issue with httponly cookies (state-mismatch)

[turbo2ltr]

I'm trying to use outline (docker) with a cloudflare tunnel and Azure.
The tunnel uses HTTPS, but between the tunnel client docker container and the outline Docker container, it's http.
When I try to log in with Azure, the login works, but when redirected back to outline, I get a state-mismatch error.

Looking at the cookies, the state is set, it's set for the correct public domain, and azure properly sends it back.
The issue i believe is when outline calls auth/azure and the cookie is set, it's set with the httponly flag. So my client, being on https cannot read it. I see some related answers for when using nginx as a proxy, but I'm not using that.
How do I fix this?

Edit: seems like I may have misunderstood the meaning of the httponly tag. So now I have no idea why it's not working.

[tommoor]

I'm not sure, sounds like you covered all the bases to be honest – but state mismatch means that the state value returned from Azure is not the same as the one that the server can access from the cookie.

Why is Cloudflare tunnel needed?

[turbo2ltr]

Yeah when I'm back on the outline login/error page it redirects back to, there are no cookies on that page.

Just an easy way to get docker containers running on linux, running in a VMWare VM on a windows laptop behind a publicly accessible SSL connection. I was having issues running locally with callbacks and lack of SSL trying to integrate with azure

[turbo2ltr]

When I click the "Login with Microsoft", I go to https://outline.mydomain.com/auth/azure which sets the cookie:

state=outline.mydomain.com|aexxxxxxxxab9|web; path=/; expires=Sat, 18 Nov 2023 14:32:16 GMT; domain=outline.mydomain.com; secure; httponly

The response is a 302 redirect to
https://login.microsoftonline.com/common/oauth2/authorize?prompt=select_account&resource=000[snip]000&originalQuery=&response_type=code&redirect_uri=https%3A%2F%2Foutline.mydomain.com%2Fauth%2Fazure.callback&scope=&state=aexxxxxxxxab9&client_id=[my client id]

Once I log in there is a call to https://login.microsoftonline.com/kmsi which sets a bunch of MS cookies and is a 302 to https://outline.mydomain.com/auth/azure.callback?. I won't post the whole var string but there is a state=aexxxxxxxxab9 in there as well as a "session_state" code.

That call to https://outline.mydomain.com/auth/azure.callback? sets one cookie:
state=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=outline.mydomain.com; secure; httponly

So for some reason when the callback is called, containing the state variable, the cookie gets cleared and it redirects to
https://outline.mydomain.com/?notice=auth-error

[turbo2ltr]

Uhg, I copied the "Secret ID" instead of the value. I saw "secret" and assumed it was the actual secret, but the "value" is the actual secret.

Edit: I should add that I think part of the issue may have been the server time was off meaning the cookie was expired as soon as it was written (?). In any case it works now.

Side note, the docs on this page https://docs.getoutline.com/s/hosting/doc/microsoft-azure-UVz6jsIOcv are slightly out of date as Active Directory is now called Entra ID

[tommoor]

Thanks, docs are updated to reflect