I believe there is a bug in the keycloak-gatekeeper in that when it sets cookies they
apply to the subdomains of the host. This causes any other services on those subdomains
that are running keycloak-gatekeeper to fail when the cookie is present.
For example, let's say we are running keycloak-gatekeeper on the following URLs:
If a user logs in to mydomain.com
and then tries to visit sub.mydomain.com,
it will fail (infinite redirect loop), as the cookie from the first service will be applied to
the second service.
In terms of the cookie, the problem is caused by this piece of code:
If you read section 4.1.2.3 of https://tools.ietf.org/html/rfc6265#section-4.1.2,
it implies that if you set the 'Domain' attribute in that fashion it will propagate
down to subdomains.
It seems that to prevent this the 'Domain' attribute should simply be omitted.
I've created a PR for this here:
Do you agree? If so, can we get this fix merged?
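As an added illustration (not the reporter's PR and not gatekeeper's own code), the following Go program uses the standard library's RFC 6265 cookie jar to show the difference the report describes: a cookie set with `Domain=mydomain.com` is forwarded to `sub.mydomain.com`, while the same cookie with the Domain attribute omitted (a host-only cookie) is not. The host names and the cookie name are made up for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
)

// cookieSentTo stores cookie c as if it came in a response from setURL, then
// reports whether the jar would forward it on a request to reqURL. The jar
// applies the RFC 6265 domain-matching rules (section 5.1.3), so this is the
// same decision a browser makes before attaching the cookie.
func cookieSentTo(setURL, reqURL string, c *http.Cookie) bool {
	jar, _ := cookiejar.New(nil)
	origin, _ := url.Parse(setURL)
	jar.SetCookies(origin, []*http.Cookie{c})

	target, _ := url.Parse(reqURL)
	for _, got := range jar.Cookies(target) {
		if got.Name == c.Name {
			return true
		}
	}
	return false
}

const (
	loginHost = "https://mydomain.com/"     // constructed: first gatekeeper instance
	otherHost = "https://sub.mydomain.com/" // constructed: second gatekeeper instance
)

// DomainCookieReachesSubdomain mirrors the reported behaviour: setting
// Domain=mydomain.com makes the cookie apply to every subdomain.
func DomainCookieReachesSubdomain() bool {
	c := &http.Cookie{Name: "example-access", Value: "token", Domain: "mydomain.com", Path: "/", Secure: true}
	return cookieSentTo(loginHost, otherHost, c)
}

// HostOnlyCookieReachesSubdomain mirrors the proposed fix: with no Domain
// attribute the cookie is host-only and stays on mydomain.com.
func HostOnlyCookieReachesSubdomain() bool {
	c := &http.Cookie{Name: "example-access", Value: "token", Path: "/", Secure: true}
	return cookieSentTo(loginHost, otherHost, c)
}

func main() {
	fmt.Println("Domain=mydomain.com sent to sub.mydomain.com:", DomainCookieReachesSubdomain())
	fmt.Println("host-only cookie sent to sub.mydomain.com:   ", HostOnlyCookieReachesSubdomain())
}
```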