Cannot login in OIDC on localhost + Webkit #19303

@moufmouf

Description

Hey Synapse team!

In October, the following change was done to Synapse:

Update oidc_session_no_samesite cookie to be Secure
#19079

I'm running a test environment locally (and Playwright E2E tests in CI). Since this change, I cannot connect to Synapse via OIDC anymore. I'm getting this error:

Image

The origin of the issue is that unlike the other browsers, Webkit treats "localhost" as non-secure regarding cookies. So when you add "Secure", Webkit stops storing cookies locally.

See tauri-apps/tauri#2604

Steps to reproduce

  • set up a local environment with Synapse connected to an OIDC provider (everything running on localhost)
  • try to connect

Homeserver

Dev homeserver at Synapse 1.144.0

Synapse Version

1.144.0

Installation Method

Docker (matrixdotorg/synapse)

Database

SQLite

Workers

Single process

Platform

Configuration

This happens in a development environment where there is no HTTPS.
Synapse domain name is "http://matrix.localhost", running in a docker-compose behind a reverse-proxy.

Relevant log output

-

Anything else that would be useful to know?

I think being able to log in to Synapse via OIDC is important in a development environment where no HTTPS is available. Do you think it is possible to remove the "Secure" part of the cookie if we detect that a request comes from HTTP (and keep it for HTTPS)?

A more restrictive version could check if the request comes from "localhost" or "*.localhost". Not sure if this is needed though.
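
The conditional proposed above, sketched as an added example that is not part of the original issue and is not Synapse's code. The function names, the cookie value and the cookie path are assumptions; `scheme` is taken to be the scheme the browser used, as reported by a trusted reverse proxy.

```python
from http.cookies import SimpleCookie


def is_localhost(host: str) -> bool:
    """True for "localhost" and "*.localhost", with or without a port."""
    hostname = host.rsplit(":", 1)[0].rstrip(".").lower()
    return hostname == "localhost" or hostname.endswith(".localhost")


def want_secure(scheme: str, host: str, localhost_only: bool = True) -> bool:
    """Decide whether the session cookie should carry the Secure attribute.

    scheme is the scheme the browser used. Behind a reverse proxy it must
    come from a forwarded-proto header that only the trusted proxy can set.
    """
    if scheme.lower() == "https":
        return True
    if localhost_only and not is_localhost(host):
        # Plain HTTP on a non-localhost name: keep Secure so the session
        # cookie is never sent over cleartext HTTP (login fails closed).
        return True
    return False


def session_cookie(name: str, value: str, scheme: str, host: str,
                   localhost_only: bool = True) -> str:
    """Build the Set-Cookie value for the OIDC session cookie."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"  # constructed; not Synapse's real cookie path
    jar[name]["httponly"] = True
    jar[name]["secure"] = want_secure(scheme, host, localhost_only)
    return jar[name].OutputString()


if __name__ == "__main__":
    # Constructed requests: (scheme, Host header)
    for scheme, host in [("https", "matrix.example.org"),
                         ("http", "matrix.localhost"),
                         ("http", "localhost:8008"),
                         ("http", "matrix.example.org")]:
        print(scheme, host, "->",
              session_cookie("oidc_session_no_samesite", "abc123", scheme, host))
```

With `localhost_only=False` the helper implements the first, broader proposal (drop Secure for any HTTP request); the default implements the more restrictive localhost-only variant.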
