I am using https://github.com/basecamp/google_sign_in to add google auth to my large rails app.
The auth flow in the gem is:
The problem is that flash and session are both empty in the callback controller.
What would cause rails to empty out flash and the session on the returning call from google?
This was caused by the same site policy being set to strict. Setting it to lax allows GET redirects to provide flash and other cookies.
The strict setting was the default in Rails but was changed to lax because GET redirects are essentially broken with the strict policy.
Example:
Cookies won't be set on redirect from other domains:
Rails.application.config.session_store :cookie_store, key: 'your-session', same_site: :strict
Cookies will be set on GET redirects:
Rails.application.config.session_store :cookie_store, key: 'your-session', same_site: :lax
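To make the difference concrete, here is an added Ruby example (not from the question, the answer, or the google_sign_in gem) that models the browser's SameSite rules and applies them to the return leg of the Google flow; the request attributes for the callback are assumptions chosen to mirror that flow.

```ruby
# Added example: a minimal model of the browser's SameSite cookie rules, used
# to show why a session cookie set with same_site: :strict is missing on the
# OAuth callback redirect from Google, while :lax sends it. The callback
# request attributes below are assumptions, not values taken from the gem.

SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

# Returns true when a cookie with the given SameSite attribute would be
# attached to a request. A request is "cross-site" when the site that
# initiated it (e.g. accounts.google.com) differs from the cookie's site.
def cookie_sent?(same_site:, method:, cross_site:, top_level:)
  return true unless cross_site            # same-site requests always carry the cookie

  case same_site
  when :none   then true                   # sent cross-site (browsers also require Secure)
  when :lax    then top_level && SAFE_METHODS.include?(method.upcase)
  when :strict then false                  # never sent on any cross-site request
  else raise ArgumentError, "unknown SameSite value #{same_site.inspect}"
  end
end

# The return leg of the Google flow: the browser follows a redirect from
# Google back to the app's callback URL. That is a top-level, cross-site GET.
GOOGLE_CALLBACK = { method: "GET", cross_site: true, top_level: true }.freeze

# Is the session cookie (and therefore the flash, which lives in the session)
# available to the callback controller under this policy?
def session_available_on_callback?(same_site)
  cookie_sent?(same_site: same_site, **GOOGLE_CALLBACK)
end

if __FILE__ == $PROGRAM_NAME
  %i[strict lax].each do |policy|
    puts "same_site: :#{policy} -> session on callback: #{session_available_on_callback?(policy)}"
  end
end
```

Lax still withholds the cookie on cross-site POSTs, which is the CSRF protection that makes it a reasonable default while leaving the GET redirect working.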