Keycloak: KEYCLOAK-12125

Applying new Policies for insecure cookies with SameSite=none issued by Keycloak

    Details

    • Sprint: Keycloak Sprint 34
    • Affects: Release Notes
    • Docs QE Status: NEW
    • QE Status: NEW

      Description

      Browsers in future versions will enforce that insecure cookies with SameSite=None are rejected. Please make sure that all cookies set by Keycloak follow these guidelines.
      The new default value for the SameSite attribute will be Lax.

      See https://www.chromestatus.com/feature/5633521622188032 and https://www.chromestatus.com/feature/5088147346030592

      Update 9/Jan

      At this point we believe the only thing affected in Keycloak is keycloak.js or any third-party libraries/clients that are using the OIDC session status iframe.

      A work-around until we have a resolution is to disable the session iframe, which will have the side effect that SPA/HTML5 applications will not notice that the user has logged out from a different application until the application is reloaded or the token is refreshed. For details on how to disable the session status iframe, see https://www.keycloak.org/docs/latest/securing_apps/index.html#session-status-iframe
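      The following is an added example, not code from Keycloak or from the issue: it parses Set-Cookie header values, classifies each under the browser policy described above (missing SameSite treated as Lax; SameSite=None without Secure rejected), and shows the hardened attribute pair the session status iframe depends on. The cookie names and values are constructed samples, and `checkLoginIframe` is assumed to be the keycloak.js init option that disables the iframe.

```javascript
// Added example (not Keycloak's own code): parse Set-Cookie header values and
// classify them under the browser policy the issue describes. A missing
// SameSite attribute is treated as Lax, and SameSite=None without Secure is
// rejected outright. Cookie names/values below are constructed samples.

function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = { name: nameValue.slice(0, eq), secure: false, sameSite: 'lax' };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=');
    const k = key.trim().toLowerCase();
    if (k === 'secure') cookie.secure = true;
    // an empty SameSite value falls back to the new Lax default
    else if (k === 'samesite') cookie.sameSite = val.trim().toLowerCase() || 'lax';
  }
  return cookie;
}

// 'rejected'   : SameSite=None without Secure, the browser discards the cookie
// 'same-site'  : Lax/Strict (or no SameSite, now defaulting to Lax); not sent
//                from a cross-site context such as the OIDC session status iframe
// 'cross-site' : SameSite=None; Secure, the only form the iframe can still rely on
function classifyCookie(header) {
  const c = parseSetCookie(header);
  if (c.sameSite === 'none') return c.secure ? 'cross-site' : 'rejected';
  return 'same-site';
}

// Hardened form: whenever SameSite=None is requested, also set Secure, which is
// the attribute pair the new browser policy requires for cross-site cookies.
function hardenSetCookie(header) {
  const c = parseSetCookie(header);
  if (c.sameSite !== 'none' || c.secure) return header;
  return `${header}; Secure`;
}

const SAMPLE_HEADERS = [ // constructed, not captured from a Keycloak server
  'EXAMPLE_SESSION=abc; Path=/auth/realms/demo; SameSite=None',
  'EXAMPLE_SESSION=abc; Path=/auth/realms/demo',
  'EXAMPLE_SESSION=abc; Path=/auth/realms/demo; Secure; SameSite=None',
];

function auditHeaders(headers = SAMPLE_HEADERS) {
  return headers.map((h) => ({ header: h, verdict: classifyCookie(h) }));
}

// Work-around from the issue for the JS adapter: disable the session status
// iframe. checkLoginIframe is assumed here to be the keycloak.js init option.
const SESSION_IFRAME_WORKAROUND = { checkLoginIframe: false };
```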

                People

                • Assignee: Václav Muzikář (vmuzikar)
                • Reporter: Benjamin Buehlmann (buehlmann)
                • Involved: Bruno Oliveira da Silva, Michal Hajas, Václav Muzikář
                • Votes: 11
                • Watchers: 32
