diff --git a/internal/auth/oidc/client.go b/internal/auth/oidc/client.go index 1bf168c61..5f7f200c6 100644 --- a/internal/auth/oidc/client.go +++ b/internal/auth/oidc/client.go @@ -62,8 +62,15 @@ func NewClient(issuerUri *url.URL, oidcClient, oidcSecret, oidcScopes, siteUrl s return nil, err } - // Create cookie handler. - cookieHandler := utils.NewCookieHandler(hashKey, encryptKey, utils.WithUnsecure()) + // Create cookie handler. The short-lived state (CSRF defense) and PKCE + // code_verifier cookies keep the Secure attribute on HTTPS deployments; it is + // only dropped when running insecurely (HTTP issuer / relaxed TLS), gated by the + // same flag that already permits a non-HTTPS issuer. + var cookieOpts []utils.CookieHandlerOpt + if insecure { + cookieOpts = append(cookieOpts, utils.WithUnsecure()) + } + cookieHandler := utils.NewCookieHandler(hashKey, encryptKey, cookieOpts...) // Create HTTP client. httpClient := HttpClient(insecure)