From 4daf986f3ee8471c25e95bf5b5e1821039123442 Mon Sep 17 00:00:00 2001
From: ChiaraBm
Date: Mon, 9 Feb 2026 12:22:03 +0100
Subject: [PATCH] Added option for oidc to disable https only cookies for deployments using an ip
---
 Moonlight.Api/Configuration/OidcOptions.cs | 1 +
 Moonlight.Api/Startup/Startup.Auth.cs | 6 ++++++
 2 files changed, 7 insertions(+)
diff --git a/Moonlight.Api/Configuration/OidcOptions.cs b/Moonlight.Api/Configuration/OidcOptions.cs
index a99cda3d..bf7c0625 100644
--- a/Moonlight.Api/Configuration/OidcOptions.cs
+++ b/Moonlight.Api/Configuration/OidcOptions.cs
@@ -4,6 +4,7 @@ public class OidcOptions
 {
 public string Authority { get; set; }
 public bool RequireHttpsMetadata { get; set; } = true;
+ public bool DisableHttpsOnlyCookies { get; set; }
 public string ResponseType { get; set; } = "code";
 public string[]? Scopes { get; set; }
 public string ClientId { get; set; }
diff --git a/Moonlight.Api/Startup/Startup.Auth.cs b/Moonlight.Api/Startup/Startup.Auth.cs
index 03560c09..2b42c4d9 100644
--- a/Moonlight.Api/Startup/Startup.Auth.cs
+++ b/Moonlight.Api/Startup/Startup.Auth.cs
@@ -74,6 +74,12 @@ public partial class Startup
 options.Authority = oidcOptions.Authority;
 options.RequireHttpsMetadata = oidcOptions.RequireHttpsMetadata;
+ if (oidcOptions.DisableHttpsOnlyCookies)
+ {
+ options.NonceCookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
+ options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
+ }
+
 var scopes = oidcOptions.Scopes ?? ["openid", "email", "profile"];
 options.Scope.Clear();
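Review bot: The new `DisableHttpsOnlyCookies` property in OidcOptions has no doc comment, and its name reads as if it covered every cookie, while the only use visible in this patch relaxes the OIDC nonce and correlation cookies. Since this is a security-relevant opt-out that defaults to off, I would document the scope and the intended use on the property, for example `/// <summary>Lets the OIDC nonce and correlation cookies be issued without the Secure attribute on plain-HTTP requests. Leave false unless the instance cannot be served over HTTPS.</summary>`. The class body continues outside the hunk, so whether the other options carry doc comments cannot be seen from here.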
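Review bot: With `CookieSecurePolicy.SameAsRequest` the nonce and correlation cookies lose the `Secure` attribute on plain-HTTP requests, but ASP.NET Core creates both with `SameSite=None` by default and current browsers drop `SameSite=None` cookies that are not `Secure`; unless SameSite is changed outside this hunk, sign-in over HTTP will probably still fail with a correlation error. If HTTP has to be supported, the `if` block would likely also need `options.NonceCookie.SameSite = SameSiteMode.Lax;` and `options.CorrelationCookie.SameSite = SameSiteMode.Lax;`, together with a query response mode, because Lax cookies are not sent on a cross-site form post. The relaxation also applies to every request rather than only to IP-based deployments, so a TLS-terminating proxy that does not forward the original scheme would silently strip `Secure` too; logging a startup warning when the flag is enabled would make that state visible to operators. The enclosing options lambda starts and ends outside the hunk.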