CookiePolicyOptions sets minimumsamesitelevel to lax by default and that breaks oauth providers

[javiercn]

This happens when you plug-in the cookie policy middleware on the app and use an oauth provider for authentication.

[Eilon]

We don't believe there is anything safe we can do right now. Here are some thoughts from our discussion:

1. Changing the default SameSite cookie policy to a less-secure option (from Lax to None) is not an option because that can be dangerous for sites.
2. We could add a way for cookies to declare themselves as "I don't care about no stinkin' policy", and we would do that for the cookies used with remote providers (e.g. OAuth, OIDC, WsFed).
3. We could add new features to policies to make them named and have different types of policies apply to different types of cookies.

[Eilon]

@blowdart - let's discuss when you're back whether we can lower the default to None.

[muratg]

Triage: We can drop this to None only if we check ALL the cookies the ASP.NET stack drops to see if they have appropriate value.