[@hono/oidc-auth] Saving Secure cookies does not work on http in Safari

[StefanLobbenmeier]

Which middleware has the bug?

@hono/oidc-auth

What version of the middleware?

1.7.0

What version of Hono are you using?

4.9.8

What runtime/platform is your app running on? (with version if possible)

local wrangler

What steps can reproduce the bug?

Create a very simple application like the guide suggests:

const app = new Hono();

app.use('*', oidcAuthMiddleware())
app.get('/logout', async (c) => {
    await revokeSession(c)
    return c.text('You have been successfully logged out!')
})
app.get('/callback', async (c) => {
    return processOAuthCallback(c)
})
app.get('/me', async (c) => {
    const auth = await getAuth(c)
    return c.text(`Hello <${auth?.email}>!`)
})

Also add configuration to the .dev.vars:

OIDC_AUTH_SECRET=
OIDC_ISSUER=https://x.eu.auth0.com  
OIDC_CLIENT_ID=
OIDC_CLIENT_SECRET=
OIDC_AUDIENCE=

Try the same in safari and you just get

What is the expected behavior?

Visit any page in chrome, cookies are set correctly when being redirected to the login page:

What do you see instead?

Safari gives you no real request in network tab during the redirect, instead you get this about:blank

Finally hono-oidc gives an error after being redirected back to /callback that the cookies are missing:
OperationProcessingError: unexpected "state" response parameter encountered
at validateAuthResponse (file:///project/.wrangler/tmp/dev-YSmWwl/index.js:24648:15)
at processOAuthCallback (file:///project/.wrangler/tmp/dev-YSmWwl/index.js:24918:18)
at async dispatch (file:///project/.wrangler/tmp/dev-YSmWwl/index.js:973:17)
at async file:///project/.wrangler/tmp/dev-YSmWwl/index.js:1818:26
at async jsonError (file:///project/.wrangler/tmp/dev-YSmWwl/index.js:25089:12)
at async drainBody (file:///project/.wrangler/tmp/dev-YSmWwl/index.js:25062:12)

Additional information

Safari Version 26.0 (21622.1.22.11.14)
I am running on localhost:8787 during dev, so maybe its not going to be an issue in production?

Also additional question - why is that validation there in the first place - the client sends the state as a query parameter and as a cookie, why don't we trust what it sends in the query?

[StefanLobbenmeier]

Quick update - deployed to Cloudflare and works in production. Locally the workaround to use wrangler dev --local-protocol https also seems to work just fine. So would be nice to document this workaround.

[StefanLobbenmeier]

Found it:

Its because @hono/oidc-auth is setting those cookies as Secure, and Safari does not consider localhost Secure for cookies, I found other people having this same issue:

• [MacOS / Linux] WebKit doesn’t set Secure cookies on localhost tauri-apps/tauri#2604 (comment)
• https://bugs.webkit.org/show_bug.cgi?id=232088
• https://bugs.webkit.org/show_bug.cgi?id=218980

[yusukebe]

Hi @StefanLobbenmeier

So, can we treat this issue as not a bug for @hono/oidc-auth and not need to fix?

[StefanLobbenmeier]

It’s not a bug, but ideally document in the readme that oidc-auth is using secure cookies that might not work on http://localhost / put a recommendation to use --local-protocol https

[yusukebe]

@StefanLobbenmeier

I see!

Hi @hnw, can you add the document about this to the README?