[keycloak-user] SameSite and Secure
Max Allan
max.allan+keycloak at surevine.com
Mon Oct 7 12:55:37 EDT 2019
Hi Matthew,
I note that it is only cookies without "samesite" that are not "secure"
that will be affected.
I expect that you are running keycloak over http to a proxy and the proxy
is not securing your cookies.
You don't mention which proxy you are using. There is a module for nginx:
nginx_cookie_flag
However, I consider that to be mostly a bodge for masking other issues. Use
it as last resort.
You may need to ensure your proxy passes the correct headers for access to
be detected as "SSL". I think if you fail to add "X-Forwarded-Proto" (and
possibly Port) then keycloak sort of assumes your connection is over HTTP
and does not secure cookies.
You can maybe check by inspecting some of the redirects and if they
include http URLs rather than https. Your proxy probably then redirects
everyone to https anyway, but fixing it at source is better. This sort of
thing often causes CORS errors as well because requests are going from one
URL (http....) to a different one (https....).
And/or, you can configure Keycloak's SSL policy:
https://lists.jboss.org/pipermail/keycloak-user/2017-September/011888.html
I think that is a case of setting "require SSL" for all/external in the
Realm Settings. BUT IIRC that assumes you've got the header coming through
correctly or it will reject ALL attempts to login. (Which is embarrassing
because you cannot login to change the setting back! Always make sure you
have a backup and know how to restore it before changing any settings!!)
Also, if the proxy is on the same box, the connection appears to be local,
so the "external" setting doesn't help!
Max
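A defender-side way to do the check Max suggests (look at the redirects and at the cookie flags the server actually sends) is to fetch a Keycloak URL without following redirects and audit the raw headers. This is an added example, not code from the post or from Keycloak; the host name, cookie names and header values in the samples are constructed, and the rule applied is the one stated above: a cookie with no Secure flag coming from a TLS-terminated deployment is a symptom that the proxy is not passing X-Forwarded-Proto.

```python
"""Audit HTTP response headers for two symptoms of a proxy that does not
forward the scheme to Keycloak: cookies set without Secure (reported with
their SameSite value) and redirects to http:// instead of https://.

Added example; the sample headers below are constructed, not captured.
"""

import urllib.request
from urllib.error import HTTPError


def parse_set_cookie(header_value):
    """Split one Set-Cookie header into (cookie name, {attr: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # flag attributes such as Secure / HttpOnly have no value
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), attrs


def audit_cookie(header_value):
    """Return findings for one Set-Cookie header (empty list if fine)."""
    name, attrs = parse_set_cookie(header_value)
    if "secure" in attrs:
        return []
    samesite = attrs.get("samesite")
    label = samesite if isinstance(samesite, str) else "absent"
    return [f"cookie {name!r}: Secure flag missing (SameSite={label})"]


def audit_location(header_value):
    """Flag a redirect that sends the browser back over plain http."""
    if header_value.lower().startswith("http://"):
        return [f"redirect to plain http URL: {header_value}"]
    return []


def audit_headers(headers):
    """headers: iterable of (name, value) pairs; returns all findings."""
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            findings.extend(audit_cookie(value))
        elif lname == "location":
            findings.extend(audit_location(value))
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx, so the Location and Set-Cookie headers stay visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_audit(url):
    """Fetch url once (no redirect following) and audit its headers."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(url)
    except HTTPError as err:  # an unfollowed 3xx surfaces as HTTPError
        resp = err
    return audit_headers(resp.headers.items())


# Constructed sample: what a deployment looks like when Keycloak believes
# the client arrived over http (proxy dropped X-Forwarded-Proto).
SAMPLE_BAD = [
    ("Location", "http://sso.example.test/auth/realms/demo/account/"),
    ("Set-Cookie", "SESSION=abc123; Path=/auth/realms/demo/; HttpOnly"),
    ("Set-Cookie", "TOKEN=xyz789; Path=/auth/; Secure; HttpOnly"),
]

# Constructed sample: the same response once the scheme is forwarded correctly.
SAMPLE_GOOD = [
    ("Location", "https://sso.example.test/auth/realms/demo/account/"),
    ("Set-Cookie", "SESSION=abc123; Path=/auth/realms/demo/; Secure; HttpOnly; SameSite=Lax"),
]


if __name__ == "__main__":
    for label, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, audit_headers(sample) or "no findings")
    # For a real check run: live_audit("https://<your-keycloak-host>/auth/")
```

Run `live_audit` against the public https URL of the realm login page; a finding of the "redirect to plain http URL" kind, or a session cookie reported without Secure, points at the proxy headers rather than at the browser.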
> ---------- Forwarded message ----------
> From: Matthew Broadhead <matthew.broadhead at nbmlaw.co.uk>
> To: Bruno Oliveira <bruno at abstractj.org>
> Cc: keycloak-user <keycloak-user at lists.jboss.org>
> Bcc:
> Date: Mon, 7 Oct 2019 16:41:44 +0200
> Subject: Re: [keycloak-user] SameSite and Secure
> Hi Bruno,
>
> I see the warnings in exactly the same version of Chrome as you, Version
> 77.0.3865.90 (Official Build) (64-bit), in Fedora.
>
> The same warning is showing in the console for a JSF application and a
> vue.js application and says the cookie originates from the domain where
> my keycloak installation is located.
>
> I will continue to check if it is a problem with my httpd proxy. I just
> thought you should know about this message.
>
> On 07/10/2019 11:31, Bruno Oliveira wrote:
> > Hi Matthew, even though I agree that this is something we should
> > consider for Keycloak, I don't see the warnings you mentioned in the
> > latest release using Chrome 77.0.3865.90 (Official Build) (64-bit).
> >
> > Could you please provide the steps to reproduce the issue?
> >