
[@hono/oidc-auth] Saving Secure cookies does not work on http in Safari

Open StefanLobbenmeier opened this issue 3 months ago • 5 comments

Which middleware has the bug?

@hono/oidc-auth

What version of the middleware?

1.7.0

What version of Hono are you using?

4.9.8

What runtime/platform is your app running on? (with version if possible)

local wrangler

What steps can reproduce the bug?

Create a very simple application like the guide suggests:

import { Hono } from 'hono'
import { oidcAuthMiddleware, getAuth, processOAuthCallback, revokeSession } from '@hono/oidc-auth'

const app = new Hono();

// every route requires a session; unauthenticated requests are redirected to the IdP
app.use('*', oidcAuthMiddleware())
app.get('/logout', async (c) => {
    await revokeSession(c)
    return c.text('You have been successfully logged out!')
})
// the IdP redirects back here with code and state
app.get('/callback', async (c) => {
    return processOAuthCallback(c)
})
app.get('/me', async (c) => {
    const auth = await getAuth(c)
    return c.text(`Hello <${auth?.email}>!`)
})

export default app

Also add configuration to the .dev.vars:

OIDC_AUTH_SECRET=
OIDC_ISSUER=https://x.eu.auth0.com
OIDC_CLIENT_ID=
OIDC_CLIENT_SECRET=
OIDC_AUDIENCE=

Try the same in Safari and you just get

What is the expected behavior?

Visit any page in chrome, cookies are set correctly when being redirected to the login page:

Image

What do you see instead?

Safari gives you no real request in network tab during the redirect, instead you get this about:blank

Image

Finally hono-oidc gives an error after being redirected back to /callback that the cookies are missing:

OperationProcessingError: unexpected "state" response parameter encountered
    at validateAuthResponse (file:///project/.wrangler/tmp/dev-YSmWwl/index.js:24648:15)
    at processOAuthCallback (file:///project/.wrangler/tmp/dev-YSmWwl/index.js:24918:18)
    at async dispatch (file:///project/.wrangler/tmp/dev-YSmWwl/index.js:973:17)
    at async file:///project/.wrangler/tmp/dev-YSmWwl/index.js:1818:26
    at async jsonError (file:///project/.wrangler/tmp/dev-YSmWwl/index.js:25089:12)
    at async drainBody (file:///project/.wrangler/tmp/dev-YSmWwl/index.js:25062:12)

Additional information

Safari Version 26.0 (21622.1.22.11.14). I am running on localhost:8787 during dev, so maybe it's not going to be an issue in production?

Also, an additional question: why is that validation there in the first place? The client sends the state as a query parameter and as a cookie, so why don't we trust what it sends in the query?

StefanLobbenmeier avatar Sep 20 '25 23:09 StefanLobbenmeier

Quick update: deployed to Cloudflare and it works in production. Locally the workaround to use wrangler dev --local-protocol https also seems to work just fine. So it would be nice to document this workaround.

StefanLobbenmeier avatar Sep 20 '25 23:09 StefanLobbenmeier

Found it:

It's because @hono/oidc-auth is setting those cookies as Secure, and Safari does not consider localhost Secure for cookies. I found other people having this same issue:

  • https://github.com/tauri-apps/tauri/issues/2604#issuecomment-1236200730
  • https://bugs.webkit.org/show_bug.cgi?id=232088
  • https://bugs.webkit.org/show_bug.cgi?id=218980

StefanLobbenmeier avatar Sep 20 '25 23:09 StefanLobbenmeier

Hi @StefanLobbenmeier

So, can we treat this issue as not a bug for @hono/oidc-auth and not need to fix?

yusukebe avatar Sep 25 '25 01:09 yusukebe

It's not a bug, but ideally document in the README that oidc-auth is using Secure cookies that might not work on http://localhost, or put a recommendation to use --local-protocol https.

StefanLobbenmeier avatar Sep 25 '25 08:09 StefanLobbenmeier

@StefanLobbenmeier

I see!

Hi @hnw, can you add the document about this to the README?

yusukebe avatar Oct 03 '25 01:10 yusukebe