In Keycloak 25, my cookies are showing a SameSite attribute value of "None" or blank instead of "Lax" or "Strict"; how can I configure this?

Hello Everyone,

In Keycloak 25, I’ve noticed that the SameSite attribute for my cookies is set to “None” or blank, and I’m concerned about the potential security implications. I would like to know why it defaults to this value and how I can configure it to “Lax” or “Strict” instead.

Any guidance on adjusting these settings would be greatly appreciated.

Thank you,
Sanjana

The short answer is “No”. If I’m wrong then I hope someone points it out because I haven’t found any way to configure this.

Here’s the code in play: keycloak/services/src/main/java/org/keycloak/cookie/DefaultCookieProvider.java at archive/release/25.0 · keycloak/keycloak · GitHub

The SameSite value is hard-coded by cookie type and the only override is on the “Secure” field which can be enforced by setting “SslRequired” on the realm.

25.0 Release cookie configs:

Keycloak version 26 goes further to take control away by enforcing “LAX” when the URL isn’t secure, which can cause breakage when you’re behind a routing layer that terminates SSL.

Unless they open this up to configuration your only option is to implement a custom CookieProvider SPI.

I actually bumped into a situation with a SAML Identity Provider where in our prod env we get “cookie_not_found” but in stage it works.

I noticed that the cookies are set with “SameSite” = None in stage yet “Strict” in prod…

We have all settings on the Identity Provider and clients exactly the same, though, and all I read suggests this can’t even be set in Keycloak, so how is it possible?
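Since the SameSite value cannot be configured in Keycloak itself (see the answer above), the practical check is to capture the `Set-Cookie` headers each environment actually returns during a login round-trip and compare them. The script below is an added example, not Keycloak's code or anything from this thread; the headers are constructed samples using Keycloak's cookie names, with attribute values made up to exercise each branch, and the "browser behaviour" it reports is Chromium's default handling of SameSite.

```python
"""Audit SameSite/Secure/HttpOnly on captured Set-Cookie headers and diff two environments."""
from typing import Dict, List, Tuple

# Constructed sample headers (not captured from a real deployment); the attribute
# combinations are chosen to show each finding the audit can raise.
STAGE_HEADERS = [
    "AUTH_SESSION_ID=abc123; Path=/realms/demo/; Secure; HttpOnly; SameSite=None",
    "KEYCLOAK_IDENTITY=eyJ...; Path=/realms/demo/; HttpOnly",
    "KEYCLOAK_SESSION=demo/1234/5678; Path=/realms/demo/; SameSite=None",
]
PROD_HEADERS = [
    "AUTH_SESSION_ID=abc123; Path=/realms/demo/; Secure; HttpOnly; SameSite=Strict",
    "KEYCLOAK_IDENTITY=eyJ...; Path=/realms/demo/; Secure; HttpOnly; SameSite=Strict",
]


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Return the cookie name/value plus its attributes (lower-cased keys; flags map to '')."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def audit(header: str) -> List[str]:
    """Findings for one Set-Cookie header, judged as a Chromium-based browser would treat it."""
    c = parse_set_cookie(header)
    same_site, secure, findings = c.get("samesite", "").lower(), "secure" in c, []
    if same_site == "":
        # An absent SameSite attribute is treated as Lax by default in Chromium.
        findings.append("SameSite absent: browser default applies (Lax in Chromium)")
    elif same_site == "none" and not secure:
        # SameSite=None is only honoured together with Secure; otherwise the cookie is dropped.
        findings.append("SameSite=None without Secure: modern browsers reject this cookie")
    elif same_site == "none":
        findings.append("SameSite=None: cookie is sent on cross-site requests (needed for SAML/OIDC redirects)")
    if not secure:
        findings.append("Secure flag missing: cookie is also sent over plain HTTP")
    if "httponly" not in c:
        findings.append("HttpOnly missing: cookie is readable from page scripts")
    return findings


def compare_envs(a: List[str], b: List[str]) -> Dict[str, Tuple[str, str]]:
    """Cookies whose SameSite value differs between two captured environments."""
    sa = {c["name"]: c.get("samesite", "<absent>") for c in map(parse_set_cookie, a)}
    sb = {c["name"]: c.get("samesite", "<absent>") for c in map(parse_set_cookie, b)}
    return {n: (sa.get(n, "<missing>"), sb.get(n, "<missing>"))
            for n in sa.keys() | sb.keys() if sa.get(n) != sb.get(n)}
```

Run `compare_envs(STAGE_HEADERS, PROD_HEADERS)` on real captures (for example from `curl -si` against each environment's login URL) to see which cookies carry a different SameSite value; a difference behind an SSL-terminating proxy points at the request scheme Keycloak sees, not at realm or client settings.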