Hi Bruno,
I've created a JIRA at
https://issues.jboss.org/browse/KEYCLOAK-10668 and updated the
PR to reference it.
Best regards,
Daniel.
________________________________
From: Bruno Oliveira <bruno(a)abstractj.org>
Sent: 14 June 2019 19:45
To: Daniel Martin
Cc: keycloak-dev(a)lists.jboss.org
Subject: Re: [keycloak-dev] keycloak-gatekeeper - Cookies being applied to subdomains
Hi Daniel, thanks for reporting this. As we discussed on that PR, please
file a Jira adding the steps to reproduce, affected version and
everything that's recommended in the contribution guidelines, so we can
start to look at the issue.
At first glance, it looks like a bug.
On 2019-06-14, Daniel Martin wrote:
Hi,
I believe there is a bug in the keycloak-gatekeeper in that when it sets cookies they
apply to the subdomains of the host. This causes any other services on those subdomains
that are running keycloak-gatekeeper to fail when the cookie is present.
For example, let's say we are running keycloak-gatekeeper on the following URLs:
1. mydomain.com
2. sub.mydomain.com
If a user logs in to mydomain.com and then tries to visit sub.mydomain.com the service
will fail (infinite redirect loop) as the cookie from the first service will be applied to
the second service.
In terms of the cookie, the problem is caused by this piece of code:
https://github.com/keycloak/keycloak-gatekeeper/blob/master/cookies.go#L3...
If you read section 4.1.2.3 of
https://tools.ietf.org/html/rfc6265#section-4.1.2 it
implies that if you set the 'Domain' attribute in that fashion it will propagate
down to subdomains.
It seems that to prevent this the 'Domain' attribute should simply be omitted.
I've created a PR for this here:
https://github.com/keycloak/keycloak-gatekeeper/pull/480
Do you agree? If so, can we get this fix merged?
Best regards,
Daniel Martin.
Please ensure that any communication with the Home Office is via an official account
ending with digital.homeoffice.gov.uk or homeoffice.gsi.gov.uk. This email and any files
transmitted with it are private and intended solely for the use of the individual or
entity to whom they are addressed. If you have received this email in error please return
it to the address it came from telling them it is not for you and then delete it from your
system. Communications via the digital.homeoffice.gov.uk domain may be automatically
logged, monitored and/or recorded for legal purposes. This email message has been swept
for computer viruses.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
abstractj
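As an added illustration of the cookie scoping discussed in the thread (this is not code from keycloak-gatekeeper, the PR, or either participant): Go's net/http/cookiejar applies the RFC 6265 domain-matching rules, so it reproduces the reported behaviour without a browser. A cookie set by mydomain.com with Domain=mydomain.com is attached to requests for sub.mydomain.com, while the same cookie with the Domain attribute omitted (a host-only cookie, as the proposed fix does) is not. The cookie name "session" and its value are placeholders, not gatekeeper's real cookie name.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
)

// issuingHost is the host the first gatekeeper instance is served from.
const issuingHost = "mydomain.com"

// newSessionCookie builds a session cookie as described in the thread.
// withDomain=true sets Domain to the host (the reported behaviour);
// withDomain=false omits the attribute, which makes the cookie host-only.
// "session" is a placeholder name, not the real gatekeeper cookie name.
func newSessionCookie(value string, withDomain bool) *http.Cookie {
	c := &http.Cookie{Name: "session", Value: value, Path: "/", HttpOnly: true, Secure: true}
	if withDomain {
		c.Domain = issuingHost
	}
	return c
}

// cookieNamesSentTo stores c as if https://issuingHost had set it, then
// returns the names of the cookies a browser-like jar would attach to a
// request for https://reqHost. The jar implements RFC 6265 section 5.1.3
// domain matching and the host-only rule of section 5.3.
func cookieNamesSentTo(c *http.Cookie, reqHost string) ([]string, error) {
	jar, err := cookiejar.New(nil)
	if err != nil {
		return nil, err
	}
	setURL := &url.URL{Scheme: "https", Host: issuingHost, Path: "/"}
	jar.SetCookies(setURL, []*http.Cookie{c})
	reqURL := &url.URL{Scheme: "https", Host: reqHost, Path: "/"}
	var names []string
	for _, got := range jar.Cookies(reqURL) {
		names = append(names, got.Name)
	}
	return names, nil
}

func main() {
	for _, withDomain := range []bool{true, false} {
		c := newSessionCookie("opaque-token", withDomain)
		names, _ := cookieNamesSentTo(c, "sub.mydomain.com")
		fmt.Printf("Domain=%q -> cookies sent to sub.mydomain.com: %v\n", c.Domain, names)
	}
}
```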