth/.../callback

  3. The cookie then disappears:
    The browser must go to pangolin.domain.it. It looks at the cookie it has saved and sees Domain=resource1.domain.it.
    The browser refuses to send that cookie for two reasons:

• Reason 1 (The Main Block): The domains do not match.
• Reason 2 (The Secondary Block): The redirection from Authentik is "cross-site," and the cookie is SameSite=lax. This also blocks it.

I created some http-response replace-value rules upstream of Pangolin (HAProxy) so that they intercept the p_oidc_state cookie (and only that one) and transform it from:
Domain=resource1.domain.it; SameSite=lax
to
Domain=.domain.it; SameSite=None; Secure

With the rules active and setting the cookie_domain to .domain.it in the config file:

  1. I go to https://resource1.domain.it.
  2. Pangolin starts the OIDC login. The p_oidc_state cookie is set for resource1.domain.it.
  3. HAProxy intercepts the cookie and corrects it to Domain=.domain.it and SameSite=None.
  4. I log in to Authentik and am redirected to the callback on pangolin.domain.it.
  5. The browser sends the p_oidc_state cookie (because .domain.it is valid). The login is successful.
  6. Pangolin creates the session cookie (p_session_token) but probably does so using pangolin.domain.it despite the variable.
  7. Pangolin (due to the bug) still redirects to the pangolin.domain.it dashboard.

Now there is an infinite loop.

Environment

  • OS Type & Version: docker
  • Pangolin Version: 1.11
  • Gerbil Version: latest
  • Traefik Version:
  • Newt Version: latest
  • Olm Version: (if applicable)

To Reproduce

  1. When logging in to resource1.domain.it:
    Pangolin sets the state cookie:
    p_oidc_state=...; Domain=resource1.domain.it; SameSite=lax
  2. The Callback:
    Authentik (correctly) redirects to Pangolin's baseURL: https://pangolin.dominio.it/auth/.../callback
  3. The cookie then disappears due to the mismatch.

Expected Behavior

Generate an OIDC cookie based on the first level of the domain (.domain.it) and fix the session cookie.
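The two browser checks the report describes, modelled as an added example (not code from the issue, Pangolin or HAProxy): it evaluates the original and the HAProxy-rewritten p_oidc_state header against the callback host, and distinguishes the top-level GET redirect from the IdP, which SameSite=Lax permits, from a cross-site POST, which it blocks. Host names are the issue's placeholders and the cookie value is constructed.

```python
# Added example, not code from the issue or from Pangolin/HAProxy: a model of the
# two browser checks the report describes, RFC 6265 domain matching and the
# SameSite rule, applied to the original and the rewritten p_oidc_state cookie.
# Hosts are the issue's placeholders; the cookie value is constructed.

def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: the host equals the cookie domain or is a subdomain of it.
    A leading dot (as in .domain.it) is ignored by modern browsers."""
    host = request_host.lower()
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def parse_set_cookie(header: str) -> dict:
    """Minimal Set-Cookie parser: name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        cookie[key.strip().lower()] = val.strip() if val else True
    return cookie

def would_browser_send(header: str, request_host: str, cross_site: bool,
                       method: str = "GET") -> list:
    """Return the reasons the browser would withhold the cookie ([] = sent)."""
    c = parse_set_cookie(header)
    reasons = []
    # Reason 1 in the report: the Domain attribute does not cover the callback host.
    if not domain_matches(request_host, c.get("domain", request_host)):
        reasons.append(f"Domain={c['domain']} does not cover {request_host}")
    # Reason 2: SameSite. Lax still allows a top-level GET navigation (a 302 from
    # the IdP), Strict blocks it, and a cross-site POST is blocked under both.
    samesite = str(c.get("samesite", "lax")).lower()
    if cross_site and (samesite == "strict" or (samesite == "lax" and method != "GET")):
        reasons.append(f"SameSite={samesite} blocks cross-site {method}")
    if samesite == "none" and c.get("secure") is not True:
        reasons.append("SameSite=None is rejected without Secure")
    return reasons

ORIGINAL = "p_oidc_state=abc123; Domain=resource1.domain.it; SameSite=lax"
REWRITTEN = "p_oidc_state=abc123; Domain=.domain.it; SameSite=None; Secure"
CALLBACK_HOST = "pangolin.domain.it"

if __name__ == "__main__":
    for label, hdr in (("original", ORIGINAL), ("rewritten", REWRITTEN)):
        blocked = would_browser_send(hdr, CALLBACK_HOST, cross_site=True)
        print(label, "->", "sent" if not blocked else blocked)
```

Note that the rewrite works by widening Domain to .domain.it, which makes the state cookie visible to every host under domain.it, not only the two involved in the login; that is the trade-off behind the shared callback.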
