Keycloak / KEYCLOAK-16032

Origin Header is null


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Explained
    • Affects Version/s: 11.0.2, RH-SSO-7.4.6
    • Fix Version/s: None
    • Component/s: Account - Console, RH-SSO, SAML

      Using docker-compose for Keycloak 7:

          keycloak7:
            image: jboss/keycloak:7.0.0
            container_name: komgo-keycloak-7
            environment:
              - KEYCLOAK_USER=keycloak
              - KEYCLOAK_PASSWORD=keycloak
              - KEYCLOAK_REALM_NAME=thomas
            ports:
              - "9090:8443"

      For Keycloak 11:

          keycloak11:
            image: jboss/keycloak:11.0.2
            container_name: komgo-keycloak
            environment:
              - KEYCLOAK_USER=keycloak
              - KEYCLOAK_PASSWORD=keycloak
              - KEYCLOAK_REALM_NAME=thomas
            ports:
              - "8090:8443"

      Using Chrome or Firefox, log in to the admin console as administrator and check the request headers of the authenticate request in the browser dev console.

      I'm using Keycloak behind a proxy server; for security reasons, it blocks requests when the Origin is null (and this is good practice).

      This behavior comes from KEYCLOAK-14232 (but I don't have access to it to understand why).

      BrowserSecurityHeaders.java (defaults for the realm's browser security headers):

          X_FRAME_OPTIONS("xFrameOptions", "X-Frame-Options", "SAMEORIGIN"),
          CONTENT_SECURITY_POLICY("contentSecurityPolicy", "Content-Security-Policy", ContentSecurityPolicyBuilder.create().build()),
          CONTENT_SECURITY_POLICY_REPORT_ONLY("contentSecurityPolicyReportOnly", "Content-Security-Policy-Report-Only", ""),
          X_CONTENT_TYPE_OPTIONS("xContentTypeOptions", "X-Content-Type-Options", "nosniff"),
          X_ROBOTS_TAG("xRobotsTag", "X-Robots-Tag", "none"),
          X_XSS_PROTECTION("xXSSProtection", "X-XSS-Protection", "1; mode=block"),
          STRICT_TRANSPORT_SECURITY("strictTransportSecurity", "Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
          REFERRER_POLICY("referrerPolicy", "Referrer-Policy", "no-referrer"),
      

    Description

      This issue impacts the Admin console but also all login pages.

      In Keycloak 7, when authenticating to access the admin console, the default selected referrer policy is "strict-origin-when-cross-origin", so the request header contains Origin = http(s)://<FQDN>.

      In Keycloak 11, when authenticating to access the admin console, the default selected referrer policy is "no-referrer", so the request header contains Origin = null.
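      The mechanism behind the two observations above, as an added example that is not part of the issue or of Keycloak's code: the Fetch standard's "append a request Origin header" steps say that a form submission (any method other than GET/HEAD) carries an Origin header, but that the page's referrer policy can force the value to the literal string "null", and "no-referrer" always does. The script models those steps for a navigation request (the CORS-mode branch is not modelled), plus the kind of proxy-side Origin allow-list the reporter describes, which rejects "null". The realm host, paths and allow-list are constructed; the per-version default policies are the ones stated in the report.

```python
"""Why Keycloak 11's default Referrer-Policy makes the login POST arrive with
Origin: null, and why an Origin-checking proxy then rejects it.

Added example, not Keycloak code. It models the Fetch standard's
"append a request Origin header" steps for a form submission and a proxy-side
Origin allow-list. REALM_HOST, the paths and PROXY_ALLOWLIST are constructed.
"""
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def serialize_origin(url: str) -> str:
    """ASCII-serialize the origin of a URL: scheme://host[:port], default port omitted."""
    p = urlsplit(url)
    if p.port is None or p.port == DEFAULT_PORTS.get(p.scheme):
        return f"{p.scheme}://{p.hostname}"
    return f"{p.scheme}://{p.hostname}:{p.port}"


def origin_header(method: str, referrer_policy: str,
                  page_url: str, target_url: str) -> Optional[str]:
    """Value the browser sends in the Origin header for a form submission from
    page_url to target_url, or None when no Origin header is sent.

    Fetch: GET/HEAD navigations carry no Origin; any other method carries one,
    but the page's referrer policy can force the value to the literal "null".
    """
    if method.upper() in ("GET", "HEAD"):
        return None
    serialized = serialize_origin(page_url)
    if referrer_policy == "no-referrer":
        return "null"                      # always reduced to "null"
    if referrer_policy in ("no-referrer-when-downgrade", "strict-origin",
                           "strict-origin-when-cross-origin"):
        # only an https -> non-https downgrade strips the origin
        if urlsplit(page_url).scheme == "https" and urlsplit(target_url).scheme != "https":
            return "null"
        return serialized
    if referrer_policy == "same-origin":
        return serialized if serialized == serialize_origin(target_url) else "null"
    return serialized                      # "", "origin", "origin-when-cross-origin", "unsafe-url"


def proxy_allows(method: str, origin: Optional[str], allowed_origins: set) -> bool:
    """Proxy-side check as described in the report: state-changing requests must
    carry an Origin on the allow-list; "null" never is, so it is rejected."""
    if method.upper() in ("GET", "HEAD"):
        return True
    return origin is not None and origin in allowed_origins


# Constructed deployment: Keycloak behind a TLS-terminating proxy, realm "thomas".
REALM_HOST = "https://sso.example.test"
LOGIN_PAGE = REALM_HOST + "/auth/realms/thomas/protocol/openid-connect/auth"
LOGIN_POST = REALM_HOST + "/auth/realms/thomas/login-actions/authenticate"
PROXY_ALLOWLIST = {REALM_HOST}

# Default Referrer-Policy per version, as stated in the report.
DEFAULT_REFERRER_POLICY = {
    "Keycloak 7": "strict-origin-when-cross-origin",
    "Keycloak 11": "no-referrer",   # BrowserSecurityHeaders.REFERRER_POLICY default
}


def login_post_outcome(version: str) -> tuple:
    """(Origin value the browser sends, whether the proxy lets the login POST through)."""
    policy = DEFAULT_REFERRER_POLICY[version]
    origin = origin_header("POST", policy, LOGIN_PAGE, LOGIN_POST)
    return origin, proxy_allows("POST", origin, PROXY_ALLOWLIST)


if __name__ == "__main__":
    for version in DEFAULT_REFERRER_POLICY:
        origin, ok = login_post_outcome(version)
        print(f"{version:12} Origin: {origin!s:26} proxy: {'allowed' if ok else 'BLOCKED'}")
```

      Running it prints the Keycloak 7 POST with the real https origin and allowed, and the Keycloak 11 POST with Origin null and blocked. The practical consequence for a proxy that validates Origin is that the realm's Referrer-Policy header and the proxy's allow-list have to be chosen together: with "no-referrer" in front of such a proxy, every login form submission is rejected, not just cross-origin ones.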

      Attachments

        1. keycloak11-origin.png (2 kB)
        2. keycloak11-refpol.png (31 kB)
        3. keycloak7-origin.png (4 kB)
        4. keycloak7-ref-pol.png (32 kB)

      People

        Assignee: Michal Hajas (mhajas@redhat.com)
        Reporter: Thomas GAUROY (thomas.gauroy, inactive)
        Votes: 1
        Watchers: 8
