Configurable Cookie Scope for OIDC Interactions

[florianamette]

In my implementation, I serve the OIDC interaction UI from /interaction/[uid] and handle API calls at /api/interaction/[uid]/(login|consent|abort). The provider currently sets cookie paths automatically based on the interaction URL in the config. It would be great to have control over the cookie scope path, to better match different application routing structures.

[panva]

You have complete control over this already.

[florianamette]

Thanks a lot. I missed it in the doc.

It works for the interaction cookie but not for the resume one.

/lib/actions/authorization/interactions.js

  ctx.cookies.set(
    oidc.provider.cookieName('interaction'),
    uid,
    {
      path: new URL(destination, ctx.oidc.issuer).pathname,
      ...cookieOptions,
      maxAge: ttl * 1000,
    },
  );

  ctx.cookies.set(
    oidc.provider.cookieName('resume'),
    uid,
    {
      ...cookieOptions,
      path: new URL(returnTo).pathname,
      domain: undefined,
      httpOnly: true,
      maxAge: ttl * 1000,
    },
  );

It seems to be related to where the path is set, which overrides this cookie option for the resume cookie, if I’m not mistaken.

[florianamette]

Never mind. No need to have control over this one. I will close the discussion. Thanks for your help and the amazing work!