[openstreetmap/openstreetmap-website] Support Sign in with Apple (#2799)
Tom Hughes
notifications at github.com
Tue Aug 5 20:04:44 UTC 2025
tomhughes left a comment (openstreetmap/openstreetmap-website#2799)
So I now have the necessary keys to test things out locally and there's a bit of a hiccup... Apple insist on using `response_mode=form_post` in the OAuth 2 exchange if you want to ask for the `name` or `email` scopes but that means the callback comes as a cross domain POST request which means we don't get our session cookie because it is marked `SameSite=lax` and that means we can't validate the OAuth state as that is in the session.
I can make it work by doing one of two things:
* Drop the `name` and `email` scopes from our request, and use `response_mode=query`
* Switch our session cookie to `SameSite=none` which reduces our cookie security
I assume they think `response_mode=form_post` is more secure for some reason but it's not clear why as the actual name/email data is not passed in that request and the end result is that we have to reduce our cookie security 😢
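The cookie behaviour described in this comment, modelled as an added Ruby example (not code from the openstreetmap-website project or from the commenter); the SameSite rule encoded here is the standard browser one, while the request shapes, the `validate_callback` handler and its result symbols are assumptions made for the illustration:

```ruby
# Added example (not code from the openstreetmap-website project): a small
# model of the browser's SameSite rule, used to show why an OAuth callback
# delivered as a cross-site POST (response_mode=form_post) arrives without a
# SameSite=Lax session cookie, so the state parameter cannot be checked.
require "securerandom"

# Does the browser attach a cookie with the given SameSite value to a request?
# :strict -> never on cross-site requests
# :lax    -> on cross-site requests only for top-level navigations using a
#            safe method (GET), which covers response_mode=query redirects
# :none   -> always (must also be Secure); this is the relaxation discussed above
def cookie_sent?(same_site, cross_site:, method:, top_level:)
  return true unless cross_site
  case same_site
  when :strict then false
  when :lax    then top_level && method == "GET"
  when :none   then true
  else raise ArgumentError, "unknown SameSite value #{same_site.inspect}"
  end
end

# Simulates the provider delivering the callback to our site. Apple's
# form_post mode is a cross-site top-level POST; query mode is a GET redirect.
def callback_request(response_mode, state)
  method = response_mode == :form_post ? "POST" : "GET"
  { method: method, cross_site: true, top_level: true, params: { "state" => state } }
end

# The callback handler: the expected state lives in the session cookie, so the
# check can only succeed if the browser sent that cookie with the callback.
# Returns :ok, :no_session (cookie withheld) or :state_mismatch.
def validate_callback(same_site, response_mode, session_state, returned_state)
  req = callback_request(response_mode, returned_state)
  sent = cookie_sent?(same_site, cross_site: req[:cross_site],
                      method: req[:method], top_level: req[:top_level])
  return :no_session unless sent
  req[:params]["state"] == session_state ? :ok : :state_mismatch
end

if __FILE__ == $PROGRAM_NAME
  state = SecureRandom.hex(16) # constructed: value stored in the session at login start
  puts validate_callback(:lax, :form_post, state, state)  # no_session
  puts validate_callback(:lax, :query, state, state)      # ok
  puts validate_callback(:none, :form_post, state, state) # ok, but the cookie now rides on every cross-site request
end
```

Run it with `ruby` to see the three outcomes side by side: `:lax` with `form_post` loses the session, `:lax` with `query` keeps it, and `:none` keeps it at the cost of sending the cookie on all cross-site requests.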