Keycloak 9.0.0 - Cookies are not being sent with SameSite=None by the server

Hello, is there any setting I need to change in order for the KC cookies sent by the server will have the SameSite=None attribute?

I’ve successfully added the Secure attribute by changing the Require SSL setting to “all requests” under the Login tab of the Realm settings, but no idea how to make it add the SameSite=None attribute.

Also, all of those cookies are being sent with the HttpOnly attribute if that helps understanding the issue I have

Worth mentioning that I’m having issue with that when running the FE application from localhost in dev env, while the KC server is on a different url and this is what causes the issue, Chrome won’t accept the cookies sent by the KC server because they are missing the SameSite=None attribute

Keycloak version I’m using is 9.0.0

Thanks in advance

I have no perfect answer here but a hint: Keycloak is just a big java web app on the web application server (included) firefly which is a community edition of jboss.
The server defines the basic behavior for many things in its configuration and each app has a configuration as well - which may be dynamic (see your experience with http only).
There may be a chance by learning about this and possibly find a chance to reconfigure if there is no better way.

(Just my first hit on google)

Check out this bug report which seems relevant:

If it’s the same issue then jira says it’s fixed in Keycloak 11 and you should upgrade.

1 Like

Thanks, We’ve updated to version 11.0.0, It seems to be working, KC will not fail the auth but still, I don’t see that the cookies are sent with SameSite=None.
I guess if it works, than it doesn’t really matter though

@gabguy Not all cookies created by Keycloak needs to have SameSite=None, so we added the attribute only to those which break some of the functionality when the default value is used. Others are not accessed in such context which would require it.

Also, refer to the following documentation PR which describes a configuration that may be required on the application server side.

1 Like

Thank you for the answer!