OIDC login via Discourse iOS app occasionally fails with csrf_detected on callback

Extra data point from nginx access logs:

A representative failure (2026-01-25 11:44:10 UTC) shows the OIDC callback request is coming from an iOS in-app browser UA (Snapchat), not the Discourse iOS app webview UA:

GET /auth/oidc/callback?...state=... 302
UA: Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) ... Snapchat/13.76.1.0 (like Safari/..., panda)
Referer: https://login.microsoftonline.com/

Immediately followed by:
GET /auth/failure?message=csrf_detected&strategy=oidc

So it looks like the OAuth flow is sometimes initiated inside an iOS in-app browser (Snapchat/other),
then the handoff occurs (I’ve also seen logs containing auth_redirect=discourse://auth_redirect),
and the session cookie/state doesn’t survive consistently.

Current setting: SiteSetting.same_site_cookies = "Lax".

Question: is Discourse’s mobile app auth flow expected to be reliable when the login is initiated from iOS in-app browsers that then deep-link into the Discourse app?
Would switching same_site_cookies to “None” be the recommended mitigation here, or is there a better approach?
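As an added illustration that is not part of this post: a small Python script that pairs each /auth/oidc/callback request with a csrf_detected failure from the same client in nginx combined-format access logs, and flags the pairs whose callback came from an in-app browser UA. The log format, the constructed sample lines, the documentation-range IPs and the in-app UA markers other than Snapchat are assumptions, not anything from Discourse itself.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# nginx "combined" format: addr - user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) \S+" '
                     r'(?P<status>\d{3}) \d+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# UA substrings treated as iOS in-app browsers (Snapchat is from the post; the rest are assumptions)
IN_APP_MARKERS = ("Snapchat", "FBAN", "FBAV", "Instagram")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(d["target"])
    d["path"], d["query"] = url.path, parse_qs(url.query)
    return d


def is_in_app_browser(ua):
    return any(marker in ua for marker in IN_APP_MARKERS)


def find_csrf_failures(lines, window_seconds=5):
    """Pair each /auth/oidc/callback with a csrf_detected failure from the same IP within the window."""
    pending, hits = {}, []          # pending: ip -> most recent callback seen from that ip
    for e in filter(None, map(parse_line, lines)):
        if e["path"] == "/auth/oidc/callback":
            pending[e["ip"]] = e
        elif e["path"] == "/auth/failure" and e["query"].get("message") == ["csrf_detected"]:
            cb = pending.pop(e["ip"], None)
            if cb and 0 <= (e["ts"] - cb["ts"]).total_seconds() <= window_seconds:
                hits.append({"ip": cb["ip"], "time": cb["ts"].isoformat(),
                             "referer": cb["referer"], "in_app_browser": is_in_app_browser(cb["ua"])})
    return hits


# Constructed sample lines modelled on the post (documentation-range IPs, tokens redacted, UA versions made up)
SNAP_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) Snapchat/13.76.1.0 (like Safari/0.0, panda)"
SAFARI_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148"
SAMPLE_LOG = [
    f'203.0.113.7 - - [25/Jan/2026:11:44:10 +0000] "GET /auth/oidc/callback?code=REDACTED&state=REDACTED HTTP/1.1" 302 0 "https://login.microsoftonline.com/" "{SNAP_UA}"',
    f'203.0.113.7 - - [25/Jan/2026:11:44:11 +0000] "GET /auth/failure?message=csrf_detected&strategy=oidc HTTP/1.1" 302 0 "-" "{SNAP_UA}"',
    f'198.51.100.4 - - [25/Jan/2026:11:45:02 +0000] "GET /auth/oidc/callback?code=REDACTED&state=REDACTED HTTP/1.1" 302 0 "https://login.microsoftonline.com/" "{SAFARI_UA}"',
    f'198.51.100.4 - - [25/Jan/2026:11:45:03 +0000] "GET /latest HTTP/1.1" 200 5120 "-" "{SAFARI_UA}"',
]
```

Running `find_csrf_failures(SAMPLE_LOG)` returns one hit for 203.0.113.7 with in_app_browser set, while the Safari-UA login that succeeded is not reported; pointing it at real logs gives a quick count of how many csrf_detected failures come from in-app browsers versus ordinary clients before changing same_site_cookies.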