Github Provider not working on Safari

[bcomnes]

I'm trying to characterize a strange bug I'm running into only on safari 15.

I have next-auth ^4.0.2 with custom login pages in my next app. Everything works great on chrome and firefox.

When try try to log in with the GitHub provider, I get the following error:

GET /api/auth/callback/github?code=xxx&state=xxx - - ms - -
[next-auth][error][OAUTH_CALLBACK_ERROR] 
https://next-auth.js.org/errors#oauth_callback_error checks.state argument is missing {
  error: {
    message: 'checks.state argument is missing',
    stack: 'TypeError: checks.state argument is missing\n' +
      '    at Client.oauthCallback (/Users/bret/socket/depscan/node_modules/openid-client/lib/client.js:506:13)\n' +
      '    at oAuthCallback (/Users/bret/socket/depscan/node_modules/next-auth/core/lib/oauth/callback.js:114:29)\n' +
      '    at processTicksAndRejections (node:internal/process/task_queues:96:5)\n' +
      '    at async Object.callback (/Users/bret/socket/depscan/node_modules/next-auth/core/routes/callback.js:50:11)\n' +
      '    at async NextAuthHandler (/Users/bret/socket/depscan/node_modules/next-auth/core/index.js:133:28)\n' +
      '    at async NextAuthNextHandler (/Users/bret/socket/depscan/node_modules/next-auth/next/index.js:20:19)\n' +
      '    at async /Users/bret/socket/depscan/node_modules/next-auth/next/index.js:56:32\n' +
      '    at Object.apiResolver (/Users/bret/socket/depscan/node_modules/next/server/api-utils.ts:107:5)\n' +
      '    at DevServer.handleApiRequest (/Users/bret/socket/depscan/node_modules/next/server/next-server.ts:1480:5)\n' +
      '    at Object.fn (/Users/bret/socket/depscan/node_modules/next/server/next-server.ts:1329:27)',
    name: 'TypeError'
  },
  providerId: 'github',
  message: 'checks.state argument is missing'
}

When I debug these different code paths, it comes down to what appears to be the req.cookies object being unavailable when GitHub redirects back to my app, but only in safari. The state cookie is set to same-site lax, which seems to work fine in chrome and firefox, but not in safari. When safari is redirected back, it refuses to share any of the lax cookies strangely. If I force the cookies to be same site none GitHub login works in safari.

So... anyone know why safari is refusing to share cookies with next-auth when it redirects back from Github?

[bcomnes]

Ok, when the live demo was working earlier this morning, I tried on safari 15 with the GitHub oauth provider and ran into the same issue. I went through the login dance, but when redirected back, I was not logged in. I can't see the logs to confirm, but it is almost certainly the same issue. Github auth worked fine in the demo in brave.

So... it looks like the cookies necessary to complete the oauth flow are not available for some reason in safari 15. It almost seems like safari is treating the same-site lax setting incorrectly or something.

[bcomnes]

Could it be this safari bug possibly?

Bug 219650 - Cookies set with SameSite=Lax are not sent during redirects in Safari

[bcomnes]

Ok, looks like GitHub auth is working again in the live demo, so there is a way out of this.

[bcomnes]

Ok, so not quite that, but very similar. We have a service worker installed (and working fine in firefox and chrome) and disabling that fixes the issue.... still trying to characterize what's going on here.