# Client sign-in OAuth not working after Deployment

10 messages · Page 1 of 1 (latest)

full mango
#

I tested Google OAuth sign-in on localhost, and it did work as expected, but when I deployed the backend and storefront (https), something weird occurs...

As the process goes: the Google login screen prompts to select an account, then after selecting a Google account it starts loading, creates the user at the backend (I checked it's there) and then redirects with success to the storefront with access_token in the URL params as expected.

But when trying to navigate to the Account page (/account), it loads the login screen again. It turned out that the storefront didn't set the jwt cookie after the redirect.. no errors/info on either client/backend. I tried to log the access_token from the headers in the storefront, and it showed undefined, whereas on localhost it is there!

If I take the access_token and put it in the browser cookies, it works.

Also, I tried the default manual account sign-up and login, and it works as expected.

deployed logs:

token from getMedusaHeaders undefined

headers from getCustomer { next: { tags: [ 'customer' ] }, authorization: '' }

Localhost logs:

token from getMedusaHeaders eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkb21haW4iOiJ...

headers from getCustomer {
  next: { tags: [ 'customer' ] },
  authorization: 'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkb21haW4iOiJ...
}

Also tried switching ENV from development to production, it didn't change anything.

Does anyone know what might be the case here?

lime garnet
#

The issue is cross domain cookies

#

In lax mode it will send cross-domain cookies only when a top-level request is sent.

full mango
#

I currently have this setup in the storefront:

cookies().set("_medusa_jwt", access_token, {
  maxAge: 60 * 60 * 24 * 7,
  httpOnly: true,
  sameSite: "lax",
  secure: process.env.APP_ENV === "production",
  domain: process.env.APP_DOMAIN,
})

Is this right? What else might I need?

lime garnet
#

Try secure: true.. sameSite: none
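Added example, not from the thread or from Medusa's code: a small check of the cookies().set options posted above against the browser rules behind both replies (SameSite=None is only accepted with Secure, a Domain attribute must match the storefront host, Lax cookies are only sent on top-level navigations). Hostnames and env values are assumed.

```javascript
// Rules as enforced by current browsers (RFC 6265bis):
//  - SameSite=None is rejected unless the cookie is also Secure.
//  - A Secure cookie is only stored when set over https.
//  - Domain must equal the setting host or be a parent of it; a cookie
//    whose Domain does not match is silently dropped (no error anywhere).
//  - SameSite=Lax cookies ride along on top-level cross-site GET
//    navigations (e.g. the redirect back from the OAuth provider) but
//    not on cross-site subrequests such as fetch() from another origin.

// Returns a list of reasons the browser would refuse to store the cookie.
function checkCookieOptions(opts, ctx) {
  const problems = [];
  const sameSite = (opts.sameSite || "lax").toLowerCase();
  if (sameSite === "none" && !opts.secure) {
    problems.push("sameSite=none requires secure=true; cookie rejected");
  }
  if (opts.secure && ctx.protocol !== "https:") {
    problems.push("secure cookie set over plain http is dropped");
  }
  if (opts.domain) {
    const d = opts.domain.replace(/^\./, "").toLowerCase();
    const h = ctx.host.toLowerCase();
    if (!(h === d || h.endsWith("." + d))) {
      problems.push(`domain=${opts.domain} does not match host ${ctx.host}; cookie rejected`);
    }
  }
  return problems;
}

// Would an already stored cookie be attached to this request?
function cookieSentOn(opts, req) {
  const sameSite = (opts.sameSite || "lax").toLowerCase();
  if (req.sameSite) return true;                 // same-site: always sent
  if (sameSite === "none") return true;          // cross-site allowed (Secure assumed)
  if (sameSite === "lax") return req.topLevelNavigation && req.method === "GET";
  return false;                                  // strict: never cross-site
}

// Constructed values standing in for APP_ENV / APP_DOMAIN on the deployed storefront.
const deployedOpts = {
  maxAge: 60 * 60 * 24 * 7,
  httpOnly: true,
  sameSite: "lax",
  secure: "production" === "production",
  domain: "shop.example.com",
};
console.log(checkCookieOptions(deployedOpts, { protocol: "https:", host: "shop.example.com" }));
```

Run the check with the real APP_DOMAIN and the deployed host; a non-empty list explains a cookie that vanishes without any client or server error.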

full mango
#

I actually found out that this getToken() function is used only for backend Auth, and the google OAuth doesn't use this function.

I tried removing the function while logging with google locally, and it did work.

The strange thing is that it's the only function that does cookies.set("_medusa_jwt", access_token).

lime garnet
#

One sec.. is this for admin or storefront?

full mango