[keycloak-user] SameSite and Secure
Bruno Oliveira
bruno at abstractj.org
Tue Oct 8 13:11:49 EDT 2019
I believe nginx can be configured to set SameSite
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_path
as Max mentioned.
Another alternative is to add this to our adapters, but that would be
a feature request and also there's no guarantee if you have a proxy in
between.
If you would like to try, SameSite was introduced on Gatekeeper last
week[1] and should be available on the next release.
[1] - https://github.com/keycloak/keycloak-gatekeeper
On Tue, Oct 8, 2019 at 4:41 AM Matthew Broadhead
<matthew.broadhead at nbmlaw.co.uk> wrote:
>
> the server is using httpd (apache) httpd-2.4.6-90.el7.centos.x86_64
>
> here is a screenshot of my cookies in chrome developer tools
> https://imgur.com/nkxHgWu
>
> keycloak and the websites are hosted on different domains but on the
> same box
>
> you might be onto something with the ssl settings. i remember with
> 4.5.0 i had to disable ssl behind the proxy but cannot remember how or
> why. now i have upgraded to 7.0.0 i am getting this message so maybe i
> need to change the settings...
>
> On 07/10/2019 18:55, Max Allan wrote:
> > Hi Matthew,
> >
> > I note that it is only cookies without "samesite" that are not
> > "secure" that will be affected.
> > I expect that you are running keycloak over http to a proxy and the
> > proxy is not securing your cookies.
> > You don't mention which proxy you are using. There is a module for
> > nginx : nginx_cookie_flag
> > However, I consider that to be mostly a bodge for masking other
> > issues. Use it as last resort.
> >
> > You may need to ensure your proxy passes the correct headers for
> > access to be detected as "SSL". I think if you fail to add
> > "X-Forwarded-Proto" (and possibly Port) then keycloak sort of assumes
> > your connection is over HTTP and does not secure cookies.
> > You can maybe check by inspecting some of the redirects and if they
> > include http URLs rather than https. Your proxy probably then
> > redirects everyone to https anyway, but fixing it at source is better.
> > This sort of thing often causes CORS errors as well because requests
> > are going from one url (http....) to a different one (https....)
> >
> > And/or, you can configure Keycloak's SSL policy:
> > https://lists.jboss.org/pipermail/keycloak-user/2017-September/011888.html
> > I think that is a case of setting "require SSL" for all/external in
> > the Realm Settings. BUT IIRC that assumes you've got the header coming
> > through correctly or it will reject ALL attempts to login. (Which is
> > embarrassing because you cannot login to change the setting back!
> > Always make sure you have a backup and know how to restore it before
> > changing any settings!!)
> > Also, if the proxy is on the same box, the connection appears to be
> > local, so the "external" setting doesn't help!
> >
> > Max
> >
> > ---------- Forwarded message ----------
> > From: Matthew Broadhead <matthew.broadhead at nbmlaw.co.uk
> > <mailto:matthew.broadhead at nbmlaw.co.uk>>
> > To: Bruno Oliveira <bruno at abstractj.org <mailto:bruno at abstractj.org>>
> > Cc: keycloak-user <keycloak-user at lists.jboss.org
> > <mailto:keycloak-user at lists.jboss.org>>
> > Bcc:
> > Date: Mon, 7 Oct 2019 16:41:44 +0200
> > Subject: Re: [keycloak-user] SameSite and Secure
> > Hi Bruno,
> >
> > i see the warnings in exactly the same version of chrome as you
> > Version
> > 77.0.3865.90 (Official Build) (64-bit) in fedora
> >
> > the same warning is showing in the console for a JSF application and
> > vue.js application and says the cookie originates from the domain
> > where
> > my keycloak installation is located.
> >
> > i will continue to check if it is a problem with my httpd proxy i
> > just
> > thought you should know about this message
> >
> > On 07/10/2019 11:31, Bruno Oliveira wrote:
> > > Hi Matthew, even though I agree that this is something we should
> > > consider to Keycloak, I don't see the warnings you mentioned in the
> > > latest release using Chrome 77.0.3865.90 (Official Build) (64-bit).
> > >
> > > Could you please provide the steps to reproduce the issue?
> > >
> >
> >
> >
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
- abstractj
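Max's advice above is to check the cookies and redirects the browser actually receives: cookies issued without `Secure`/`SameSite`, and `Location` headers pointing at `http://` URLs, are the symptoms of a proxy that is not passing `X-Forwarded-Proto`. The following is an added example, not code from this thread, from Keycloak or from nginx; it audits a constructed set of response headers for exactly those symptoms. Cookie names and URLs are made up for the sample.

```python
"""Audit HTTP response headers for the cookie/redirect symptoms discussed in
the thread: Set-Cookie values lacking Secure / SameSite / HttpOnly, and a
redirect Location that shows the backend believes it is serving plain HTTP.
Added example with constructed input; not Keycloak, nginx or httpd code."""


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr: value}).

    Attribute names are lower-cased so lookups are case-insensitive;
    flag attributes such as Secure map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header):
    """Return (cookie_name, [findings]) for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "samesite" not in attrs:
        findings.append("missing SameSite")
    elif attrs["samesite"].lower() == "none" and "secure" not in attrs:
        # SameSite=None is only honoured by browsers when Secure is also set.
        findings.append("SameSite=None without Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    return name, findings


def audit_response(headers):
    """headers: list of (name, value) pairs as received from the server.

    Returns {"cookies": {name: [findings]}, "insecure_redirect": url_or_None}.
    A Location starting with http:// is the tell-tale of a backend that did
    not see X-Forwarded-Proto: https from the proxy."""
    report = {"cookies": {}, "insecure_redirect": None}
    for hname, hvalue in headers:
        lname = hname.lower()
        if lname == "set-cookie":
            cookie_name, findings = audit_cookie(hvalue)
            report["cookies"][cookie_name] = findings
        elif lname == "location" and hvalue.lower().startswith("http://"):
            report["insecure_redirect"] = hvalue
    return report


# Constructed sample: what a misconfigured proxy setup might hand the browser.
SAMPLE_HEADERS = [
    ("Location", "http://sso.example.test/auth/realms/demo/account"),
    ("Set-Cookie", "SESSION_A=abc123; Version=1; Path=/auth/realms/demo/; Max-Age=36000"),
    ("Set-Cookie", "IDENTITY_B=tokenvalue; Version=1; Path=/auth/realms/demo/; HttpOnly"),
    ("Set-Cookie", "GOOD_C=1; Path=/; Secure; HttpOnly; SameSite=Lax"),
]


if __name__ == "__main__":
    result = audit_response(SAMPLE_HEADERS)
    if result["insecure_redirect"]:
        print("backend redirected to plain http:", result["insecure_redirect"])
    for cookie, findings in result["cookies"].items():
        print(cookie, "->", ", ".join(findings) if findings else "ok")
```

Feed it the headers from the response that sets the session cookie (copied from the browser's developer tools or from `curl -i` against the proxy). If the redirect comes back as `http://` and the cookies lack `Secure`, the fix belongs at the proxy, as the thread says: forward `X-Forwarded-Proto` (and port) so Keycloak sees the request as SSL, rather than rewriting cookie flags afterwards.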