[keycloak-user] SameSite and Secure

Matthew Broadhead matthew.broadhead at nbmlaw.co.uk
Tue Oct 8 03:40:22 EDT 2019


the server is using httpd (apache) httpd-2.4.6-90.el7.centos.x86_64

here is a screenshot of my cookies in chrome developer tools
https://imgur.com/nkxHgWu

keycloak and the websites are hosted on different domains but on the 
same box

You might be onto something with the ssl settings.  I remember with 
4.5.0 I had to disable ssl behind the proxy but cannot remember how or 
why.  Now I have upgraded to 7.0.0 I am getting this message so maybe I 
need to change the settings...

On 07/10/2019 18:55, Max Allan wrote:
> Hi Matthew,
>
> I note that it is only cookies without "samesite" that are not 
> "secure" that will be affected.
> I expect that you are running keycloak over http to a proxy and the 
> proxy is not securing your cookies.
> You don't mention which proxy you are using. There is a module for 
> nginx : nginx_cookie_flag
> However, I consider that to be mostly a bodge for masking other 
> issues. Use it as last resort.
>
> You may need to ensure your proxy passes the correct headers for 
> access to be detected as "SSL". I think if you fail to add 
> "X-Forwarded-Proto" (and possibly Port) then keycloak sort of assumes 
> your connection is over HTTP and does not secure cookies.
> You can maybe check by inspecting some of the redirects and if they 
> include http URLs rather than https. Your proxy probably then 
> redirects everyone to https anyway, but fixing it at source is better. 
> This sort of thing often causes CORS errors as well because requests 
> are going from one url (http....) to a different one (https....)
>
> And/Or, you can configure Keycloak's SSL policy:
> https://lists.jboss.org/pipermail/keycloak-user/2017-September/011888.html
> I think that is a case of setting "require SSL" for all/external in 
> the Realm Settings. BUT IIRC that assumes you've got the header coming 
> through correctly or it will reject ALL attempts to login. (Which is 
> embarrassing because you cannot login to change the setting back! 
> Always make sure you have a backup and know how to restore it before 
> changing any settings!!)
> Also, if the proxy is on the same box, the connection appears to be 
> local, so the "external" setting doesn't help!
>
> Max
>
>     ---------- Forwarded message ----------
>     From: Matthew Broadhead <matthew.broadhead at nbmlaw.co.uk
>     <mailto:matthew.broadhead at nbmlaw.co.uk>>
>     To: Bruno Oliveira <bruno at abstractj.org <mailto:bruno at abstractj.org>>
>     Cc: keycloak-user <keycloak-user at lists.jboss.org
>     <mailto:keycloak-user at lists.jboss.org>>
>     Bcc:
>     Date: Mon, 7 Oct 2019 16:41:44 +0200
>     Subject: Re: [keycloak-user] SameSite and Secure
>     Hi Bruno,
>
>     i see the warnings in exactly the same version of chrome as you
>     Version
>     77.0.3865.90 (Official Build) (64-bit) in fedora
>
>     the same warning is showing in the console for a JSF application and
>     vue.js application and says the cookie originates from the domain
>     where
>     my keycloak installation is located.
>
>     i will continue to check if it is a problem with my httpd proxy i
>     just
>     thought you should know about this message
>
>     On 07/10/2019 11:31, Bruno Oliveira wrote:
>     > Hi Matthew, even though I agree that this is something we should
>     > consider to Keycloak, I don't see the warnings you mentioned in the
>     > latest release using Chrome 77.0.3865.90 (Official Build) (64-bit).
>     >
>     > Could you please provide the steps to reproduce the issue?
>     >
>
>
>
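An added checker for the inspection Max suggests above (it is not code from this thread or from the Keycloak project): it parses a captured HTTP response header block and reports cookies that lack Secure or SameSite, and redirects whose Location points at an http:// URL, which is the symptom of Keycloak not seeing the request as SSL because the proxy did not forward X-Forwarded-Proto. The two sample responses are constructed; the host sso.example.test, the realm name "demo" and the cookie values are placeholders, while the cookie names are the ones Keycloak itself sets.

```python
"""Audit a captured HTTP response for the two symptoms discussed in the
thread: Set-Cookie headers without Secure/SameSite, and redirects to
http:// URLs issued by Keycloak because the proxy did not forward the
original scheme (X-Forwarded-Proto). Works offline: it only parses text."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CookieFlags:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]

    def problems(self) -> List[str]:
        """Return human-readable issues with this cookie's attributes."""
        out = []
        if not self.secure:
            out.append("missing Secure")
        if self.samesite is None:
            out.append("missing SameSite (Chrome will treat it as Lax)")
        elif self.samesite.lower() == "none" and not self.secure:
            out.append("SameSite=None without Secure is rejected by Chrome")
        return out


def parse_set_cookie(value: str) -> CookieFlags:
    """Parse one Set-Cookie header value into its security-relevant flags."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    secure = httponly = False
    samesite = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
        elif key == "samesite":
            samesite = val.strip()
    return CookieFlags(name, secure, httponly, samesite)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw header block (status line first) into (name, value) pairs."""
    headers = []
    for line in raw.strip().splitlines()[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def audit_response(raw: str, expected_scheme: str = "https") -> List[str]:
    """Return one finding per insecure cookie attribute or wrong-scheme redirect."""
    findings = []
    for name, value in parse_headers(raw):
        if name == "set-cookie":
            cookie = parse_set_cookie(value)
            findings += [f"cookie {cookie.name}: {p}" for p in cookie.problems()]
        elif name == "location" and "://" in value:
            scheme = value.split("://", 1)[0].lower()
            if scheme != expected_scheme:
                findings.append(
                    f"redirect to {scheme}:// URL ({value}); Keycloak did not "
                    f"see the request as {expected_scheme}")
    return findings


# Constructed sample: what a proxy that drops X-Forwarded-Proto tends to produce.
BAD_RESPONSE = """\
HTTP/1.1 302 Found
Location: http://sso.example.test/auth/realms/demo/protocol/openid-connect/auth?client_id=app
Set-Cookie: AUTH_SESSION_ID=placeholder; Path=/auth/realms/demo/; HttpOnly
Set-Cookie: KEYCLOAK_SESSION=demo/placeholder; Path=/auth/realms/demo/; Max-Age=36000
"""

# Constructed sample: the same exchange once the scheme is forwarded correctly.
GOOD_RESPONSE = """\
HTTP/1.1 302 Found
Location: https://sso.example.test/auth/realms/demo/protocol/openid-connect/auth?client_id=app
Set-Cookie: AUTH_SESSION_ID=placeholder; Path=/auth/realms/demo/; Secure; HttpOnly; SameSite=None
Set-Cookie: KEYCLOAK_SESSION=demo/placeholder; Path=/auth/realms/demo/; Max-Age=36000; Secure; SameSite=None
"""

if __name__ == "__main__":
    for label, raw in (("bad", BAD_RESPONSE), ("good", GOOD_RESPONSE)):
        print(label, audit_response(raw) or ["no findings"])
```

To run it against a real deployment, capture the headers of a redirecting Keycloak endpoint through the proxy (for example `curl -sD - -o /dev/null https://<keycloak-host>/auth/realms/<realm>/account`) and pass that text to `audit_response()`. If it reports http:// redirects or cookies without Secure, the fix belongs at the proxy rather than in a cookie-rewriting module: set `RequestHeader set X-Forwarded-Proto "https"` in the httpd TLS virtual host that proxies to Keycloak, and enable `proxy-address-forwarding="true"` on Keycloak's HTTP listener so it honours the forwarded scheme and client address (that latter setting is also what makes the "external" SSL policy see the real client IP rather than the local proxy).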