 

Keycloak: Session cookies are missing within the token request with the new Chrome SameSite/Secure cookie enforcement

Recently my application using Keycloak stopped working with a 400 token request after authenticating.

What I found so far is that within the token request, the Keycloak cookies (AUTH_SESSION_ID, KEYCLOAK_IDENTITY, KEYCLOAK_SESSION) are not sent within the request headers causing the request for a token to fail and the application gets a session error.

By digging more, I found that Chrome blocks now cookies without SameSite attribute set, which is the case for the keycloak cookies and that's why they are never parsed within the token acquisition request after authenticating.

The error I get:

(error screenshot not reproduced here)

https://blog.chromium.org/2019/10/developers-get-ready-for-new.html

https://adzerk.com/blog/chrome-samesite/

This is very serious as it prevents applications secured by the Keycloak library from communicating with the Keycloak server.

Update: With the new Google Chrome SameSite cookie enforcement, any third-party library using cookies without the SameSite attribute properly set will have those cookies ignored. https://blog.chromium.org/2019/10/developers-get-ready-for-new.html

https://www.chromium.org/updates/same-site

Ziko asked Mar 10 '20 16:03

1 Answer

If you are facing this issue while using the keycloak-js adapter, then the reason for this issue is:

By default, the JavaScript adapter creates a hidden iframe that is used to detect if a Single-Sign Out has occurred. This does not require any network traffic, instead the status is retrieved by looking at a special status cookie.

Workaround (Not a fix):

This feature can be disabled by setting checkLoginIframe: false in the options passed to the init method.

e.g.

keycloak.init({ onLoad: 'login-required', checkLoginIframe: false })

Nagendra Darla answered Sep 27 '22 22:09
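The following is an added example, not code from the question, the answer or the Keycloak project. It models the Chrome cookie rules that both the question (cookies without a SameSite attribute are no longer sent) and the answer (the adapter's hidden iframe relies on a cookie) depend on: a cookie with no SameSite attribute is treated as SameSite=Lax and is withheld from cross-site subrequests such as an iframe loaded from another origin, and SameSite=None is only honoured together with Secure. The Set-Cookie headers below use the real Keycloak cookie names from the question, but their values, paths and attributes are constructed for illustration and are not what any particular Keycloak version emits.

```javascript
// Added example: a small model of Chrome's SameSite cookie handling, applied to
// constructed Set-Cookie headers that mimic the cookies named in the question.

// Parse the part of a Set-Cookie header that matters for the SameSite decision.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split('=');
  const cookie = { name: name.trim(), value: valueParts.join('='), secure: false, sameSite: null };
  for (const attr of parts.slice(1)) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = v.trim().toLowerCase();
  }
  return cookie;
}

// Decide whether Chrome (80+) keeps the cookie and whether it attaches it to a
// request made in the given context:
//   'same-site'                 request to the site that set the cookie
//   'cross-site-top-level-get'  user navigates to the site from elsewhere
//   'cross-site-subrequest'     iframe, fetch/XHR or image embedded in another site
function chromeCookieDecision(cookie, context) {
  const sameSite = cookie.sameSite || 'lax'; // missing attribute is treated as Lax
  if (sameSite === 'none' && !cookie.secure) {
    return { accepted: false, sent: false, reason: 'SameSite=None without Secure is rejected' };
  }
  if (context === 'same-site') {
    return { accepted: true, sent: true, reason: 'same-site request' };
  }
  if (sameSite === 'none') {
    return { accepted: true, sent: true, reason: 'SameSite=None; Secure is sent cross-site' };
  }
  if (sameSite === 'lax' && context === 'cross-site-top-level-get') {
    return { accepted: true, sent: true, reason: 'Lax cookies ride on top-level navigations' };
  }
  return { accepted: true, sent: false, reason: `SameSite=${sameSite} cookie withheld from ${context}` };
}

// Constructed headers: the pre-enforcement situation from the question (no SameSite attribute)
// and the shape the server must emit for a cross-site iframe to receive them.
const BEFORE = [
  'AUTH_SESSION_ID=abc123.node1; Path=/auth/realms/demo/; HttpOnly; Secure',
  'KEYCLOAK_IDENTITY=eyJhbGciOi.example.sig; Path=/auth/realms/demo/; HttpOnly; Secure',
  'KEYCLOAK_SESSION=demo/0f2c1b7e/aa11; Path=/auth/realms/demo/; Secure',
];
const AFTER = BEFORE.map((h) => h + '; SameSite=None');

// Names of the cookies Chrome would attach to a request in the given context.
function cookiesSent(headers, context) {
  return headers
    .map(parseSetCookie)
    .filter((c) => chromeCookieDecision(c, context).sent)
    .map((c) => c.name);
}

// The adapter's hidden login-status iframe is loaded from the Keycloak origin inside
// the application's page, i.e. a cross-site subrequest from the application's point of view.
console.log(cookiesSent(BEFORE, 'cross-site-subrequest')); // [] -> the iframe sees no session
console.log(cookiesSent(AFTER, 'cross-site-subrequest'));  // all three cookies
console.log(cookiesSent(BEFORE, 'same-site'));             // all three: same-site is unaffected
```

The answer's `checkLoginIframe: false` workaround stops the adapter from issuing the cross-site subrequest in the first place, which is why it sidesteps the problem without changing the cookies; the durable fix is on the server side, emitting `SameSite=None; Secure` on cookies that must be readable from a cross-site iframe, and that in turn requires the Keycloak server to be served over HTTPS.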