SameSite=Lax on JSESSIONID not working with Firefox after redirect


I am trying to get the JSESSIONID cookie added to my request after a redirect from a third-party server.

When the user first accesses the App, it returns the JSESSIONID with attribute SameSite=Lax. Then the user authenticates to the Keycloak server, which redirects the user to the App after authentication succeeded.

The problem is that it works with Chromium - that is, the JSESSIONID cookie is passed to the App in the redirected request - but it fails with Firefox with the following message in the console: Cookie “JSESSIONID” with the “SameSite” attribute value “Lax” or “Strict” was omitted because of a cross-site redirect.

I guess Firefox assumes it's a cross-site request because, though Lax was used and the request is safe, it is not a top-level navigation. But it's weird that Chromium does not treat it as a cross-site request as well.

When I put the App and Keycloak servers in the same domain it works, as it is no longer a cross-site request, but we have other similar use cases with servers whose domain we don't control, for example an online payment server.

Do you know if there is a solution to get this to work with all browsers, besides using SameSite=None?

Thanks,

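The decision the question is about can be walked through with a small model. The following is an added example, not code from the asker, Firefox, Chromium, Keycloak or any servlet container. It applies the SameSite rules as RFC 6265bis states them: a request is cross-site when the initiating document's site or any URL in the redirect chain is on a different site from the destination; Strict cookies go only on same-site requests; Lax cookies additionally go on cross-site top-level navigations that use a safe method; None cookies always go, provided the cookie is Secure. The hostnames (app.example.com, keycloak.example.org), the `Navigation` record and the two-label approximation of a registrable domain are constructed for the example; real browsers use the Public Suffix List and carry vendor-specific exceptions the model does not reproduce, so it shows which request shapes lose a Lax cookie across a cross-site redirect rather than predicting a particular browser build.

```python
"""Simplified model of the SameSite cookie decision for a redirected request.

Constructed to illustrate the App -> Keycloak -> App flow in the question.
Not browser code; browser-specific exceptions are deliberately left out.
"""
from dataclasses import dataclass, field, replace
from typing import List
from urllib.parse import urlsplit

# Methods the SameSite=Lax rule counts as "safe" for top-level navigations.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def site_of(url: str) -> str:
    """Approximate the 'site' (scheme + registrable domain) of a URL.

    Browsers consult the Public Suffix List; taking the last two host labels is
    a simplification that is correct for the constructed hosts used here.
    """
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    return f"{parts.scheme}://{'.'.join(labels[-2:])}"


@dataclass
class Navigation:
    destination: str                 # request the cookie would be attached to
    initiator: str                   # document that started the navigation
    redirect_chain: List[str] = field(default_factory=list)  # hops before destination
    method: str = "GET"
    top_level: bool = True           # False for iframes, fetch/XHR, images, ...


def variant(nav: Navigation, **changes) -> Navigation:
    """Copy a Navigation with some fields changed (for what-if comparisons)."""
    return replace(nav, **changes)


def is_cross_site(nav: Navigation) -> bool:
    """Cross-site if the initiator or any redirect hop lives on another site."""
    target = site_of(nav.destination)
    return any(site_of(hop) != target for hop in [nav.initiator, *nav.redirect_chain])


def cookie_is_sent(samesite: str, nav: Navigation, secure: bool = True) -> bool:
    """Decide whether a cookie with the given SameSite value rides along."""
    samesite = samesite.lower()
    if samesite == "none":
        return secure          # SameSite=None is only honoured together with Secure
    if not is_cross_site(nav):
        return True            # same-site requests always carry Lax and Strict cookies
    if samesite == "strict":
        return False           # Strict never crosses a site boundary
    # Lax: cross-site only for a top-level navigation with a safe method
    return nav.top_level and nav.method.upper() in SAFE_METHODS


def explain(samesite: str, nav: Navigation) -> str:
    """Human-readable summary of one decision, for the console output below."""
    kind = "cross-site" if is_cross_site(nav) else "same-site"
    level = "top-level" if nav.top_level else "subresource"
    verdict = "sent" if cookie_is_sent(samesite, nav) else "omitted"
    return f"SameSite={samesite}: {nav.method} {level} {kind} request -> {verdict}"


# Constructed scenario: the app hands the user to Keycloak, which redirects back.
LOGIN_RETURN = Navigation(
    destination="https://app.example.com/callback",
    initiator="https://app.example.com/",
    redirect_chain=["https://keycloak.example.org/auth"],
)

if __name__ == "__main__":
    for attr in ("Lax", "Strict", "None"):
        print(explain(attr, LOGIN_RETURN))
    # The same redirect chain, but shaped so that a Lax cookie is dropped:
    print(explain("Lax", variant(LOGIN_RETURN, method="POST")))
    print(explain("Lax", variant(LOGIN_RETURN, top_level=False)))
    # Moving the identity provider onto the app's site removes the cross-site hop.
    print(explain("Strict", variant(LOGIN_RETURN,
                                    redirect_chain=["https://sso.example.com/auth"])))
```

Running it shows that a plain GET top-level return through a cross-site identity provider keeps a Lax cookie under the spec rules, while the same chain loses it as soon as the final hop is a POST (for example a form-post response mode) or is not a top-level navigation; the last line reproduces the observation that putting both servers on one site makes even Strict cookies flow. When debugging a report like the Firefox console message above, the properties to check on the failing request are therefore exactly the fields of `Navigation`: the method of the final hop, whether it is top-level, and every site in the redirect chain.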