Menu
Recently my application using Keycloak stopped working with a 400 token request after authenticating.
What I found so far is that within the token request, the Keycloak cookies (AUTH_SESSION_ID, KEYCLOAK_IDENTITY, KEYCLOAK_SESSION) are not sent within the request headers causing the request for a token to fail and the application gets a session error.
By digging more, I found that Chrome blocks now cookies without SameSite attribute set, which is the case for the keycloak cookies and that's why they are never parsed within the token acquisition request after authenticating.
The error I get:-
https://blog.chromium.org/2019/10/developers-get-ready-for-new.html
https://adzerk.com/blog/chrome-samesite/
This is very serious as it blocks applications secured by Keycloak library to be able to communicate with the keycloak server.
Update: With the new google chrome cookie SameSite attribute, any third party library using cookies without SameSite attribute properly set, the cookie will be ignored. https://blog.chromium.org/2019/10/developers-get-ready-for-new.html
https://www.chromium.org/updates/same-site
381
If you are facing this issue while using keycloak-js adapter.
Then the reason for this issue:
By default, the JavaScript adapter creates a hidden iframe that is used to detect if a Single-Sign Out has occurred. This does not require any network traffic, instead the status is retrieved by looking at a special status cookie.
Workaround (Not a fix):
This feature can be disabled by setting checkLoginIframe: false in the options passed to the init method.
eg.,
keycloak.init({ onLoad: 'login-required', checkLoginIframe: false })
71
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
