Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hey guys, I am having an issue with "session_inactive" returned when linking OIDC provider via settings flow
We're encountering a `401 Unauthorized` with `id: session_inactive` when calling the *`/self-service/settings` flow (browser)* to link a Google account, even though the user has a valid active session(`whoami` returns 200)

Reproduction Steps:
User logs in (browser flow), session is active, cookie `ory_kratos_session=...` is present in all requests.
User opens the settings flow: `GET /self-service/settings/browser`
Kratos serves the settings form as expected.
User submits OIDC link request (via POST) using the `flow.ui.action` and `method=oidc` & `link=google`
Kratos responds with (after user selected his account on google page):

```{
"error": {
    "id": "session_inactive",
     "code": 401,
     "status": "Unauthorized",
     "reason": "No active session was found in this request."
 }
}```
Really interesting issue that I don't know how to overcome (OIDC works perfectly for the login flow).
We are using self-hosted Ory Kratos v1.1.0.

The issue was that we issue cookies with same_site = Strict which is prevents sending continuity cookie from oidc callback back to our app.
same_site=None\Lax works