In Keycloak 25, I’ve noticed that the SameSite attribute for my cookies is set to “None” or blank, and I’m concerned about the potential security implications. I would like to know why it defaults to this value and how I can configure it to “Lax” or “Strict” instead.
The SameSite value is hard-coded by cookie type, and the only override is on the “Secure” field, which can be enforced by setting “SslRequired” on the realm.
Keycloak version 26 goes further to take control away by enforcing “LAX” when the URL isn’t secure, which can cause breakage when you’re behind a routing layer that terminates SSL.
Unless they open this up to configuration, your only option is to implement a custom CookieProvider SPI.
I actually bumped into a situation with a SAML Identity Provider where in our prod env we get “cookie_not_found” but in stage it works.
I noticed that the cookies are set with “SameSite” = None in stage yet “Strict” in prod…
We have all settings on the Identity Provider and clients exactly the same, though, and all I read suggests this can’t even be set in Keycloak, so how is it possible?
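The answer above (SameSite hard-coded per cookie type, “None” only meaningful together with “Secure”) and the “cookie_not_found” report are two sides of the same browser rule. The block below is an added example, not Keycloak’s code and not taken from this thread: it models a Chromium-style browser’s SameSite decision per RFC 6265bis, first whether a Set-Cookie is stored at all, then whether a stored cookie is attached to a request. The three request contexts are constructed for the example; the SAML one reflects how the SAML HTTP-POST binding works (the IdP’s page POSTs the SAMLResponse form to the broker’s origin, which is a cross-site, top-level POST). Which cookie Keycloak actually needs at that point is not asserted here; the table only shows which SameSite settings survive each step.

```javascript
// Added example (not Keycloak code): model of Chromium's SameSite behaviour
// per RFC 6265bis, used to reason about which cookies survive a brokered login.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);
const LAX_ALLOWING_UNSAFE_SECONDS = 120; // Chromium's "Lax+POST" grace period (assumed value)

// Would the browser store this Set-Cookie at all?
// RFC 6265bis: SameSite=None requires Secure; Secure cannot be set from an insecure origin.
function setCookieAccepted(cookie, setFromHttps) {
  const sameSite = (cookie.sameSite || "").toLowerCase();
  if (sameSite === "none" && !cookie.secure) return false;
  if (cookie.secure && !setFromHttps) return false;
  return true;
}

// Would the browser attach an already-stored cookie to this request?
// cookie = { sameSite, secure, ageSeconds }, req = { crossSite, method, topLevel, https }
function cookieSentOn(cookie, req) {
  if (cookie.secure && !req.https) return false;        // Secure: https targets only
  if (!req.crossSite) return true;                      // same-site requests always carry it
  const method = req.method.toUpperCase();
  switch ((cookie.sameSite || "").toLowerCase()) {
    case "strict":
      return false;                                     // never on a cross-site request
    case "none":
      return cookie.secure === true;                    // sent cross-site, but only as Secure
    case "lax":
      return req.topLevel && SAFE_METHODS.has(method);  // top-level safe-method navigations only
    default: {
      // Missing/unknown SameSite: Chromium defaults to Lax, except that a cookie
      // set less than two minutes ago is also sent on a top-level cross-site POST.
      if (!req.topLevel) return false;
      if (SAFE_METHODS.has(method)) return true;
      return typeof cookie.ageSeconds === "number" &&
             cookie.ageSeconds < LAX_ALLOWING_UNSAFE_SECONDS;
    }
  }
}

// Constructed request contexts for a brokered login (not captured from Keycloak).
const REQUESTS = {
  // SAML IdP's auto-submitting form posts the SAMLResponse back to the broker.
  samlResponsePost: { crossSite: true, method: "POST", topLevel: true, https: true },
  // OIDC IdP redirects back with ?code=... : cross-site, top-level GET.
  oidcCodeRedirect: { crossSite: true, method: "GET", topLevel: true, https: true },
  // A hidden iframe on an application origin loading a broker endpoint.
  crossSiteIframe:  { crossSite: true, method: "GET", topLevel: false, https: true },
};

// Which SameSite setting survives which step; this is what "cookie_not_found" hinges on.
function survivalTable() {
  const cookies = {
    strict:     { sameSite: "Strict", secure: true },
    lax:        { sameSite: "Lax",    secure: true },
    noneSecure: { sameSite: "None",   secure: true },
    unsetFresh: { secure: true, ageSeconds: 30 },   // no SameSite, set 30 s ago
    unsetStale: { secure: true, ageSeconds: 600 },  // no SameSite, set 10 min ago
  };
  const table = {};
  for (const [cname, cookie] of Object.entries(cookies)) {
    table[cname] = {};
    for (const [rname, req] of Object.entries(REQUESTS)) {
      table[cname][rname] = cookieSentOn(cookie, req);
    }
  }
  return table;
}

console.table(survivalTable());
```

Reading the table: both “Strict” and “Lax” cookies are dropped on the SAML POST step, so a login that needs a cookie set before the redirect to the IdP only works when that cookie is “None; Secure” (or, in Chromium, when it has no SameSite at all and is younger than two minutes). A “Secure” cookie is also never sent to an http URL, which is why a TLS-terminating proxy that makes Keycloak believe it is on http changes the outcome even though the realm settings are identical.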