KEYCLOAK-13206

Session Status iframe cannot access cookies when 3rd party cookies are blocked


    Details

    • Sprint:
      Keycloak Sprint 40, Keycloak Sprint 41
    • Security Sensitive Issue:
      This issue is security relevant
    • Steps to Reproduce:
      1. Use Safari Technical Preview. Alternatively, use Firefox and set it to block all 3rd party cookies in Enhanced Tracking Protection.
      2. Use the JS adapter and make sure checkLoginIframe is not set to false. You can use e.g. js-console from our examples. Make sure the app and Keycloak are running on completely different domains (not just subdomains) to be treated as cross-site.
      3. You will be logged out a few seconds after authentication. That is when the session iframe inits.
    • Workaround:
      Workaround Exists
    • Estimated Difficulty:
      Medium
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      What

      Browsers are starting to block 3rd party cookies by default (currently only Safari, with more to join). The JS adapter uses the Session Status iframe to support single sign-out. When the iframe cannot access the cookies (because they are treated as 3rd party), the adapter treats this as if the user had logged out in some other context: the tokens are cleared and the user is logged out from the app.

      How

      • Detect when something like this happens and disable the session iframe.
      • When the user is logged out, don't delete the KEYCLOAK_SESSION cookie (which the iframe reads), but set it to a special value instead. This way the iframe can distinguish between the user really having logged out and cookies being blocked.
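      The two proposals above, as an added illustration in JavaScript; this is not Keycloak's own adapter or iframe code. The postMessage format (clientId, space, sessionState), the cookie layout (realm/userId/sessionId) and the "logged-out" sentinel are assumptions made for the example.

```javascript
// Illustration of the proposed fix (not Keycloak's code): the status iframe
// distinguishes "cookie unreadable" from "user logged out" because logout
// writes a sentinel value to KEYCLOAK_SESSION instead of deleting the cookie.

const LOGGED_OUT_SENTINEL = 'logged-out'; // assumed sentinel written on logout

// Parse a document.cookie-style string into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Logout side: the value to store instead of expiring the cookie.
function cookieValueOnLogout() {
  return LOGGED_OUT_SENTINEL;
}

// Iframe side: given the cookies it can read and the app's message
// ("<clientId> <sessionState>", assumed format), decide the reply.
function sessionStatusReply(cookieString, message) {
  const [clientId, sessionState] = message.split(' ');
  if (!clientId || !sessionState) return 'error';
  const value = parseCookies(cookieString).KEYCLOAK_SESSION;
  if (value === undefined) {
    // Cookie not readable at all: 3rd party cookies are blocked. This is not
    // a logout, so tell the adapter to stop using the iframe instead.
    return 'error';
  }
  if (value === LOGGED_OUT_SENTINEL) return 'changed'; // real logout
  const currentSession = value.split('/')[2]; // assumed realm/userId/sessionId
  return currentSession === sessionState ? 'unchanged' : 'changed';
}

// Adapter side: only a 'changed' reply clears tokens; 'error' disables the check.
function handleReply(reply, state) {
  if (reply === 'error') { state.iframeEnabled = false; return state; }
  if (reply === 'changed') { state.token = null; state.loggedIn = false; }
  return state;
}
```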

      Original report

      While calling Keycloak.updateToken(999) keycloak is initiating a request with empty refresh token.

      I debugged this in the keycloak library (keycloak.js) and found that on lines 1229-1231 a check was being fired (unchanged) and it was clearing the token. This issue occurs for specific browsers on PCs (some Safari on Mac has this issue, but on Chrome it works fine, and the same goes for Chrome on Windows). Whereas the same keycloak code does work without any error on most PCs.

      For the time being I've commented out the command on line 1230 ( kc.clearToken(); ) as a workaround.

      Any help would be appreciated as to why keycloak is firing the changed / unchanged event and what could be the source of this bug.

              People

              Assignee:
              vmuzikar Václav Muzikář
              Reporter:
              muhammad.hani10p Muhammad hani (Inactive)
              Votes:
              0
              Watchers:
              3