- Bug
- Resolution: Fixed
- Low
- None
- 1
- Severity 3 - Minor
Issue Summary
Portal-only customers cannot authenticate cross-site requests to the JSM public API (e.g. to /rest/servicedeskapi/knowledgebase/article?query=article) using session-cookie-based auth in Chrome.
This is likely due to recent changes in Chrome to phase out third-party cookie usage by 2022 (similar to what Safari has done: https://jira.atlassian.com/browse/JSDCLOUD-9287).
For now, this issue can be fixed by explicitly setting the `SameSite` value for customer account session cookies.
References:
- https://www.theverge.com/2020/1/14/21064698/google-third-party-cookies-chrome-two-years-privacy-safari-firefox
- https://www.chromestatus.com/feature/5088147346030592
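How the `SameSite` attribute decides whether a session cookie accompanies a cross-site API call, as an added example (not Atlassian's code). It is a simplified model of Chrome's SameSite-by-default behaviour that assumes HTTPS requests; the cookie name and value are constructed.

```javascript
// Simplified model of Chrome's SameSite cookie handling (HTTPS assumed).
// Added illustration; cookie names and values below are constructed.

// Parse a Set-Cookie header into { name, secure, sameSite }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.split("=")[0], secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim());
    if (key.toLowerCase() === "secure") cookie.secure = true;
    if (key.toLowerCase() === "samesite") cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

// Decide whether the browser attaches the cookie to a request.
// req: { crossSite: boolean, topLevelNavigation: boolean, method: string }
function isCookieSent(header, req) {
  const c = parseSetCookie(header);
  // A missing or unrecognised SameSite value is treated as Lax.
  const mode = ["strict", "lax", "none"].includes(c.sameSite) ? c.sameSite : "lax";
  // SameSite=None without Secure is rejected when the cookie is set.
  if (mode === "none" && !c.secure) return false;
  if (!req.crossSite) return true;
  if (mode === "none") return true;
  if (mode === "strict") return false;
  // Lax: only cross-site top-level navigations using a safe method.
  return req.topLevelNavigation && ["GET", "HEAD", "OPTIONS", "TRACE"].includes(req.method);
}

// Constructed inputs: a knowledge base search issued from a third-party page.
const apiCall = { crossSite: true, topLevelNavigation: false, method: "GET" };
const legacy = "customer.session=abc123; Path=/; HttpOnly; Secure";
const fixed = "customer.session=abc123; Path=/; HttpOnly; Secure; SameSite=None";
console.log("no SameSite attribute:", isCookieSent(legacy, apiCall));
console.log("SameSite=None; Secure:", isCookieSent(fixed, apiCall));
```

Because `SameSite=None` attaches the session cookie to every cross-site request, endpoints that accept it need their own CSRF defence and a restrictive CORS allow-list.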
Steps to Reproduce
- Set up a service project in JSM with a knowledge base
- Create a portal-only user with access as a customer on this service project
- Try to search and view the knowledge base authenticated as the portal-only customer from within a third-party app (e.g. Refined Theme).
Expected Results
The portal-only customer can view the knowledge base article (same as an Atlassian account)
Actual Results
The user sees an error that "The action requires a logged in user. Please log in and try again." The API request fails with a 401 response.
Workaround
Use a different browser (e.g. Firefox).
- relates to
  - JRASERVER-70471 Implement SameSite policy support - Gathering Interest
  - JSDCLOUD-9287 Third-party cookie blocking in Safari - Gathering Interest
  - DEVHELP-5320