Next.js Discord


Cookies not being sent when user is redirected to a subdomain

Unanswered
Standard Chinchilla posted this in #help-forum
Users log in via an OAuth server and are redirected to an API route in my Next.js 14 application. This API route is located in the root domain ("http://localhost:3000/api/callback"). It sets some cookies and then redirects the users to a subdomain ("http://tenant1.localhost:3000/dashboard").

When the redirect happens, the browser receives a 307 response with the cookies in the request response header as expected. However, when the browser sends the new GET request to the subdomain URL (in response to the redirect), it doesn't include the cookies.

If I do a redirect to the root domain, the GET request does include the cookies.

How can I include the cookies in the request to the subdomain?

I have tried every possible combination of cookie settings that I can think of (same-site, domain, secure, http-only, etc.). This is how it currently stands:

```js
import { cookies } from 'next/headers';

cookies().set({
  name: 'access_token',
  value: access_token,
  httpOnly: false,
  domain: 'localhost',
  secure: true,
  sameSite: 'none',
  maxAge: data.expires_in,
});
```


The redirect is currently hardcoded like this:
```js
redirect('http://tenant1.localhost:3000/dashboard');
```


I also tried to set the domain field in the cookie to things like ".localhost", "localhost:3000", and "tenant1.localhost", but nothing seems to work. I must be missing something very basic...

Thanks!

0 Replies
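
As an added example (not part of the original post and not Next.js code), the sketch below applies the RFC 6265 storage and matching rules to each Domain value tried above, with `localhost` as the host that sets the cookie and `tenant1.localhost` as the redirect target. The `isPublicSuffix` predicate and the option of treating `localhost` as a public suffix are assumptions, since the post does not say which browser was used; under that assumption the model gives the outcome the post reports (cookie sent to the root host, not to the subdomain).

```javascript
// Added example: RFC 6265 handling of the Domain values tried in the post.
// isPublicSuffix is a hypothetical predicate; a browser treating "localhost"
// as a public suffix is an assumption, not something the post confirms.

// RFC 6265 section 5.1.3: does `host` domain-match `domain`?
function domainMatches(host, domain) {
  if (host === domain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
  return !isIp && host.endsWith('.' + domain);
}

// RFC 6265 sections 5.2.3 and 5.3 (steps 5-6): decide how a cookie is stored.
// Returns null when the user agent ignores the cookie entirely.
function storeCookie(requestHost, domainAttr, isPublicSuffix = () => false) {
  let domain = (domainAttr || '').toLowerCase();
  if (domain.startsWith('.')) domain = domain.slice(1); // leading dot is dropped
  if (domain && isPublicSuffix(domain)) {
    if (domain !== requestHost) return null; // suffix-wide cookie is refused
    domain = '';                             // same host: kept as host-only
  }
  if (domain === '') return { domain: requestHost, hostOnly: true };
  if (!domainMatches(requestHost, domain)) return null; // e.g. "localhost:3000"
  return { domain, hostOnly: false };
}

// RFC 6265 section 5.4: is the stored cookie attached to a request for `host`?
function sentTo(cookie, host) {
  if (cookie === null) return false;
  return cookie.hostOnly ? host === cookie.domain : domainMatches(host, cookie.domain);
}

// Cookie set by the callback host, then checked against root and tenant hosts.
function check(domainAttr, isPublicSuffix) {
  const stored = storeCookie('localhost', domainAttr, isPublicSuffix);
  return {
    stored,
    sentToRoot: sentTo(stored, 'localhost'),
    sentToTenant: sentTo(stored, 'tenant1.localhost'),
  };
}

const localhostIsSuffix = (d) => d === 'localhost'; // assumption, see lead-in
for (const attr of ['localhost', '.localhost', 'localhost:3000', 'tenant1.localhost', undefined]) {
  console.log(String(attr), check(attr), check(attr, localhostIsSuffix));
}
```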