From e0e0d9c33cb761c73c043dd3c2f435dd618107bf Mon Sep 17 00:00:00 2001
From: BlackDex
Date: Tue, 5 May 2026 08:50:11 +0200
Subject: [PATCH] Fix SSO Cookie path

Signed-off-by: BlackDex
---
 src/api/identity.rs | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/api/identity.rs b/src/api/identity.rs
index 569deaf9..9f64e560 100644
--- a/src/api/identity.rs
+++ b/src/api/identity.rs
@@ -1222,7 +1222,8 @@ async fn _oidcsignin_redirect(
 (Some(expected), Some(actual)) if crypto::ct_eq(expected, actual) => {}
 _ => err!(format!("SSO session binding mismatch for {state}")),
 }
- cookies.remove(Cookie::build(SSO_BINDING_COOKIE).path("/identity/connect/").build());
+ cookies
+ .remove(Cookie::build(SSO_BINDING_COOKIE).path(format!("{}/identity/connect/", CONFIG.domain_path())).build());
 sso_auth.code_response = Some(code_response);
 sso_auth.updated_at = Utc::now().naive_utc();
@@ -1294,7 +1295,7 @@ async fn authorize(data: AuthorizeData, cookies: &CookieJar<'_>, secure: Secure,
 cookies.add(
 Cookie::build((SSO_BINDING_COOKIE, binding_token))
- .path("/identity/connect/")
+ .path(format!("{}/identity/connect/", CONFIG.domain_path()))
 .max_age(time::Duration::seconds(sso::SSO_AUTH_EXPIRATION.num_seconds()))
 .same_site(SameSite::Lax) // Lax is needed because the IdP runs on a different FQDN
 .http_only(true)
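Review bot: The cookie path `format!("{}/identity/connect/", CONFIG.domain_path())` is now written out twice, in the `cookies.remove(...)` call of `_oidcsignin_redirect` and in the `Cookie::build(...)` chain of `authorize` (second hunk), and the two must stay identical. A browser only discards a cookie when the removal's Path matches the Path it was set with, so if the two strings ever drift the binding token would stay in the jar until its max_age, with no error on the server side. A shared helper removes that risk, for example `fn sso_binding_cookie_path() -> String { format!("{}/identity/connect/", CONFIG.domain_path()) }`, called from both sites. Both function bodies continue outside the hunks, so this assumes no other code sets or clears SSO_BINDING_COOKIE.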