In my testing, responseMode: "form_post" and pkceEnabled: true don't work together. I believe this may be because form_post adds a redirect, and the SameSite=lax rules filter out the cookie(s) storing the code verifier (and/or Payload's auth cookie?) when you're redirected back to the callback endpoint. Tested in current Firefox and Chrome. Not sure what the best fix here would be.
...I don't know if pkceEnabled and form_post are both required in the wild though. I've been testing with a homelab auth provider, not Apple, so I can just turn off form_post.
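The SameSite behaviour the comment above points at, as an added example that is not part of the original comment or of the plugin's code: a simplified model of the browser's SameSite check, applied to the callback request that each response mode produces. The cookie names, the hosts `idp.example` and `app.example`, and the function names are assumptions made for illustration, and only cookies with an explicit SameSite attribute are modelled.

```javascript
// Simplified model of the browser's SameSite check (explicit attributes only).
// All cookie names and hosts below are constructed for illustration.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

function cookieIsSent(cookie, request) {
  const crossSite = request.initiatorSite !== request.targetSite;
  if (!crossSite) return true; // same-site requests always carry the cookie
  switch (cookie.sameSite) {
    case "None":
      return cookie.secure === true; // None without Secure is rejected
    case "Lax":
      // Lax: cross-site only on top-level navigations with a safe method
      return request.topLevelNavigation && SAFE_METHODS.has(request.method);
    case "Strict":
      return false; // never sent on cross-site requests
    default:
      throw new Error(`unknown SameSite value: ${cookie.sameSite}`);
  }
}

// The request that reaches the app's callback endpoint for a response mode.
function callbackRequest(responseMode) {
  // query: the provider answers with a redirect, so the browser issues a GET.
  // form_post: the provider's page auto-submits a form, so it issues a POST.
  const method = responseMode === "form_post" ? "POST" : "GET";
  return {
    method,
    topLevelNavigation: true,
    initiatorSite: "idp.example", // hypothetical identity provider
    targetSite: "app.example",    // hypothetical app hosting the callback
  };
}

function cookiesOnCallback(responseMode, jar) {
  const req = callbackRequest(responseMode);
  return jar.filter((c) => cookieIsSent(c, req)).map((c) => c.name);
}

// Constructed cookie jar: one verifier cookie per SameSite policy.
const jar = [
  { name: "pkce_verifier_lax", sameSite: "Lax", secure: true },
  { name: "pkce_verifier_none", sameSite: "None", secure: true },
  { name: "session_strict", sameSite: "Strict", secure: true },
];

for (const mode of ["query", "form_post"]) {
  console.log(mode, "->", cookiesOnCallback(mode, jar));
}
```

In this model the Lax verifier cookie reaches the callback in query mode but not in form_post mode, while a `SameSite=None; Secure` cookie reaches it in both.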