Figured it out with the help of @lsenjov. :same-site in the cookie attributes was set to :strict , needed to be :lax to get the same cookie when redirecting back from the oauth authorisation.