I’m seeing OIDC failures in Discourse logs: `CSRFTokenVerifier::InvalidCSRFToken` on `/auth/oidc` (POST)

Ethsim2 · February 11, 2026, 7:26am

Hi all,

I’m running Discourse 2026.2.0-latest (26f3e2aa87)
(Docker install, default nginx template, no Cloudflare). I have OpenID Connect enabled (Microsoft Entra / Azure AD).

When a user tries to sign up / log in via OIDC, Discourse records an error:

(oidc) Authentication failure! CSRFTokenVerifier::InvalidCSRFToken

In the log entry I can see the request is:

REQUEST_URI: /auth/oidc
REQUEST_METHOD: POST
Referrer: /signup

same_site_cookies is currently set to Lax.

My working theory is that the IdP is returning using response_mode=form_post (cross-site POST), so with SameSite=Lax the session cookie may not be included on the callback, causing Discourse’s CSRF verification to fail.

Questions:

Is setting same_site_cookies = None the recommended / supported fix for OIDC providers that use form_post callbacks?
If not, is there a recommended way to configure Discourse OIDC (or the IdP) so the callback is a GET (query) rather than form_post, to avoid needing SameSite=None?
Are there any security/compatibility caveats with SameSite=None specifically for Discourse OIDC signups/logins?

Thanks!

Topic		Replies	Views
OIDC login via Discourse iOS app occasionally fails with csrf_detected on callback SSO openid-connect	4	64	February 2, 2026
CSRF problem in development with 'Discourse OpenID Connect' plug-in Dev	8	1008	October 28, 2023
"Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError" Error due to missing session["omniauth.state"] SSO unsupported-install	5	5195	May 29, 2020
OAuth2 Authentication Failure: CSRF Detected Error SSO oauth2	0	117	April 29, 2025
OAuth2 csrf_detected with Discord 'Connect' functionality SSO	15	2146	July 6, 2022

I’m seeing OIDC failures in Discourse logs: `CSRFTokenVerifier::InvalidCSRFToken` on `/auth/oidc` (POST)

Related topics