Hello!
I am having an issue with Google Chrome version 84.0.4147.125. The browser can't set the cookie in the response headers from ory/hydra (public port).
When I request the URL below and log in successfully, the Hydra server responds with the error request_forbidden.
Request:
https://<host_name>/oauth2/auth?client_id=web-client&redirect_uri=https%3A%2F%2F<my_hostname>%2Fcallback&scope=openid%20offline&response_type=code&state=ddg9w3hxk5q9semh5pu48c
Response: request_forbidden
Server LOG:
time="2020-08-14T06:52:29Z" level=error msg="An error occurred" debug="No CSRF value available in the session cookie" description="The request is not allowed" error=request_forbidden hint="You are not allowed to perform this action.",
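But it works fine on Chromium and Firefox. It looks like Chrome can't set the cookie oauth2_authentication_csrf in the browser. These are my screenshots from the 3 browsers.
Chrome with warning:
![chrome](https://user-images.githubusercontent.com/55325916/90222333-0f07ef80-de36-11ea-8083-fd35605fa608.png)
Chromium and Firefox work fine.
![chromium](https://user-images.githubusercontent.com/55325916/90222359-1cbd7500-de36-11ea-9936-fa89794ddbec.png)
![firefox](https://user-images.githubusercontent.com/55325916/90222371-22b35600-de36-11ea-9bd3-786fd970c69d.png)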
tienvnz98 changed the title from "Cookie isse with google chrome Version 84.0.4147.125 (http can't set cookie for browser) request_forbidden." to "Cookie issue with google chrome Version 84.0.4147.125 (http can't set cookie for browser) request_forbidden." on Aug 14, 2020
Thank you for the report, we are currently working on a fix. Here's our report for now.

Google Chrome changed the behavior of SameSite=None so that it is not possible to use this SameSite mode without the HTTP Cookie secure flag.

If you run a version of ORY Hydra 1.6 and below and experience this issue:

- Make sure to not use the --dangerous-force-http flag
- Set configuration value serve.cookies.same_site_mode or environment variable SERVE_COOKIES_SAME_SITE_MODE to Lax - this happens automatically for ORY Hydra 1.7+ when running in HTTP mode.
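
As an added example that is not part of this thread or of ORY Hydra's code, the following Go program checks Set-Cookie header values for the combination described above: SameSite=None without the Secure attribute. The function name `auditSetCookies`, the `Finding` type, and the sample headers (including the cookie names `sample_secure` and `sample_lax`) are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
)

// Finding is one cookie that asks for SameSite=None without Secure.
type Finding struct {
	Name string
	Fix  string
}

// auditSetCookies parses raw Set-Cookie header values and reports every
// cookie that requests SameSite=None without the Secure attribute.
// servedOverTLS selects which remediation is suggested.
func auditSetCookies(setCookie []string, servedOverTLS bool) []Finding {
	// Reuse the standard library parser by wrapping the values in a response.
	resp := http.Response{Header: http.Header{"Set-Cookie": setCookie}}
	var findings []Finding
	for _, c := range resp.Cookies() {
		if c.SameSite != http.SameSiteNoneMode || c.Secure {
			continue // Lax, Strict, unset, or None together with Secure
		}
		fix := "serve over HTTPS or set serve.cookies.same_site_mode to Lax"
		if servedOverTLS {
			fix = "add the Secure attribute"
		}
		findings = append(findings, Finding{Name: c.Name, Fix: fix})
	}
	return findings
}

func main() {
	// Constructed sample headers, not captured from a real Hydra instance.
	headers := []string{
		"oauth2_authentication_csrf=constructed; Path=/; HttpOnly; SameSite=None",
		"sample_secure=constructed; Path=/; HttpOnly; Secure; SameSite=None",
		"sample_lax=constructed; Path=/; HttpOnly; SameSite=Lax",
	}
	for _, f := range auditSetCookies(headers, false) {
		fmt.Printf("%s: SameSite=None without Secure; %s\n", f.Name, f.Fix)
	}
}
```

Feed it the Set-Cookie values copied from the browser's network panel or from a proxy capture of the /oauth2/auth response.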
I still get this issue on oryd/hydra:v1.0.8 with Chrome 114.0.5735.198. If I remove the --dangerous-force-http flag, it tells me "Config file not found because "Config File ".hydra" Not Found in "/""