finally the problem was due to the “sameSite: ‘strict’”, the domain of my external login is not the same of my site, so the cookie was not accessible because the requests to my callback came from an external domain and the redirection was to an internal domain, so the cookie did not exist, this was fixed using the rule “sameSite: ‘lax’”