Hello!
I having a issue with google chrome version 84.0.4147.125. The browsers can't set the cookie in headers response from ory/hydra (public port).
When I request to below url and login success. Hydra server response error request_forbidden.
Request:
https://<host_name>/oauth2/auth?client_id=web-client&redirect_uri=https%3A%2F%2F<my_hostname>%2Fcallback&scope=openid%20offline&response_type=code&state=ddg9w3hxk5q9semh5pu48c
Respose: request_forbidden
Server LOG:
time="2020-08-14T06:52:29Z" level=error msg="An error occurred" debug="No CSRF value available in the session cookie" description="The request is not allowed" error=request_forbidden hint="You are not allowed to perform this action.",
But it work good on chromium and firefox.Look like chrome can't set the Cookie oauth2_authentication_csrf to browser. This is my screen shot on 3 browsers.
Chrome with warning:

Chromium and firefox work good.


Thank you for the report, we are currently working on a fix. Here's our report for now.
Google Chrome changed the behavior of SameSite=None so that it is not possible to use
this SameSite mode without the HTTP Cookie secure flag.
If you run a version of ORY Hydra 1.6 and below and experience this issue:
--dangerous-force-http flagserve.cookies.same_site_mode or environment variable SERVE_COOKIES_SAME_SITE_MODE toLax - this happens automatically for ORY Hydra 1.7+ when running in HTTP mode.
Most helpful comment
Thank you for the report, we are currently working on a fix. Here's our report for now.
Google Chrome changed the behavior of
SameSite=Noneso that it is not possible to usethis SameSite mode without the HTTP Cookie
secureflag.If you run a version of ORY Hydra 1.6 and below and experience this issue:
--dangerous-force-httpflagserve.cookies.same_site_modeor environment variableSERVE_COOKIES_SAME_SITE_MODEtoLax- this happens automatically for ORY Hydra 1.7+ when running in HTTP mode.