How can I redirect after OAuth2 with SameSite=Strict and still get my cookies?

I don’t think that this can be done, for security reasons. SameSite=Strict means that if the user has been redirected or has just clicked a link to your site (from another host), the cookie shouldn’t be sent. And redirecting is like ‘chaining’ requests. So if your server redirects to another server and that server redirects back immediately with a 3xx code, the cookie will be sent, because your server is ‘on top’ of this chain.

However, if you redirect to the OAuth provider and the user has to allow you access to their account there, this ‘chain’ is broken, and the cookie will no longer be sent even if your site sets it (it is set, however, not sent). Your redirect is just an ‘extension’ of the clicked ‘allow’ link.

If you want to prevent others from click-jacking your site, just use a nonce in the link if you think you have to prevent that kind of behavior, and it can be dangerous if you don’t. But consider that most providers check for you whether the redirect URL was previously defined and allowed by your app.

Here are other solutions (use only if you know what you’re doing and can take 100% responsibility yourself).

  • Prepare a site with a ‘Continue to site’ link (the cookie will of course be sent after clicking the link)
  • Reload the window with JavaScript
  • Prepare a site with JavaScript which will redirect the user
  • Combine the first and third methods for a cleaner solution that also works without JavaScript support in the browser.

I used the second while developing; now I am using SameSite=Lax (this was the default in Hapi up to maybe version 15, so it isn’t so bad).
