spring boot 2.1+(spring framework 5.1+) applies `samesite=Lax` attribute to session cookie by default
After boot 2.1, DefaultCookieSerializer applies samesite=lax attribute by default. As a result, the security risk was decreased.
But in the OAuth2 authentication process, OAuth2 provider can pass the data by POST method. It can't work with samesite=lax attribute(A browser won't send cookie).
You can configure the default behavior by following bean definition.
@Bean
public CookieSerializer cookieSerializer() {
DefaultCookieSerializer cookieSerializer = new DefaultCookieSerializer();
cookieSerializer.setSameSite(null);
return cookieSerializer;
}