Keycloak / KEYCLOAK-4342

Cookie store and cookie path


      Description

      Hello,

      I'm working on a web application on which I have the following security constraints:

      / --> public
      /authent --> private
      /userInfo --> private 
      

      I use the Spring Keycloak adapter configured like that:

      keycloak.securityConstraints[0].securityCollections[1].name = Client stuff
      keycloak.securityConstraints[0].securityCollections[1].authRoles[0] = client
      keycloak.securityConstraints[0].securityCollections[1].patterns[0] = /authent
      
      keycloak.securityConstraints[0].securityCollections[0].name = Client stuff
      keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = client
      keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /userInfo
      keycloak.token-store=cookie
      

      The /authent endpoint is used to get redirected to the Keycloak server when needed and, when the authentication process is successful, it sets a KEYCLOAK_ADAPTER_STATE cookie with the access token, the ID token and the refresh token concatenated, but it defines it only for /authent, so when the browser hits the /userInfo endpoint, the request is made without the KEYCLOAK_ADAPTER_STATE cookie and it gets another HTTP 302, which is not fine because it implies another authentication process.

      This behavior does not seem to be consistent with the session token store, because the JSESSIONID cookie is defined for the root path even when it is hit from /authent, which avoids unnecessary authentication processes.
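The effect the report describes is plain cookie Path scoping: a browser only attaches a cookie to requests whose path falls under the cookie's Path attribute. The following script is an added illustration, not code from the Keycloak adapter or from the reporter; it uses Python's standard-library cookie jar to replay the two scenarios above. The origin `app.example`, the cookie values and the `_CannedResponse` helper are constructed placeholders, and no network request is made.

```python
"""Simulate browser cookie Path scoping with the stdlib cookie jar.

Added illustration, not Keycloak adapter code. Host, cookie values and the
canned response are constructed placeholders; nothing is sent over the network.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

HOST = "http://app.example"  # constructed placeholder origin


class _CannedResponse:
    """Minimal stand-in for an HTTP response. CookieJar.extract_cookies only
    needs info() to return a header container that supports get_all()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def cookies_sent_to(set_cookie_headers, set_on_path, request_path):
    """Store the cookies a response to `set_on_path` would set, then report
    which of them the browser would attach to a later request for
    `request_path`. Returns a dict of cookie name -> value ({} if none)."""
    jar = CookieJar()
    jar.extract_cookies(_CannedResponse(set_cookie_headers),
                        Request(HOST + set_on_path))
    later = Request(HOST + request_path)
    jar.add_cookie_header(later)  # applies the jar's Path/Domain rules
    header = later.get_header("Cookie")
    if not header:
        return {}
    return dict(part.strip().split("=", 1) for part in header.split(";"))


# Scenario from the report: the cookie token store scopes the adapter
# cookie to /authent (constructed value standing in for the concatenated tokens).
COOKIE_SCOPED_TO_AUTHENT = [
    "KEYCLOAK_ADAPTER_STATE=tokens-placeholder; Path=/authent"]
# What the reporter sees with the session store: JSESSIONID on the root path.
COOKIE_SCOPED_TO_ROOT = ["JSESSIONID=session-placeholder; Path=/"]


def demo():
    """Run the three cases side by side; the /userInfo case with the
    /authent-scoped cookie is the one that triggers a second redirect."""
    return {
        "adapter cookie, request /authent":
            cookies_sent_to(COOKIE_SCOPED_TO_AUTHENT, "/authent", "/authent"),
        "adapter cookie, request /userInfo":
            cookies_sent_to(COOKIE_SCOPED_TO_AUTHENT, "/authent", "/userInfo"),
        "session cookie, request /userInfo":
            cookies_sent_to(COOKIE_SCOPED_TO_ROOT, "/authent", "/userInfo"),
    }


if __name__ == "__main__":
    for case, sent in demo().items():
        print(case, "->", sent or "(no cookie sent; another 302 to Keycloak follows)")
```

Running it shows the adapter cookie reaching /authent but not /userInfo, while a root-scoped cookie reaches both; an adapter that persists its state in a cookie needs to set Path to the application's context root (or at least to a prefix covering every protected pattern) if it is to behave like the session store.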

        People

        Assignee: Pedro Igor Craveiro (pcraveiro)
        Reporter: Brice LEPORINI (blep, inactive)
        Votes: 0
        Watchers: 3