KEYCLOAK-10668

keycloak-gatekeeper - Cookies being applied to subdomains


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 8.0.0
    • Component/s: Gatekeeper

    Steps to Reproduce

      1. Set up keycloak-gatekeeper on a domain and one of its subdomains.
      2. Log in to the domain.
      3. Attempt to visit the subdomain.

    Description

      By setting the domain attribute on the cookie we were allowing the
      cookie to be applied to subdomains where it may not be valid and may
      interfere with other services protected by keycloak-gatekeeper.

      For example, let's say we are running keycloak-gatekeeper on the following URLs:

      mydomain.com
      sub.mydomain.com

      If a user logs in to mydomain.com and then tries to visit sub.mydomain.com the service will fail (infinite redirect loop) as the cookie from the first service will be applied to the second service.

      In terms of the cookie, the problem is caused by this piece of code: https://github.com/keycloak/keycloak-gatekeeper/blob/master/cookies.go#L30-L34

      If you read section 4.1.2.3 of https://tools.ietf.org/html/rfc6265#section-4.1.2 it implies that if you set the 'Domain' attribute in that fashion it will propagate down to subdomains.

      It seems that to prevent this the 'Domain' attribute should simply be omitted.
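As an added illustration (this is not code from keycloak-gatekeeper or from the reporter), the following Go program applies the RFC 6265 cookie-scoping rules to the two hosts named in the description. It builds the session cookie both ways: with the Domain attribute set to the issuing host, as the ticket says gatekeeper did, and with the attribute omitted, as the ticket proposes. It then asks, for each variant, which request hosts a user agent would send the cookie to. The cookie name and value are placeholders chosen for the example; the hostnames come from the ticket.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Hosts from the ticket.
const (
	parentHost = "mydomain.com"
	subHost    = "sub.mydomain.com"
)

// canonicalDomain lowercases a name and strips a leading or trailing dot,
// as RFC 6265 section 5.2.3 requires when a user agent processes a Domain
// attribute.
func canonicalDomain(d string) string {
	return strings.ToLower(strings.TrimPrefix(strings.TrimSuffix(d, "."), "."))
}

// domainMatch implements RFC 6265 section 5.1.3: requestHost matches domain
// when the two are identical or when requestHost ends in "." + domain. The
// rule that the host must not be an IP address is omitted; the ticket only
// concerns DNS names.
func domainMatch(requestHost, domain string) bool {
	requestHost = canonicalDomain(requestHost)
	domain = canonicalDomain(domain)
	return requestHost == domain || strings.HasSuffix(requestHost, "."+domain)
}

// sessionCookie builds the kind of cookie a gatekeeper instance on setByHost
// would emit. withDomain=true reproduces the behaviour the ticket reports
// (Domain attribute set to the host); withDomain=false is the proposed fix
// (attribute omitted, so the cookie is host-only). Name and value are
// hypothetical placeholders, not gatekeeper's real cookie.
func sessionCookie(setByHost string, withDomain bool) *http.Cookie {
	c := &http.Cookie{
		Name:     "kc-access",    // hypothetical name
		Value:    "opaque-token", // hypothetical value
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
	}
	if withDomain {
		c.Domain = setByHost
	}
	return c
}

// wouldBeSent answers whether a user agent that stored c from a response
// issued by setByHost would attach it to a request for requestHost.
// RFC 6265 section 5.3 step 6: a Domain cookie is only stored if the
// issuing host domain-matches the attribute. Section 5.4 step 1: a host-only
// cookie is sent only to the exact host that set it, while a Domain cookie
// is sent to every host that domain-matches the attribute, subdomains
// included. That second branch is what lets mydomain.com's cookie reach
// sub.mydomain.com.
func wouldBeSent(c *http.Cookie, setByHost, requestHost string) bool {
	if c.Domain == "" {
		return canonicalDomain(setByHost) == canonicalDomain(requestHost)
	}
	if !domainMatch(setByHost, c.Domain) {
		return false // user agent would have rejected the cookie on receipt
	}
	return domainMatch(requestHost, c.Domain)
}

func main() {
	for _, withDomain := range []bool{true, false} {
		c := sessionCookie(parentHost, withDomain)
		fmt.Printf("Set-Cookie: %s\n", c.String())
		for _, h := range []string{parentHost, subHost, "other.com"} {
			fmt.Printf("  sent to %-18s %v\n", h+":", wouldBeSent(c, parentHost, h))
		}
	}
}
```

Running it prints the two Set-Cookie headers (only the first contains `Domain=mydomain.com`) followed by the per-host decisions: the Domain cookie is sent to both mydomain.com and sub.mydomain.com, the host-only cookie to mydomain.com alone, and neither to other.com. Note that a host-only cookie set by mydomain.com and a Domain cookie set by sub.mydomain.com never collide, so omitting the attribute keeps each gatekeeper instance's cookie on its own host.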

People

    Assignee: Bruno Oliveira Silva (boliveir_managed_kafka_security, inactive)
    Reporter: Daniel Martin (dacm_ukho, inactive)
    Votes: 0
    Watchers: 5