In Quarkus OIDC, it seems q_session can set SameSite=None for authentication, but it seems this does not take effect when removing the cookie.
    static void removeCookie(RoutingContext context, ServerCookie cookie, OidcTenantConfig oidcConfig) {
        if (cookie != null) {
            cookie.setValue("");
            cookie.setMaxAge(0);
            Authentication auth = oidcConfig.getAuthentication();
            setCookiePath(context, auth, cookie);
            if (auth.cookieDomain.isPresent()) {
                cookie.setDomain(auth.cookieDomain.get());
            }
        }
    }
My OIDC IDP supports SLO using an iframe, but the iframe does not set the cookie if the cookie is set with anything other than SameSite=None, so the session cookie will remain.
Is there any way to set SameSite=None when removing the cookie in Quarkus OIDC?
Quarkus version: 3.2.0.Final
As a simple solution, you can set sameSite after a manual logout, like below: