I have my website (https://myapp.mycompany.com) that needs to be protected, and I use keycloak's OIDC workflow to perform user authentication. I use nginx / openresty to accept any http requests sent to https://myapp.mycompany.com, and openresty calls keycloak's endpoint (https://iam.mycompany.com/*) to perform the authentication.
The login process goes like this:
Step 1:
When I enter the url (www.myapp.mycompany.com) in the browser, the GET http request will get a response that redirects me to keycloak's page to enter username and password:
https://iam.mycompany.com/auth/realms/myapp/protocol/openid-connect/auth?response_type=code&client_id=myapp&state=1uhd87f1y34851u43807r&redirect_uri=https%3A%2F%2Fwww.mywebsite.com%2Fredirect_uri&nonce=905u24p8yhr27834y8249135&scope=openid%20email%20profile
Step 2:
When I enter my username and password at the above url, the keycloak service verifies the credentials and returns the following response with the authorization code:
location header:
https://www.myapp.mycompany.com/redirect_uri?state=3452wrfdfye56y35&session_state=345265fgw45gvrtye56&code=8904ujdf8qhy347ty48jfq896347y583jedf897q345
* Set-Cookie: KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/myapp/; Secure; HttpOnly
* Set-Cookie: KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/myapp/; Secure; HttpOnly
* Set-Cookie: KEYCLOAK_IDENTITY=InN1YiI6ImY4YzMwYzY2LTZiNTItNGZjOC1iYmFiLWJiOTAyZWE3ZjE3MSIsInR5cCI6IlNlcmlhbGl6ZWQtSUQiLCJzZXNzaW9uX3N0Y; Version=1; Path=/auth/realms/myapp/; SameSite=None; Secure; HttpOnly
* Set-Cookie: KEYCLOAK_IDENTITY_LEGACY=324534589ejfnjxbfyqe...; Version=1; Path=/auth/realms/myapp/; Secure; HttpOnly
* Set-Cookie: KEYCLOAK_SESSION=myapp/374895839hf34fhs89yd8f934; Version=1; Expires=Wed, 13-Jan-2021 00:54:57 GMT; Max-Age=129600; Path=/auth/realms/myapp/; SameSite=None; Secure
* Set-Cookie: KEYCLOAK_SESSION_LEGACY=myapp/736413hr7fbuh457134; Version=1; Expires=Wed, 13-Jan-2021 00:54:57 GMT; Max-Age=129600; Path=/auth/realms/myapp/; Secure
* Set-Cookie: KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/myapp/; Secure; HttpOnly
Step 3:
The browser will make a request to the above url (in step 2) and it will get a response with 2 response cookies:
session: qEK7aLdr8k7e3s52M0hQMCjMH40SYpasAoydu... domain: .mywebsite.com
session_2: h-5o_oWIRdoReypUwYY2YsLS_A... domain: .mywebsite.com
Step 4:
At this point, the authentication is finished. For any future http requests made to www.mywebsite.com/*, the browser will send the 2 tokens (session and session_2) along with the request and I can visit the resource.
I have searched the internet and the keycloak documentation and cannot find any information about the 2 tokens with the names session and session_2.
What are they and why are they named session and session_2?
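The four steps above, modelled from the relying party's side as an added example (this is plain Python written for this page, not the poster's OpenResty configuration and not Keycloak or OpenResty code). It builds the step-1 authorization request with the same parameters as the post, checks on the step-2 callback that the returned state matches the one that was sent before the code is accepted, and then shows one common way a proxy ends up setting a `session` cookie plus a `session_2` cookie: a signed session value that exceeds a per-cookie size limit is split into numbered chunks and reassembled on later requests. The cookie name `session`, the 4000-byte chunk limit, the signing key and the session contents are all assumptions made for the illustration; whether the poster's stack chunks cookies for this reason is not something the post confirms.

```python
"""Relying-party side of the authorization-code flow from the post, in plain Python.
Added example for this page; not the poster's proxy configuration."""
import base64
import hmac
import json
import secrets
import urllib.parse

ISSUER = "https://iam.mycompany.com/auth/realms/myapp"          # from the post
CLIENT_ID = "myapp"                                            # from the post
REDIRECT_URI = "https://www.myapp.mycompany.com/redirect_uri"  # from the post (step 2)
COOKIE_NAME = "session"           # assumption: base cookie name chosen by the proxy
COOKIE_MAX = 4000                 # assumption: max chars per cookie before chunking
SECRET = secrets.token_bytes(32)  # assumption: proxy-side key that MACs the session


def build_auth_request(scope="openid email profile"):
    """Step 1: build the redirect to Keycloak; state and nonce are kept server-side."""
    pending = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "state": pending["state"],
        "redirect_uri": REDIRECT_URI,
        "nonce": pending["nonce"],
        "scope": scope,
    }
    # safe="" with quote encodes "/" as %2F and " " as %20, matching the post's URL
    query = urllib.parse.urlencode(params, safe="", quote_via=urllib.parse.quote)
    return f"{ISSUER}/protocol/openid-connect/auth?{query}", pending


def handle_callback(location, pending):
    """Steps 2-3: parse the Location Keycloak redirected to; refuse the code on a state mismatch."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(location).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, pending["state"]):
        raise ValueError("state mismatch: stale login or cross-site request")
    return query["code"][0]  # the code is then exchanged at the token endpoint


def encode_session(data):
    """MAC the serialized session and split it into session, session_2, ... if too long."""
    body = json.dumps(data, separators=(",", ":")).encode()
    mac = hmac.new(SECRET, body, "sha256").hexdigest()
    value = base64.urlsafe_b64encode(body).decode().rstrip("=") + "." + mac
    chunks = [value[i:i + COOKIE_MAX] for i in range(0, len(value), COOKIE_MAX)]
    return {COOKIE_NAME if n == 1 else f"{COOKIE_NAME}_{n}": chunk
            for n, chunk in enumerate(chunks, start=1)}


def set_cookie_headers(cookies, domain=".myapp.mycompany.com"):
    """Step 3: the headers the proxy would emit on the callback response."""
    return [f"Set-Cookie: {name}={value}; Domain={domain}; Path=/; Secure; HttpOnly; SameSite=Lax"
            for name, value in cookies.items()]


def decode_session(cookies):
    """Step 4: reassemble the chunks in order and verify the MAC before trusting the content."""
    parts = [cookies[COOKIE_NAME]]
    n = 2
    while f"{COOKIE_NAME}_{n}" in cookies:
        parts.append(cookies[f"{COOKIE_NAME}_{n}"])
        n += 1
    b64, _, mac = "".join(parts).rpartition(".")
    body = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    if not hmac.compare_digest(hmac.new(SECRET, body, "sha256").hexdigest(), mac):
        raise ValueError("session cookie tampered with or signed with another key")
    return json.loads(body)


if __name__ == "__main__":
    url, pending = build_auth_request()
    code = handle_callback(f"{REDIRECT_URI}?state={pending['state']}&session_state=x&code=abc", pending)
    # constructed session: a large id_token pushes the value past one cookie
    cookies = encode_session({"sub": "f8c30c66", "code": code, "id_token": "x" * 3000})
    print("\n".join(set_cookie_headers(cookies)))
    print(sorted(cookies))  # ['session', 'session_2']
```

The check in `handle_callback` is the one worth keeping in mind when reading the step-2 redirect: the `state` that comes back must equal the `state` that was sent in step 1, or the code must not be exchanged. The chunking in `encode_session` is only an illustration of how a second cookie with a `_2` suffix can arise; what the poster's proxy actually stores under these names is not established by the post.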