[keycloak-user] set session cookie domain?

Bill Burke bburke at redhat.com
Mon Oct 26 10:57:18 EDT 2015

These are browser based apps?  If so, Keycloak *ALREADY* does this. 
Obtaining claims is not done by cookies, but rather the SSO protocol 
(OpenID Connect or SAML).

On 10/26/2015 10:21 AM, keycloak-user.myq at xoxy.net wrote:
> My goal is to have several web services (which reside at sub1.domain.com
> <http://sub1.domain.com>, sub2.domain.com <http://sub2.domain.com>,
> etc.) all redirect users to auth.domain.com <http://auth.domain.com> for
> login. When a user is logged in and visits one of the web services, the
> web service should be able to get the user's identity from a claim
> signed by the authentication service (keycloak). The only way I know of
> to do this is to pass a claim in a cookie.
> Ideally, the web service should be able to verify the identity claim
> without needing to emit an HTTP request to the auth service (by
> verifying the signature against the realm's public key).
> Is keycloak the right choice for this? and if not, do you have any
> recommendations?
> On Mon, Oct 26, 2015 at 9:49 AM, Marek Posolda - mposolda at redhat.com
> <mailto:mposolda at redhat.com>
> <keycloak-user.myq.aa3199607d.mposolda#redhat.com at ob.0sg.net
> <mailto:keycloak-user.myq.aa3199607d.mposolda#redhat.com at ob.0sg.net>> wrote:
>     This doesn't seem to be supported. Question is why you need it? All
>     the cookies like KEYCLOAK_IDENTITY are set by keycloak server and
>     it's just the keycloak server, which is supposed to read them.
>     Marek
>     On 26/10/15 14:26, keycloak-user.myq at xoxy.net
>     <mailto:keycloak-user.myq at xoxy.net> wrote:
>>     Hello. How can I set the domain of session cookies?
>>     I want to run keycloak at auth.mydomain.com
>>     <http://auth.mydomain.com> and get the session cookies (for SSO)
>>     at other subdomains of mydomain.com <http://mydomain.com>.
>>     Browsers will allow sub.domain.com <http://sub.domain.com> to set
>>     cookies for domain.com <http://domain.com>, but I can't figure out
>>     how to get Keycloak to do this.
>>     Thanks in advance!
>>     _______________________________________________
>>     keycloak-user mailing list
>>     keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>>     https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

Bill Burke
JBoss, a division of Red Hat

More information about the keycloak-user mailing list