Keycloak SameSite Cookie Attribute

Cookie anyone?

The latest version of the Google Chrome browser has activated default setting for SameSite cookies. Cookies that don’t specify a SameSite attribute are treated as if they were SameSite=Lax. Sites must specify SameSite=None in order to enable third-party usage.

Google has warned previously when this change will take effect. I believe we are not the only developers who missed this information and started having problems recently.

The change has broken our web applications Keycloak authentication the day it went live. Finding the problem wasn’t easy as Google Chrome browser update is not done immediately when a new version is released. Therefore, in the beginning, only a few of our users were experiencing authentication failures, while the developers could not reproduce the problem.

The solution in our case

To solve the problem you need to install Keycloak version 8.0.2 which already addresses the problem.

As long as the Keycloak server is not upgraded you can instruct your users to disable the ‘SameSite by default cookies’ flag in Google Chrome by navigating to chrome://flags/ and disable the setting:

Testing your site

Testing your site for this problem is simple thanks to a new feature in Google Chrome developer tools.

Checkbox to filter for problematic requests.

Note: I’ve been getting a lot of hits on this article recently, might be you are having the same logon redirect loop issue I have been dealing with recently.

Programming in assembly, c, c++, java, javascript, typescript. Interested in 3d graphics, visual effects, demoscene, dsp, c64, cycling, climbing…