Tags: google-chrome, cookies, oauth-2.0, o365-flow

Chrome 97 - Cookie not setting from Office 365 OAuth callback


I have an app that has been running for years with no changes to the code. The app has OAuth2.0 login with a variety of providers including Google Workspace and Office 365. Since the launch of Chrome V97 (i.e. in last few days), the O365 login has stopped working, as for some reason, the auth cookie does not get set in the OAuth callback GET handler. The code that sets the cookie is the same code that is run for Google Workspace, yet this works. It also works on Firefox. Something about Google Chrome V97 is preventing cookies from being set, but only if it round trips to O365 first.

To isolate the issue, I have created a fake callback which manually sets a cookie, thereby removing all of the auth complication. If I call this by visiting the URL in a browser, then the cookie sets as expected. Yet if I perform the O365 OAuth dance first, which in turn invokes this URL, then the cookie does not get set. Try exactly the same thing with Google Workspace and it works.

I have been debugging this for hours and hours and clean out of ideas.

Can anyone shed any light on what could be causing this odd behaviour?


Solution

  • We ran into this too, fixed by adding SameSite=none; to the auth cookie. In Chrome 97 SameSite is set to Lax if missing. See more here https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
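As an added example (not code from the question or the answer): a small Python helper that emits the auth cookie the way the answer recommends, plus a checker that reports how Chrome will treat a given Set-Cookie value. It assumes nothing about the original app beyond the cookie itself; the rule that SameSite=None is only accepted together with Secure is Chrome's own behaviour and is not stated in the answer.

```python
"""Build and check Set-Cookie values for an OAuth callback cookie that is
set after a round trip through a cross-site identity provider (the Office
365 case in the question). Sample header strings are constructed here."""
from dataclasses import dataclass


@dataclass
class CookieVerdict:
    name: str
    samesite: str        # effective value: explicit attribute, or "Lax" when missing
    secure: bool
    ok_cross_site: bool  # will Chrome keep and use it after the cross-site callback?
    reason: str


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def check_auth_cookie(header: str) -> CookieVerdict:
    """Report the effective SameSite handling Chrome applies to this cookie."""
    name, _, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    explicit = attrs.get("samesite")
    # Chrome treats a missing SameSite attribute as Lax (the failure in the question).
    samesite = explicit.capitalize() if explicit else "Lax"
    if explicit is None:
        return CookieVerdict(name, samesite, secure, False,
                             "no SameSite attribute: Chrome defaults it to Lax")
    if samesite == "None" and not secure:
        return CookieVerdict(name, samesite, secure, False,
                             "SameSite=None without Secure: Chrome rejects the cookie")
    if samesite == "None":
        return CookieVerdict(name, samesite, secure, True,
                             "SameSite=None; Secure: accepted in the cross-site callback")
    return CookieVerdict(name, samesite, secure, False,
                         f"SameSite={samesite}: limited to same-site requests")


def build_auth_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Set-Cookie value per the answer: SameSite=None, with Secure and HttpOnly."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; HttpOnly; Secure; SameSite=None"
```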