Help Fixing Strapi OAuth (possible cookie loss)

Hi All,

I am running into an issue with the Strapi OAuth workflow. (I’d link to it, but community limits denied me).

The part that fails on Render but does not fail on my local dev environment is the 4th step:

  1. Once done, provider redirects the tab to the backend URL: https://strapi.website.com/api/connect/provider/callback?code=abcdef

This call is made successfully, but afterwards I receive an error:
error=Grant: missing session or misconfigured provider

This comment here:

And a comment made here:

thanks @soupette! After it redirected with a query of access_token, I made a request to connect/google/callback${query} per the example. It came back with an error “error=Grant: missing session or misconfigured provider”. I looked it up with grantjs, it seems either the cookie wasn’t set. Can you please run a quick check on your example to see if version alpha10.2 is still working correctly?

Leads me to believe that the proxy in front of my Strapi is not properly passing the OAuth cookie back, and that is causing the error.

The user on the Strapi forum was able to configure their proxy to pass the cookie successfully, but does Render allow me to do something similar? If not, I may not be able to deploy this application with Render as OAuth would be broken, and that is a core feature that I require.

Has anyone else run into this issue while trying to deploy Strapi with OAuth on Render?

I believe I have figured this one out.

I am using a custom domain for this application, but the example Strapi app had me using the RENDER_EXTERNAL_URL variable to start the Strapi application.

This was causing confusion on the OAuth side as to which origin (the custom domain or the Render domain) should get the cookie.

By default, cookie policy in Strapi is set to null, which I believe means that cookies are strictly handled.

The solution then was simple: the URL given to the server.js Strapi config must match the custom URL and NOT the Render URL. Doing that appears to fix OAuth.
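
The origin mismatch described in this thread, as an added JavaScript model that is not part of the original posts and is not Strapi or Grant code. It assumes the callback URL is derived from the `url` in the server.js config and that the session cookie is host-only; `my-strapi.onrender.com`, the `session` cookie name and all function names are constructed for illustration.

```javascript
// Added example. RENDER_URL stands in for the value of RENDER_EXTERNAL_URL
// (constructed hostname); CUSTOM_URL is the custom domain used in the post.
const RENDER_URL = 'https://my-strapi.onrender.com';
const CUSTOM_URL = 'https://strapi.website.com';

// Assumption: the callback is built from the configured server URL, in the
// path shape shown in the post (/api/connect/<provider>/callback).
function buildCallbackUrl(configuredUrl, provider) {
  const base = configuredUrl.replace(/\/+$/, ''); // tolerate a trailing slash
  return new URL(`${base}/api/connect/${provider}/callback`);
}

// Minimal host-only cookie jar: a cookie set without a Domain attribute is
// returned only to the exact hostname that set it (ports are not considered).
class HostOnlyJar {
  constructor() { this.cookies = []; }
  set(fromUrl, name) {
    this.cookies.push({ host: new URL(fromUrl).hostname, name });
  }
  cookiesFor(toUrl) {
    const host = new URL(toUrl).hostname;
    return this.cookies.filter((c) => c.host === host).map((c) => c.name);
  }
}

// Walk the flow: the browser starts the connect step on entryUrl, the session
// cookie is set there, then the provider redirects to the configured callback.
function simulateOAuthFlow(configuredUrl, entryUrl, provider = 'google') {
  const jar = new HostOnlyJar();
  jar.set(entryUrl, 'session'); // hypothetical cookie name
  const callback = buildCallbackUrl(configuredUrl, provider);
  const sent = jar.cookiesFor(callback.href).includes('session');
  return {
    callback: callback.href,
    sessionCookieSent: sent,
    // Outcome follows the thread's explanation: no cookie, no session.
    outcome: sent ? 'ok' : 'error=Grant: missing session or misconfigured provider',
  };
}

// Config url is the Render URL while the flow starts on the custom domain.
console.log(simulateOAuthFlow(RENDER_URL, CUSTOM_URL));
// Config url matches the custom domain.
console.log(simulateOAuthFlow(CUSTOM_URL, CUSTOM_URL));
```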