SSO authentication inside an iframe

Hello,
I have two applications, appA and appB, mapped on the same realm to two different clients. Users can successfully authenticate on both and share the auth cookies while browsing from one to the other.
i.e. the user logs in to appA, then follows a link to appB and is automatically authenticated without any login form.
Now I want to open a page from appB inside an iframe in appA. When the appA page is opened, the authentication loops with redirects and finally I get the “Too many redirects” message inside the iframe.
I have configured the Content-security-policy in the realm settings page, adding appA to the frame-ancestors property.
Do you have any idea about the cause of this problem?

Reading posts and documentation I discovered that the Keycloak cookie that is set for appB must have the Samesite=none attribute.
I’ve tested it using Chrome developer tools and magically the iframe gets rendered.
Now I just need some help to configure Keycloak to automatically add the Samesite=none attribute to its cookies.
Is it something that can be done from the Admin console? From the configuration file (docker)? From jboss?

Will this work for you? It’s in Realm settings > Security defenses

Thank you for your hint. Unfortunately that wasn’t the case, because X-Frame-Options has been replaced by the frame-ancestors option inside the Content-Security-Policy attribute and it’s not related to cookie creation.

Anyway I believe that I found a solution to this specific problem: the cookie options are not set by Keycloak, but by the client application.
In my case (a .NET application using the Owin.Security.Keycloak-3 library from MattMorgan) I just had to set these two properties in startup.cs:

using Microsoft.Owin;                   // SameSiteMode
using Microsoft.Owin.Security.Cookies;  // CookieAuthenticationOptions, CookieSecureOption

// In startup.cs: the Owin cookie middleware, not Keycloak, decides the cookie attributes.
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = circularInvestAuthType,
    CookieSameSite = SameSiteMode.None,       // let the auth cookie be sent inside a cross-site iframe
    CookieSecure = CookieSecureOption.Always  // browsers only accept SameSite=None together with Secure (HTTPS)
});
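Since the cookie attributes are set by the client application rather than by Keycloak, the quickest way to confirm the fix is to inspect the Set-Cookie and Content-Security-Policy headers appB actually returns. The Python below is an added example written for this thread, not code from Keycloak or from the Owin library: it classifies Set-Cookie values the way a Chromium browser treats them when the page is loaded in a cross-site iframe, and checks whether a realm CSP frame-ancestors value lets appA frame the page. The header strings and the appa.example.com origin are constructed samples.

```python
from collections import namedtuple
from urllib.parse import urlsplit

# Constructed sample headers, not captured from a real Keycloak or appB deployment.
SAMPLE_SET_COOKIES = [
    "KEYCLOAK_IDENTITY=abc; Path=/auth/realms/demo/; Secure; HttpOnly; SameSite=None",
    ".AspNet.Cookies=xyz; Path=/; HttpOnly; SameSite=Lax",
    "session=123; Path=/; SameSite=None",
]
SAMPLE_CSP = "frame-ancestors 'self' https://appa.example.com"  # constructed realm CSP value

# sent_in_iframe: would a Chromium browser attach the cookie to a cross-site iframe request?
CookieReport = namedtuple("CookieReport", "name samesite secure sent_in_iframe reason")

def parse_set_cookie(header):
    """Return (cookie name, {lower-cased attribute: value}) for one Set-Cookie value."""
    name, *rest = [p.strip() for p in header.split(";")]
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    return name.split("=", 1)[0], attrs

def audit_cookie(header):
    """Classify one Set-Cookie header for use inside a cross-site iframe."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    if samesite == "none" and secure:
        ok, why = True, "SameSite=None; Secure: attached to cross-site iframe requests"
    elif samesite == "none":
        ok, why = False, "SameSite=None without Secure: Chromium rejects the cookie"
    elif samesite in ("lax", "strict"):
        ok, why = False, f"SameSite={samesite}: withheld from iframe (non-top-level) requests"
    else:
        ok, why = False, "SameSite absent: Chromium treats it as Lax, so it is withheld"
    return CookieReport(name, samesite, secure, ok, why)

def frame_ancestors_allows(csp, embedder_origin):
    """True if the CSP frame-ancestors directive lets embedder_origin frame the page."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if not tokens or tokens[0].lower() != "frame-ancestors":
            continue
        sources = [t.strip("'").lower() for t in tokens[1:]]  # 'self' is not resolved here
        if "none" in sources:
            return False
        host = (urlsplit(embedder_origin).hostname or "").lower()
        return "*" in sources or embedder_origin.lower() in sources or host in sources
    return True  # no frame-ancestors directive: CSP does not restrict framing
```

Run `audit_cookie` over the Set-Cookie headers from appB's response in the iframe (Chrome's Network tab shows them) and anything reported as withheld or rejected is a candidate for the redirect loop.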

Hi Jacopo!

I understand that you have two different web applications in one REALM and both can share the same cookie. I am currently trying to set up something similar. We have a web app A and we want to provide a link that redirects to web app B, ideally using the same cookie.

Did you use any specific option for this? I found this option for version 21.0.2 (latest as of now) Securing Applications and Services Guide so we are not sure if we should use it in production.

If you didn’t use this option, could you let me know what you have configured specifically for a) the REALM and for b) both apps, app A and app B.

Best and thanks

Hi,
I’m using an old version of Keycloak (10) and I really don’t want to upgrade it, since it’s working fine.
I’ve left pretty much the default settings for the Realm. Here’s the Security defenses tab:

This is one of the two clients settings page (same as the other one, except for the urls)

AppB (the one where the user is automatically authenticated, if he has a token in AppA) starts the authentication process. I’m posting code from .NET because this is what I’m using:

using Microsoft.Owin.Security;  // AuthenticationProperties

// In AppB: if there is no local session yet, start the Keycloak login and come back to this URL afterwards.
if (!Request.IsAuthenticated)
{
    HttpContext.GetOwinContext().Authentication.Challenge(
        new AuthenticationProperties { RedirectUri = Request.Url.ToString() },
        "KeycloakAuthType");
}

In the above example “KeycloakAuthType” is the name of the authentication defined in startup.cs.

If you have any specific question let me know.
