Description
Hey Synapse team!
In October, the following change was done to Synapse:
Update oidc_session_no_samesite cookie to be Secure (#19079)
I'm running a test environment locally (and Playwright E2E tests in CI). Since this change, I cannot connect to Synapse via OIDC anymore. I'm getting this error:
There was an error
No session cookie found
If you are seeing this page after clicking a link sent to you via email, make sure you only click the confirmation link once, and that you open the validation link in the same client you're logging in from.
Try logging in again from your Matrix client and if the problem persists please contact the server's administrator
Error code
missing_session
The origin of the issue is that, unlike the other browsers, WebKit treats "localhost" as non-secure regarding cookies. So when you add "Secure", WebKit stops storing cookies locally.
Steps to reproduce
- set up a local environment with Synapse connected to an OIDC provider (everything running on localhost)
- try to connect
Homeserver
Dev homeserver at Synapse 1.144.0
Synapse Version
1.144.0
Installation Method
Docker (matrixdotorg/synapse)
Database
SQLite
Workers
Single process
Platform
Configuration
This happens in a development environment where there is no HTTPS.
Synapse domain name is "http://matrix.localhost", running in a docker-compose behind a reverse-proxy.
Relevant log output
Anything else that would be useful to know?
I think being able to log in to Synapse via OIDC is important in a development environment where no HTTPS is available. Do you think it is possible to remove the "Secure" part of the cookie if we detect a request comes from HTTP? (and keep it for HTTPS?)
A more restrictive version could check if the request comes from "localhost" or "*.localhost". Not sure if this is needed though.
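The two variants proposed above (drop Secure on any plain-HTTP request, or only when the host is "localhost" / "*.localhost"), written out as an added example that is not Synapse's code and not part of the issue. It assumes a hypothetical cookie path, and that the reverse proxy mentioned in the configuration forwards the original scheme in an X-Forwarded-Proto header that only the proxy can set:

```python
from typing import Optional

# Cookie named in the issue; everything else here is a constructed illustration.
COOKIE_NAME = "oidc_session_no_samesite"
# Hypothetical path placeholder, not Synapse's real cookie path.
COOKIE_PATH = "/oidc-callback-path"


def is_local_dev_host(host: str) -> bool:
    """True for "localhost" and any "*.localhost" name (the restrictive variant)."""
    hostname = host.split(":", 1)[0].strip().lower()
    return hostname == "localhost" or hostname.endswith(".localhost")


def effective_scheme(request_scheme: str, forwarded_proto: Optional[str]) -> str:
    """Scheme the browser actually used.

    Behind a reverse proxy the TLS terminates at the proxy, so the backend sees
    "http" for every request; the proxy reports the client-facing scheme in
    X-Forwarded-Proto. That header must be stripped/overwritten by the proxy,
    otherwise a client could claim "https" and get a Secure-less cookie.
    """
    if forwarded_proto:
        # Some proxies chain values: "https, http" -> take the client-facing one.
        return forwarded_proto.split(",")[0].strip().lower()
    return request_scheme.lower()


def should_mark_secure(scheme: str, host: str, restrict_to_localhost: bool = True) -> bool:
    """Decide whether the OIDC session cookie gets the Secure attribute.

    - HTTPS always keeps Secure (unchanged production behaviour).
    - Plain HTTP drops Secure only for localhost-style hosts when
      restrict_to_localhost is True; with False, any HTTP request drops it
      (the broader variant from the issue, which also covers non-local HTTP
      deployments and therefore relaxes the cookie more widely).
    """
    if scheme == "https":
        return True
    if restrict_to_localhost:
        return not is_local_dev_host(host)
    return False


def build_set_cookie(
    scheme: str,
    host: str,
    value: str,
    max_age: int = 600,
    restrict_to_localhost: bool = True,
    forwarded_proto: Optional[str] = None,
) -> str:
    """Render a Set-Cookie header value for the OIDC session cookie."""
    resolved = effective_scheme(scheme, forwarded_proto)
    attrs = [
        f"{COOKIE_NAME}={value}",
        f"Path={COOKIE_PATH}",
        f"Max-Age={max_age}",
        "HttpOnly",  # the cookie is only read back by the server on the callback
    ]
    if should_mark_secure(resolved, host, restrict_to_localhost):
        attrs.append("Secure")
    return "; ".join(attrs)


if __name__ == "__main__":
    # Constructed requests: the dev setup from the issue, and a production host.
    print(build_set_cookie("http", "matrix.localhost", "dev-session-token"))
    print(build_set_cookie("http", "matrix.example.org", "prod-token", forwarded_proto="https"))
```

With the default (restrictive) setting, "http://matrix.localhost" gets a cookie without Secure so WebKit stores it, while a request that reaches Synapse as HTTP behind a TLS-terminating proxy still gets Secure because the forwarded scheme is "https". The trust boundary on X-Forwarded-Proto is the check to keep in mind: if that header is taken from arbitrary clients, the "drop Secure on HTTP" rule can be triggered by spoofing the scheme, which is one reason the localhost-only variant is the more conservative choice.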