There is 1 comment.
 
 
OpenId Connect / OIDC-256 Open

Authenticator Callback - Cannot invoke "javax.servlet.http.HttpSession.getId()" because "httpSession" is null

 

 
Thomas Mortagne on 03/Sep/25 10:28
 

Setting the cookie configuration (https://stackoverflow.com/questions/57505939/how-to-set-samesite-cookie-in-tomcats-cookie-processor) to "lax" via the init script solved the problem.

Thanks for the debug Michael Schröder. I indeed imagine it's not possible to do OpenID Connect with a SameSite=Strict session cookie (since 90% of the time OpenID Connect is a ping/pong between two different domains). I feel like this is related to the helm chart in some way, as you are the first one to report this problem. XWiki does not set SameSite, and the Tomcat documentation seems to suggest it does not set it either by default.
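
An added illustration, not part of the issue or of XWiki's code: a simplified model of the browser's SameSite decision for the session cookie when the identity provider sends the user back to the callback. The host names, the callback path and the session value are constructed, and the "site" computation is a simplification of what browsers do with the Public Suffix List.

```python
"""Model: is the session cookie attached to the OIDC callback request?"""
from urllib.parse import urlsplit

# Constructed values for illustration; none of them come from the issue.
WIKI = "https://wiki.example.org"
IDP = "https://idp.example.net"
CALLBACK = WIKI + "/oidc/callback"      # hypothetical callback path
SESSION_COOKIE = "JSESSIONID=abc123"    # constructed session id

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def site(url):
    """Simplified 'site': scheme plus the last two host labels."""
    parts = urlsplit(url)
    return parts.scheme, ".".join(parts.hostname.split(".")[-2:])


def cookie_sent(same_site, initiator, target, method="GET", top_level=True):
    """Return True if a cookie with this SameSite mode is attached."""
    if site(initiator) == site(target):
        return True                     # same-site requests always carry it
    mode = same_site.lower()
    if mode == "none":
        return True                     # browsers also require Secure here
    if mode == "lax":
        # Cross-site: only top-level navigations with a safe method.
        return top_level and method in SAFE_METHODS
    return False                        # strict: never on cross-site requests


def callback_session(same_site, response_mode="query"):
    """Session cookie the callback request carries, or None if withheld.

    The navigation is initiated from the identity provider's site, so it is
    cross-site from the browser's point of view. response_mode=form_post
    makes the callback a cross-site POST instead of a GET redirect.
    """
    method = "POST" if response_mode == "form_post" else "GET"
    sent = cookie_sent(same_site, IDP + "/authorize", CALLBACK, method)
    return SESSION_COOKIE if sent else None


if __name__ == "__main__":
    for mode in ("Strict", "Lax", "None"):
        for response_mode in ("query", "form_post"):
            print(mode, response_mode, callback_session(mode, response_mode))
```

With `Strict` the callback arrives without the session cookie, so the server cannot find the session that started the login; `Lax` restores it for the redirect-based callback, but a `form_post` callback would still arrive without it.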