Keycloak: Session cookies are missing within the token request with the new Chrome SameSite/Secure cookie enforcement
Recently my application using Keycloak stopped working with a 400 token request after authenticating.

What I found so far is that within the token request, the Keycloak cookies (AUTH_SESSION_ID, KEYCLOAK_IDENTITY, KEYCLOAK_SESSION) are not sent within the request headers causing the request for a token to fail and the application gets a session error.

By digging more, I found that Chrome now blocks cookies without the SameSite attribute set, which is the case for the Keycloak cookies, and that's why they are never parsed within the token acquisition request after authenticating.

The error I get:

[screenshot of the error, not reproduced here]

https://blog.chromium.org/2019/10/developers-get-ready-for-new.html

https://adzerk.com/blog/chrome-samesite/

This is very serious as it prevents applications secured by the Keycloak library from communicating with the Keycloak server.

Update: With the new Google Chrome SameSite cookie attribute, for any third-party library using cookies without the SameSite attribute properly set, the cookie will be ignored. https://blog.chromium.org/2019/10/developers-get-ready-for-new.html

https://www.chromium.org/updates/same-site

Roguish answered 10/3, 2020 at 16:42 Comment(3)
Does this issue resolve things for you? issues.redhat.com/browse/KEYCLOAK-12125 (Lucinalucinda)
@Lucinalucinda yes, just found out about this. But I'm relying on the Red Hat version so will need to wait for an update from their end or try a workaround. (Roguish)
I will leave this post as it might be helpful for people who are going to experience this with the new Google Chrome update rollout. chromium.org/updates/same-site (Roguish)
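To make the failure mode concrete, here is an added example (not code from the original post, and not part of Keycloak) that parses Set-Cookie headers and applies the Chrome 80+ defaults described in the linked Chromium posts: a cookie with no SameSite attribute is treated as SameSite=Lax and withheld from cross-site requests, and SameSite=None is only honoured together with Secure. The cookie names match the ones in the question; the values, paths and the realm name are constructed, and the helper function names are my own. The token request and the keycloak-js status iframe are cross-site whenever the application and Keycloak live on different sites, which is exactly the case the checker flags.

```javascript
// Added example, not from the original post or from the Keycloak project.
// Models the Chrome 80+ SameSite defaults for a cookie that arrives on a
// cross-site request (application origin != Keycloak origin).

// Parse one Set-Cookie header value into its name and lower-cased attributes.
// Value-less attributes (Secure, HttpOnly) are stored as `true`.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const name = parts[0].split('=')[0];
  const attrs = {};
  for (const p of parts.slice(1)) {
    const idx = p.indexOf('=');
    const key = (idx === -1 ? p : p.slice(0, idx)).trim().toLowerCase();
    attrs[key] = idx === -1 ? true : p.slice(idx + 1).trim();
  }
  return { name, attrs };
}

// How Chrome's defaults treat the cookie on a cross-site request.
// Returns one of:
//   'sent'                   SameSite=None; Secure -> attached
//   'withheld-lax-default'   no (or unknown) SameSite -> treated as Lax, withheld
//   'withheld-lax'           explicit Lax -> withheld
//   'withheld-strict'        explicit Strict -> withheld
//   'rejected-none-insecure' SameSite=None without Secure -> cookie rejected
function crossSiteVerdict(cookie) {
  const raw = cookie.attrs.samesite;
  const sameSite = typeof raw === 'string' ? raw.toLowerCase() : undefined;
  const secure = cookie.attrs.secure === true;
  if (sameSite === 'lax') return 'withheld-lax';
  if (sameSite === 'strict') return 'withheld-strict';
  if (sameSite === 'none') return secure ? 'sent' : 'rejected-none-insecure';
  return 'withheld-lax-default'; // missing or unrecognised value
}

// Audit a list of Set-Cookie headers; returns { cookieName: verdict }.
function auditSetCookies(headers) {
  const report = {};
  for (const h of headers) {
    const c = parseSetCookie(h);
    report[c.name] = crossSiteVerdict(c);
  }
  return report;
}

// Rewrite a Set-Cookie header so that it survives a cross-site request:
// drop any existing SameSite attribute, add Secure if absent, add SameSite=None.
// (Secure means the cookie is only sent over HTTPS, so Keycloak must be served over TLS.)
function hardenForCrossSite(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean)
    .filter((p) => !/^samesite\s*=/i.test(p));
  if (!parts.some((p) => /^secure$/i.test(p))) parts.push('Secure');
  parts.push('SameSite=None');
  return parts.join('; ');
}

// Constructed sample headers, shaped like the Keycloak session cookies named in
// the question but with made-up values and a made-up realm path.
const SAMPLE_BEFORE = [
  'AUTH_SESSION_ID=s1; Version=1; Path=/auth/realms/demo/; HttpOnly',
  'KEYCLOAK_IDENTITY=t1; Version=1; Path=/auth/realms/demo/; Secure; HttpOnly',
  // constructed misconfiguration: SameSite=None without Secure
  'KEYCLOAK_SESSION=demo/u1/s1; Version=1; Path=/auth/realms/demo/; SameSite=None',
];
const SAMPLE_AFTER = SAMPLE_BEFORE.map(hardenForCrossSite);

if (typeof require !== 'undefined' && require.main === module) {
  console.log('before:', auditSetCookies(SAMPLE_BEFORE));
  console.log('after: ', auditSetCookies(SAMPLE_AFTER));
}
```

Running it shows the two Keycloak cookies without any SameSite attribute reported as withheld (Lax by default) and the None-without-Secure cookie as rejected outright, while every hardened header is reported as sent. The checker ignores Chrome's short-lived "Lax + POST" exception for very fresh cookies, so it is deliberately conservative.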
For those who are looking for a short time solution until they update their libraries.

You can do the following in Chrome:

  • Go to chrome://flags/
  • Search for "Samesite"
  • Disable "SameSite by default cookies" and "Cookies without SameSite must be secure" flags.
  • Relaunch.
Roguish answered 24/4, 2020 at 1:37 Comment(1)
Those flags no longer exist in the current version of Chrome. (Cryometer)
If you are facing this issue while using the keycloak-js adapter, the reason is:

By default, the JavaScript adapter creates a hidden iframe that is used to detect if a Single-Sign Out has occurred. This does not require any network traffic, instead the status is retrieved by looking at a special status cookie.

Workaround (Not a fix):

This feature can be disabled by setting checkLoginIframe: false in the options passed to the init method.

e.g.

keycloak.init({ onLoad: 'login-required', checkLoginIframe: false })

Inglebert answered 25/8, 2020 at 23:12 Comment(3)
That's correct, but note that the iframe usage is very useful for many cases, such as detecting a logout from a second tab etc., unless you add extra control to your app with websocket calls. You will need to update your Keycloak server to fix this issue as they have released a version to support that. (Roguish)
Agree. That is why I mentioned it as a workaround. Definitely this has to be fixed in the back end to pass the SameSite attribute. (Inglebert)
Looking at the release notes, I think this was addressed in v8.0.2. (Pentadactyl)
With Chrome 91+ the settings in flags are gone, but they are accessible from the command line; with 94 these settings are not accessible at all.

It is possible to use Firefox or Safari meanwhile.

Exertion answered 24/9, 2021 at 14:27 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.