Keycloak 8.0.2 migration problem vs 'SameSite by default cookie' in Chrome

I’m trying to migrate from version 7.0.0 to version 8.0.2 of the keycloak server.
7.0.0 is in production and working very well for several months.

My application is an Angular (v 8) web application with a spring boot (2.2.4) backend API

with these versions of libs:
keycloak-angular@7.1.0 (latest version)
keycloak-js@7.0.1
keycloak server 8.0.2
Java: keycloak*8.0.2.jar
*** application work well ***

But

first: if I enable: ‘SameSite by default cookie’ in chrome://flags/ I get this error:

VM1457 polyfills.js:6163 POST http://local-iam- int:8180/auth/realms/bondtrader_local/protocol/openid-connect/token 400 (Bad Request)

second: after changing keycloak-js to the latest version (8.0.2 or 8.0.1) I get this error:

Access to XMLHttpRequest at ‘http://local-iam-int:8180/auth/realms/bondtrader_local/protocol/openid-connect/token’ from origin ‘http://local-btclt:4200’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

This CORS error is present with or without ‘SameSite by default cookie’ enable.

Can you help with these questions:

  1. anyone is using keycloak-angular with keycloak 8.0.2
  2. anyone try Keycloak with enable: ‘SameSite by default cookie’ in chrome://flags/

Thanks

Hi,

I’m in the process of setting up a project with Angular + Keycloak 9.0.0 and was reading about the new changes since Keycloak 8.0.2 in the cookie settings needed for updates that are made in Chrome 80+

The release note I mentioned can be found here
https://www.keycloak.org/docs/latest/release_notes/#samesite-cookie-changes-with-upcoming-google-chrome-update

I’ve read also the following https://www.keycloak.org/docs/latest/securing_apps/index.html#session-status-iframe but this doesn’t seem to have any negative effects that I can see for now when developing locally.

As a test I created a new client with the following settings

This setup seems to work, maybe you forgot to set the Web Origins?

My Angular init is as follows:

    await keycloak.init({
      config: keycloakConfig,
      initOptions: {
        onLoad: 'login-required',
        checkLoginIframe: true // true or false doesn't seem to have an impact 
      },
      bearerExcludedUrls: []
    });

I try with a fresh install of 9.0.0 and CORS error still present.
But when I change: Access Type to public error goes away and it work.

Problem seems to be related to “secret” passing between client & server.
I will double check.

If you’re connecting from a Javascript application then it needs to be public.
If you pass a secret through Javascript then it’s not really a secret anymore.

1 Like