as Max mentioned.
Another alternative is to add this to our adapters, but that would be
a feature request and also there's no guarantee if you have a proxy in
between.
If you would like to try, SameSite was introduced on Gatekeeper last
week[1] and should be available on the next release.
[1] -
On Tue, Oct 8, 2019 at 4:41 AM Matthew Broadhead
<matthew.broadhead(a)nbmlaw.co.uk> wrote:
The server is using httpd (Apache) httpd-2.4.6-90.el7.centos.x86_64.
Here is a screenshot of my cookies in Chrome developer tools:
https://imgur.com/nkxHgWu
Keycloak and the websites are hosted on different domains but on the
same box.
You might be onto something with the SSL settings. I remember with
4.5.0 I had to disable SSL behind the proxy but cannot remember how or
why. Now I have upgraded to 7.0.0 I am getting this message, so maybe I
need to change the settings...
On 07/10/2019 18:55, Max Allan wrote:
> Hi Matthew,
>
> I note that it is only cookies without "samesite" that are not
> "secure" that will be affected.
> I expect that you are running keycloak over http to a proxy and the
> proxy is not securing your cookies.
> You don't mention which proxy you are using. There is a module for
> nginx : nginx_cookie_flag
> However, I consider that to be mostly a bodge for masking other
> issues. Use it as last resort.
>
> You may need to ensure your proxy passes the correct headers for
> access to be detected as "SSL". I think if you fail to add
> "X-Forwarded-Proto" (and possibly Port) then keycloak sort of assumes
> your connection is over HTTP and does not secure cookies.
> You can maybe check by inspecting some of the redirects and if they
> include http URLs rather than https. Your proxy probably then
> redirects everyone to https anyway, but fixing it at source is better.
> This sort of thing often causes CORS errors as well, because requests
> are going from one URL (http....) to a different one (https....).
>
> And/Or, you can configure Keycloak's SSL policy:
>
> https://lists.jboss.org/pipermail/keycloak-user/2017-September/011888.html
> I think that is a case of setting "require SSL" for all/external in
> the Realm Settings. BUT IIRC that assumes you've got the header coming
> through correctly or it will reject ALL attempts to login. (Which is
> embarrassing because you cannot login to change the setting back!
> Always make sure you have a backup and know how to restore it before
> changing any settings!!)
> Also, if the proxy is on the same box, the connection appears to be
> local, so the "external" setting doesn't help!
>
> Max
>
> ---------- Forwarded message ----------
> From: Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk>
> To: Bruno Oliveira <bruno@abstractj.org>
> Cc: keycloak-user <keycloak-user@lists.jboss.org>
> Bcc:
> Date: Mon, 7 Oct 2019 16:41:44 +0200
> Subject: Re: [keycloak-user] SameSite and Secure
> Hi Bruno,
>
> I see the warnings in exactly the same version of Chrome as you,
> Version 77.0.3865.90 (Official Build) (64-bit), in Fedora.
>
> The same warning is showing in the console for a JSF application and
> a Vue.js application, and says the cookie originates from the domain
> where my Keycloak installation is located.
>
> I will continue to check if it is a problem with my httpd proxy. I
> just thought you should know about this message.
>
> On 07/10/2019 11:31, Bruno Oliveira wrote:
> > Hi Matthew, even though I agree that this is something we should
> > consider for Keycloak, I don't see the warnings you mentioned in the
> > latest release using Chrome 77.0.3865.90 (Official Build) (64-bit).
> >
> > Could you please provide the steps to reproduce the issue?
> >
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
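As an added example (not code from the thread, nor from the Keycloak project), this is the httpd 2.4 reverse-proxy configuration that implements Max's advice above for Matthew's setup: forward the client-facing scheme and port so Keycloak 7 marks its cookies Secure and emits https:// redirects, with the "set the flag in the proxy" workaround shown only as a commented-out last resort. The hostname sso.example.com, the 127.0.0.1:8080 backend, the certificate paths and the realm name used in the check are assumptions; replace them with your own values.

```apache
# Added example, not from the mailing-list thread or the Keycloak project.
# Assumed: Keycloak 7 listening on http://127.0.0.1:8080 on the same box,
# public hostname sso.example.com, certificate paths as shown.
<VirtualHost *:443>
    ServerName sso.example.com

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/sso.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/sso.example.com.key

    # Keep the client-facing Host header so Keycloak builds URLs for
    # sso.example.com instead of 127.0.0.1:8080.
    ProxyPreserveHost On

    # The fix at source: tell Keycloak the original hop was TLS on 443.
    # mod_proxy adds X-Forwarded-For by itself. Keycloak/Undertow only
    # honours these headers once proxy-address-forwarding is enabled on
    # its http-listener (see the jboss-cli line below); with it enabled,
    # the realm "require SSL = external" check also sees the real client
    # address rather than the proxy's loopback address.
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port  "443"

    ProxyPass        /auth http://127.0.0.1:8080/auth
    ProxyPassReverse /auth http://127.0.0.1:8080/auth

    # Last resort only, the httpd equivalent of nginx_cookie_flag: rewrite
    # upstream Set-Cookie headers to add the flag. This masks the real
    # problem (Keycloak still believes it is serving plain HTTP and will
    # keep generating http:// redirects), so leave it commented out unless
    # the forwarded headers cannot be made to work.
    # Header always edit Set-Cookie ^(.*)$ "$1; Secure"
</VirtualHost>

# Keycloak side (assumed default WildFly listener names), applied with
# jboss-cli against the running server, or as
# proxy-address-forwarding="true" on the http-listener in standalone.xml:
#   /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)
#
# Check from outside the box, as Max suggests: the Location header must be
# https:// and every Set-Cookie line must now carry "Secure".
#   curl -skI 'https://sso.example.com/auth/realms/master/account/' | grep -iE '^(set-cookie|location):'
```

Apply the jboss-cli change and restart Keycloak before flipping the realm's "require SSL" setting; as Max notes, doing it the other way round locks you out of the admin console until you restore a backup.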