Status: Closed (View Workflow)
Affects Version/s: 9.0.3
Fix Version/s: 11.0.0
Sprint:Keycloak Sprint 40
Steps to Reproduce:
1. Download Chrome Canary https://www.google.com/chrome/canary/
2. Enable SameSite feature:
3. Run chrome with flags: chrome --enable-features=SameSiteDefaultChecksMethodRigorously --enable-features=ShortLaxAllowUnsafeThreshold
To disable temporary POST+Lax intervention that makes everything work in current released chrome1. Download Chrome Canary https://www.google.com/chrome/canary/ 2. Enable SameSite feature: 3. Run chrome with flags: chrome --enable-features=SameSiteDefaultChecksMethodRigorously --enable-features=ShortLaxAllowUnsafeThreshold To disable temporary POST+Lax intervention that makes everything work in current released chrome 4. Try to login using IDP that requires SAML POST Binding. If Keycloak is used as IDP, then it is this option:
Git Pull Request:
Docs QE Status:NEW
New SameSite policy in Chrome sets SameSite=Lax by default to cookies without SameSite attribute.
- Let's have a SAML IdP using POST binding.
- User initiates authentication using this IdP.
- User logs in to the IdP.
- IdP performs final POST "redirect" back to Keycloak. SameSite=Lax removes cookies from this request and therefore Keycloak losts its session (AUTH_SESSION_ID cookie).
Solution: Set SameSite=None to AUTH_SESSION_ID cookie.
When using SAML POST-binding to identity provider, Keycloak issues SAML AuthnRequest in http-POST request
After authentication, Identity provider answers with http-POST request containing SAML Response
There is AUTH_SESSION_ID cookie
If SameSite is not set (current behaviour in 9.0.3 and in master), then it will be treated as `SameSite=Lax`
If Keycloak sets `SameSite=Strict` (As in acceptance criteria), then it is `SameSite=Strict`
In both cases AUTH_SESSION_ID cookie will not be sent in POST request from idp site to keyloak site, as per rfc:
POST method is not considered as "safe" = everything that is not `SameSite=None` will be rejected when using saml post binding.
What happens if cookie is not present:
Defaulting to SameSite=Lax (if no SameSite is present) may stop work in the future when chromium starts to enforce Lax and remove workarounds.
“Lax + POST” is an intervention for Lax-by-default cookies (cookies that don’t specify a `SameSite` attribute) which allows these cookies to be sent on top-level cross-site POST requests if they are at most 2 minutes old. “Normal” Lax cookies are not sent on cross-site POST requests (or any other cross-site requests with a non-idempotent HTTP method such as PUT). This intervention was put in place to mitigate breakage to some POST-based login flows.