From b67120ef79328773cab1bc53cdf293bee8679653 Mon Sep 17 00:00:00 2001
From: jenkins <jenkins@bstein.dev>
Date: Thu, 21 May 2026 01:54:24 -0300
Subject: [PATCH] agent(openclaw): isolate oauth cookie state

---
 services/openclaw/oauth2-proxy-agent.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/services/openclaw/oauth2-proxy-agent.yaml b/services/openclaw/oauth2-proxy-agent.yaml
index e441bdc3..e43dd4f7 100644
--- a/services/openclaw/oauth2-proxy-agent.yaml
+++ b/services/openclaw/oauth2-proxy-agent.yaml
@@ -97,8 +97,11 @@ spec:
             - --set-xauthrequest=true
             - --pass-access-token=true
             - --set-authorization-header=true
+            - --reverse-proxy=true
+            - --cookie-name=_oauth2_proxy_agent
             - --cookie-secure=true
             - --cookie-samesite=lax
+            - --cookie-csrf-per-request=true
             - --cookie-refresh=20m
             - --cookie-expire=168h
             - --insecure-oidc-allow-unverified-email=true