If Agate is configured to use SSO, logging in to Agate as a Mica user does not automatically log the same user in to Mica. The root cause is SameSite=Lax on a cross-site cookie.
When Mica opens in a new tab and its frontend (JavaScript or server-side) makes an API call back to Agate to validate the token (e.g. GET /ws/ticket/{token}/_validate), that request originates from mica-demo.obiba.org targeting agate-demo.obiba.org. Even though they share the same parent domain, browsers treat these as cross-site because the request host differs from the cookie host -- SameSite=Lax blocks non-top-level-navigation cross-site requests.
The fix is to check whether an SSO domain is configured and, if so, add .sameSite(NewCookie.SameSite.NONE) alongside the existing .domain(...) call. This way SameSite=None is only applied in deployments where cross-subdomain SSO is actually needed.
Files to change:
- agate-rest/src/main/java/org/obiba/agate/web/rest/ticket/TicketsResource.java (line 128)
- agate-rest/src/main/java/org/obiba/agate/web/rest/ticket/TicketResource.java (lines 213 and 230)
- agate-webapp/src/main/java/org/obiba/agate/web/filter/auth/oidc/AgateCallbackFilter.java (line 250)
- agate-rest/src/main/java/org/obiba/agate/web/rest/security/CurrentSessionResource.java (line 70)
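Illustration of the conditional change described above, written as an added example rather than Agate's own code: the SameSite=None attribute is only set when an SSO domain is configured, and the cookie is then also marked Secure, because browsers reject SameSite=None cookies that are not Secure. The cookie name, path, max-age and the way the SSO domain is passed in are assumptions; the Jakarta REST 3.1 NewCookie.Builder API is assumed to be available.

```java
import java.util.Optional;
import jakarta.ws.rs.core.NewCookie;

/**
 * Added example (not Agate's code): build the ticket cookie so that
 * SameSite=None is applied only for cross-subdomain SSO deployments.
 */
public final class SsoCookieExample {

  private static final String COOKIE_NAME = "example-ticket"; // assumed name
  private static final int ONE_HOUR_SECONDS = 3600;           // assumed max-age

  /**
   * @param token     the Agate ticket value to store in the cookie
   * @param ssoDomain the configured SSO domain (e.g. "obiba.org"), or empty when
   *                  cross-subdomain SSO is not enabled for this deployment
   */
  public static NewCookie buildTicketCookie(String token, Optional<String> ssoDomain) {
    NewCookie.Builder builder = new NewCookie.Builder(COOKIE_NAME)
        .value(token)
        .path("/")
        .maxAge(ONE_HOUR_SECONDS)
        .httpOnly(true)   // token is not needed by page scripts
        .secure(true);    // required: SameSite=None is only accepted on Secure cookies

    if (ssoDomain.isPresent() && !ssoDomain.get().isBlank()) {
      // Cross-subdomain SSO: the browser must attach this cookie to the
      // mica-demo -> agate-demo validation call, which SameSite=Lax would block.
      builder.domain(ssoDomain.get())
             .sameSite(NewCookie.SameSite.NONE);
    } else {
      // Single-host deployment: keep the stricter default behaviour.
      builder.sameSite(NewCookie.SameSite.LAX);
    }
    return builder.build();
  }
}
```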