The server is using httpd (Apache) httpd-2.4.6-90.el7.centos.x86_64.
Here is a screenshot of my cookies in Chrome developer tools.
Keycloak and the websites are hosted on different domains but on the
same box.
You might be onto something with the SSL settings. I remember with
4.5.0 I had to disable SSL behind the proxy but cannot remember how or
why. Now I have upgraded to 7.0.0 I am getting this message, so maybe I
need to change the settings...
On 07/10/2019 18:55, Max Allan wrote:
Hi Matthew,
I note that it is only cookies without "SameSite" that are not
"Secure" that will be affected.
I expect that you are running keycloak over http to a proxy and the
proxy is not securing your cookies.
You don't mention which proxy you are using. There is a module for
nginx : nginx_cookie_flag
However, I consider that to be mostly a bodge for masking other
issues. Use it as last resort.
You may need to ensure your proxy passes the correct headers for
access to be detected as "SSL". I think if you fail to add
"X-Forwarded-Proto" (and possibly Port) then keycloak sort of assumes
your connection is over HTTP and does not secure cookies.
You can maybe check by inspecting some of the redirects and if they
include http URLs rather than https. Your proxy probably then
redirects everyone to https anyway, but fixing it at source is better.
This sort of thing often causes CORS errors as well because requests
are going from one url (http....) to a different one (https....)
And/or, you can configure Keycloak's SSL policy:
https://lists.jboss.org/pipermail/keycloak-user/2017-September/011888.html
I think that is a case of setting "require SSL" for all/external in
the Realm Settings. BUT IIRC that assumes you've got the header coming
through correctly or it will reject ALL attempts to login. (Which is
embarrassing because you cannot login to change the setting back!
Always make sure you have a backup and know how to restore it before
changing any settings!!)
Also, if the proxy is on the same box, the connection appears to be
local, so the "external" setting doesn't help!
Max
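An added example (not from Max's message and not the Keycloak project's own configuration) of the httpd reverse-proxy setup his message describes: the weak form that leaves Keycloak thinking it is on plain HTTP, beside the corrected vhost that passes X-Forwarded-Proto and X-Forwarded-Port, plus the matching Keycloak listener setting. The hostname sso.example.com, the 127.0.0.1:8080 backend, the certificate paths and the /auth context path are assumptions for illustration.

```apache
# Added example, not from the original thread or the Keycloak project.
# Hostname, backend address, certificate paths and context path are
# assumptions; adjust to your deployment.

# --- Weak: TLS terminates in httpd, but nothing tells Keycloak so. ---
# Keycloak sees a plain-HTTP request from 127.0.0.1, builds http://
# redirect URLs and does not mark its cookies as Secure.
#
#   ProxyPass        /auth http://127.0.0.1:8080/auth
#   ProxyPassReverse /auth http://127.0.0.1:8080/auth

# --- Corrected vhost ---
<VirtualHost *:443>
    ServerName sso.example.com

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/sso.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/sso.example.com.key

    # Keep the public Host header so Keycloak generates URLs for
    # sso.example.com rather than for 127.0.0.1:8080.
    ProxyPreserveHost On

    # Tell Keycloak the client-facing scheme and port. Use "set", not
    # "append", so a client cannot smuggle its own value through.
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port  "443"

    # mod_proxy_http adds X-Forwarded-For / X-Forwarded-Host itself;
    # it does NOT add X-Forwarded-Proto, hence the lines above.
    ProxyPass        /auth http://127.0.0.1:8080/auth
    ProxyPassReverse /auth http://127.0.0.1:8080/auth
</VirtualHost>

# Keycloak side (WildFly/Undertow): the forwarded headers are ignored
# unless proxy-address-forwarding is enabled on the HTTP listener, e.g.
# with jboss-cli:
#   /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)
# or in standalone.xml:
#   <http-listener name="default" socket-binding="http" proxy-address-forwarding="true" .../>
```

With proxy-address-forwarding on, Undertow also takes the client address from X-Forwarded-For, so a proxy on the same box no longer makes every login look local and the realm's "external requests" SSL setting applies as intended. To check, fetch a redirecting Keycloak URL through the proxy, e.g. `curl -skD - https://sso.example.com/auth/admin/ -o /dev/null`: the Location header should begin with https://, and once you load a login page its Set-Cookie headers should carry the Secure flag.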
---------- Forwarded message ----------
From: Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk>
To: Bruno Oliveira <bruno@abstractj.org>
Cc: keycloak-user <keycloak-user@lists.jboss.org>
Bcc:
Date: Mon, 7 Oct 2019 16:41:44 +0200
Subject: Re: [keycloak-user] SameSite and Secure
Hi Bruno,
I see the warnings in exactly the same version of Chrome as you,
Version 77.0.3865.90 (Official Build) (64-bit) in Fedora.
The same warning is showing in the console for a JSF application and
a Vue.js application and says the cookie originates from the domain
where my Keycloak installation is located.
I will continue to check if it is a problem with my httpd proxy; I
just thought you should know about this message.
On 07/10/2019 11:31, Bruno Oliveira wrote:
> Hi Matthew, even though I agree that this is something we should
> consider to Keycloak, I don't see the warnings you mentioned in the
> latest release using Chrome 77.0.3865.90 (Official Build) (64-bit).
>
> Could you please provide the steps to reproduce the issue?
>