SameSite cookie problem in code flow

I’m having trouble with the new chrome SameSite cookie issues in a weird place and I’m not sure where to make the change to get it to work reliably. This is a bit of a weird configuration I’ve inherited.

I’m using and ADFS server which during authentication is eventually making a POST to my $DOMAIN/login/callback. When it’s working, this callback gives me my code which I later exchange for a token.

Where it goes wrong is going from auth0/authorize -> ADFS -> login/callback is the auth0 cookie belonging to my domain does not get fowarded because SameSite is not set. I end up with the “identity - oops something went wrong… could not find your session” frowny face page.

This is what I expected to go wrong since POST is considered unsafe and does not forward cookies under lax. If I manually edit that cookie to SameSide=none things go fine.

Since these cookies are set by my auth0 domain, I’m not sure what I need to change or set to make it set that correctly. From here

As I read it, for the auth0 cookie I’m interested in, "For these cookies, Auth0 will:

  • Set the sameSite attribute to none , with the cookie requiring the use of HTTPS (regardless of environment)."

Am I missing something or should I take it to mean that part should “just work”?