Ensure OIDC login works in combination with SameSite strict settings of open-api-framework

[alextreme]

open-api-framework issue, raised by @sergei-maertens

SESSION_COOKIE_SAMESITE = config(
    "SESSION_COOKIE_SAMESITE",
    "Strict",
    help_text=(
        "The value of the SameSite flag on the session cookie. This flag prevents the "
        "cookie from being sent in cross-site requests thus preventing CSRF attacks and "
        "making some methods of stealing session cookie impossible."
    ),
)

This doesn't work well with Google OIDC (and likely Azure since someone else was running into similar issues). It needs to be set to "Lax". Note that this probably not a problem as soon as you are logged in to google, keycloak can then re-use the existing google session, but for the first login, shit breaks

Suggested workaround: set the session cookie to 'lax' during the oidc login-flow using a custom middleware in mozilla-django-oidc-db, and revert it back to 'strict' afterwards

[sergei-maertens]

Workaround being tested/applied here: GPP-Woo/GPP-publicatiebank#29

[alextreme]

@Coperh discussed with Sergei and please set the default to Lax for now, this should be sufficient for the AMS issue (as the complaint was that SameSite wasn't set)

[joeribekker]

All components that use the latest OAf will not work with OIDC due to this.
Currently:

• Open Zaak 🔧[maykinmedia/open-api-framework#68] fix CSP errors open-zaak/open-zaak#1772
• Open Notifications 🔧[maykinmedia/open-api-framework#68] fix CSP errors open-zaak/open-notificaties#190
• Objects API 🔧[maykinmedia/open-api-framework#68] fix CSP errors objects-api#458
• Objecttypes 🔧[makinmedia/open-api-framework#68] fix CSP errors objecttypes-api#131

Apply workaround that Sergei mentioned.