Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hi everyone,

A while ago we had an issue with sharing ory session cookie inside an iframe and your team helped us a lot. This page settings are working fine now - <https://www.ory.sh/docs/hydra/guides/cookies> for most of the browsers.
We were able to share cookie in Chrome and Firefox, but it appears that for Safari hydra session cookie is not shared at all. And we are getting this error: *The resource owner or authorization server denied the request. The flow cookie is missing in the request.*
Looks like all our setup is at risk now. I wonder if there is a valid way to skip this cookie check before providing an access token by code, I mean this step - <https://www.ory.sh/docs/oauth2-oidc/authorization-code-flow#step-4-exchange-code-for-token>?

Thanks

This is a known limitation, see <https://ory-community.slack.com/archives/C02MR4DEEGH/p1692048818911859>
It is not secure to skip this check!
We are however working with another Hydra customer on a solution for this exact issue. <@U059YJ4ME0J> can get you details on a support contract to prioritize this.