tomhughes left a comment (openstreetmap/openstreetmap-website#2799)
So I now have the necessary keys to test things out locally and there's a bit
of a hiccup... Apple insist on using `response_mode=form_post` in the OAuth 2
exchange if you want to ask for the `name` or `email` scopes but that means the
callback comes as a cross domain POST request which means we don't get our
session cookie because it is marked `SameSite=lax` and that means we can't
validate the OAuth state as that is in the session.
I can make it work by doing one of two things:
* Drop the `name` and `email` scopes from our request, and use
`response_mode=query`
* Switch our session cookie to `SameSite=none` which reduces our cookie security
I assume they think `response_mode=form_post` is more secure for some reason but
it's not clear why as the actual name/email data is not passed in that request
and the end result is that we have to reduce our cookie security 😢
--
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/2799#issuecomment-3156472926
_______________________________________________
rails-dev mailing list
[email protected]
https://lists.openstreetmap.org/listinfo/rails-dev
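The cookie behaviour described in the comment above, as an added example (not code from the openstreetmap-website project or from the comment's author): a simplified model of the browser's SameSite rule, plus a callback handler that validates `state` against the session the way a Rails app would. It assumes the session cookie is named `_session`, treats the Apple callback as a cross-site top-level request, and uses constructed `state`/`code` values; `simulate` runs both work-arounds named above, and a forged `state` case, through the same path.

```ruby
# Added example, not the project's own code. Constructed browser model and
# constructed state/code values; the `_session` cookie name is an assumption.

Cookie = Struct.new(:name, :value, :same_site, :secure, keyword_init: true)

# Simplified browser rule: is this cookie attached to a request?
#   strict -> only on same-site requests
#   lax    -> same-site requests, plus top-level cross-site navigations using GET
#   none   -> always, but only if the cookie is also marked Secure
def cookie_sent?(cookie, cross_site:, top_level:, method:)
  case cookie.same_site
  when :strict then !cross_site
  when :lax    then !cross_site || (top_level && method == "GET")
  when :none   then cookie.secure == true
  else false
  end
end

# Server side: the callback compares the incoming `state` with the value the
# app stored in the session when it started the authorization request. With no
# session cookie there is nothing to compare against, so the exchange is refused
# rather than trusting the incoming `state` on its own.
def handle_callback(cookies:, params:)
  session = cookies.find { |c| c.name == "_session" }
  return [:error, "no session cookie on callback, cannot validate state"] unless session

  expected = session.value[:oauth_state]
  return [:error, "state mismatch"] unless expected && params[:state] == expected

  [:ok, params[:code]]
end

# Drive one callback through the browser model. form_post delivers the callback
# as a cross-site POST; query delivers it as a cross-site top-level GET.
def simulate(response_mode:, same_site:, state_sent: "constructed-state-123")
  stored_state = "constructed-state-123"
  session = Cookie.new(name: "_session", value: { oauth_state: stored_state },
                       same_site: same_site, secure: true)
  method = response_mode == "form_post" ? "POST" : "GET"
  attached = cookie_sent?(session, cross_site: true, top_level: true, method: method) ? [session] : []
  handle_callback(cookies: attached, params: { state: state_sent, code: "constructed-code" })
end

if __FILE__ == $PROGRAM_NAME
  p simulate(response_mode: "form_post", same_site: :lax)   # cookie withheld -> error
  p simulate(response_mode: "query",     same_site: :lax)   # work-around 1   -> ok
  p simulate(response_mode: "form_post", same_site: :none)  # work-around 2   -> ok
  p simulate(response_mode: "query", same_site: :lax, state_sent: "forged") # -> state mismatch
end
```

The model makes the trade-off visible: with `SameSite=lax` the cross-site POST arrives without the session cookie, so the `state` check (the CSRF protection for the callback) cannot run at all, while `SameSite=none` restores the cookie on every cross-site request, not just this one, and only works when the cookie is also `Secure`.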