Does the Domain attribute affect SameSite on an http cookie? - rest

Will a CORS request set/send a cookie with SameSite=Strict if the cookie's domain attribute is set to the client's domain?
For example, if I make a request from cors.com to cors-api.com, will this configuration allow my cookie to be set and sent?
Set-Cookie: MY_KEY=<MY_VALUE>; Secure; HttpOnly; Domain=cors.com; SameSite=Strict;

No, you cannot set a Domain value that does not match the site setting the cookie - the browser should reject this.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#Invalid_domains
The Domain is used to control if the cookie will be sent for subdomains of the originating site.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Scope_of_cookies
If you need cookies to be sent in a cross-site context, they must be set with SameSite=None; Secure.
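As an added illustration (not code from the question or the answer above), the following JavaScript models the two browser decisions the answer describes: whether a Set-Cookie with a foreign Domain is stored at all, and whether a stored cookie is attached to a cross-site request depending on its SameSite value. Domain matching follows RFC 6265 section 5.1.3; public-suffix handling and the Lax top-level-navigation rule are simplified, and the cookie value is constructed.

```javascript
// Added example, not from the original question or answer. Domain matching follows
// RFC 6265 section 5.1.3: the Domain attribute must be the response host itself or a
// parent of it. Public-suffix and Lax navigation details are deliberately simplified.

function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Parse "NAME=VALUE; Attr; Attr=val" into a plain object with the attributes we need.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim()).filter(Boolean);
  const eq = nameValue.indexOf("=");
  const cookie = { name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1),
                   domain: null, secure: false, httpOnly: false, sameSite: "Lax" };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "domain") cookie.domain = v;
    else if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.sameSite = v;
  }
  return cookie;
}

// Does the browser store this cookie when responseHost sends it?
function isAccepted(cookie, responseHost) {
  if (cookie.domain && !domainMatches(responseHost, cookie.domain)) return false;
  if (cookie.sameSite.toLowerCase() === "none" && !cookie.secure) return false;
  return true;
}

// Is a stored cookie attached to a request? crossSite is true when the page making
// the request (cors.com) is a different site from the target (cors-api.com).
function wouldBeSent(cookie, crossSite, method = "GET") {
  switch (cookie.sameSite.toLowerCase()) {
    case "strict": return !crossSite;
    case "none":   return cookie.secure;
    default:       return !crossSite || method === "GET"; // Lax, or unspecified
  }
}

// The cookie from the question as cors-api.com would send it (value constructed) ...
const asked = parseSetCookie("MY_KEY=abc; Secure; HttpOnly; Domain=cors.com; SameSite=Strict;");
// ... and the shape the answer recommends for a cross-site API.
const fixed = parseSetCookie("MY_KEY=abc; Secure; HttpOnly; Domain=cors-api.com; SameSite=None");
```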

Nuxt axios request without cookies specific uri

This project is on Nuxt.js.
I don't think it is important, but maybe it can be a clue.
I need to get order detail information using axios and the URL below.
/users/orders/d/20210806000349
But it's very weird, because axios sends the request to that URL without cookies.
Of course I have already set withCredentials: true.
When I change that URL to /20210806000349 everything is okay.
Can someone help me with this?
I need more detail about the domains, but maybe the API domain and the Nuxt domain are different. In this case you should care about CORS.
What is CORS?
Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading of resources. CORS also relies on a mechanism by which browsers make a "preflight" request to the server hosting the cross-origin resource, in order to check that the server will permit the actual request. In that preflight, the browser sends headers that indicate the HTTP method and headers that will be used in the actual request.
MDN
What happens if you request a foreign domain?
The user agent sends an OPTIONS request to the foreign host.
The foreign host sends a response with some headers.
The user agent looks at the Access-Control-Allow-Origin header, and if its value is not equal to your domain, it blocks the request.
If the request's withCredentials is true, it looks at the Access-Control-Allow-Credentials header, and if its value is true, it sends the request with cookies; otherwise it sends the request without cookies.
Figured it out myself.
A GET request also triggers a preflight OPTIONS request if the domain is different,
but in this case Chrome doesn't show the OPTIONS request.
I checked this on Firefox.
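As an added example (not code from anyone in this thread), the JavaScript below reduces the browser-side CORS logic described in the answer to two functions: whether a request is preflighted at all, and how the Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers are evaluated for a credentialed (withCredentials: true) request. The origins and response headers are constructed.

```javascript
// Added example, not from the thread above: the decision a browser makes for an axios
// request from one origin to another, reduced to the header checks the answer lists.
// Origins and response headers below are constructed.

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Is a preflight OPTIONS needed? GET/HEAD/POST with only "simple" headers are not
// preflighted; withCredentials alone never triggers one, but a custom header does.
function needsPreflight(method, requestHeaders = {}) {
  const simpleHeaders = ["accept", "accept-language", "content-language", "content-type"];
  const simpleTypes = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];
  if (!["GET", "HEAD", "POST"].includes(method.toUpperCase())) return true;
  for (const [k, v] of Object.entries(requestHeaders)) {
    const key = k.toLowerCase();
    if (!simpleHeaders.includes(key)) return true;
    if (key === "content-type" && !simpleTypes.includes(v.split(";")[0].trim().toLowerCase())) return true;
  }
  return false;
}

// Given the page origin, the withCredentials flag and the server's CORS headers, return
// whether the page may read the response (allowed) and whether the server opted in to
// cookies for this origin (credentialed).
function corsDecision(pageOrigin, withCredentials, responseHeaders) {
  const h = Object.fromEntries(Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v]));
  const allowOrigin = h["access-control-allow-origin"];
  const allowCreds = h["access-control-allow-credentials"];
  if (!withCredentials) {
    const ok = allowOrigin === "*" || allowOrigin === pageOrigin;
    return { allowed: ok, credentialed: false, reason: ok ? "ok" : "origin not allowed" };
  }
  // With credentials the wildcard is rejected and the origin must match exactly ...
  if (allowOrigin !== pageOrigin) {
    return { allowed: false, credentialed: false,
             reason: allowOrigin === "*" ? "wildcard origin not allowed with credentials" : "origin not allowed" };
  }
  // ... and Access-Control-Allow-Credentials must be literally "true".
  if (allowCreds !== "true") {
    return { allowed: false, credentialed: false, reason: "Access-Control-Allow-Credentials missing" };
  }
  return { allowed: true, credentialed: true, reason: "ok" };
}
```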

Can we set HttpOnly flag to KEYCLOAK_SESSION cookie?

Why does the KEYCLOAK_SESSION cookie in Keycloak not have the HttpOnly flag set in the first place, unlike the other cookies?
As #besverino mentions in his comment, Keycloak doesn't allow setting the HttpOnly flag on KEYCLOAK_SESSION because Keycloak needs to access the cookie from an iframe. The comment on this part of the Keycloak code is:
THIS SHOULD NOT BE A HTTPONLY COOKIE! It is used for OpenID Connect Iframe Session support!
References:
https://github.com/keycloak/keycloak/blob/16.1.1/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java#L751
https://lists.jboss.org/pipermail/keycloak-user/2017-September/011882.html

Keycloak - Retrieve JWT token via OIDC Endpoint

I'm currently trying to retrieve a user token from the Keycloak token endpoint using a POST request (instead of using one of the designated adapters). I have set up a Keycloak realm and added my own machine as a client. In the documentation the Token Endpoint is described as:
/realms/{realm-name}/protocol/openid-connect/token
As far as I have read in the OpenID specification, I will need to set the body parameter grant_type=authorization_code as well as the parameters code and redirect_uri. I will also need to set the Authorization header, for which I will need a Basic token.
So far I get the response:
"error": "unauthorized_client", "error_description":
"INVALID_CREDENTIALS: Invalid client credentials"
Where do I get the Basic Authorization token from? I expected that I need to provide a username and a password, since the JWT token is what I'm trying to receive as the response. Do I need to set the redirect_url if I just want to request a token?
Keycloak offers more than one way to retrieve a user access token, following the OpenID Connect spec. Here are the steps to do it for the Authorization Code flow (the one recommended for web applications) according to the OpenID Connect spec: https://rograce.github.io/openid-connect-documentation/explore_auth_code_flow
Basically, if you're not using any adapter, when detecting a request to some protected resource you should:
Perform a redirection to the Keycloak login page (keep in mind Keycloak uses the REALM entity, so you'll need to specify it too):
HTTP/1.1 302 Found
Location: https://mykeycloakinstance.org/auth/realms/demo/protocol/openid-connect/auth?
response_type=code
&scope=openid
&client_id=s6BhdRkqt3
&state=af0ifjsldkj
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
You'll need to keep the state value in the client, as it needs to survive the redirection process:
It is recommended that clients use this parameter to maintain state between the request and the callback. Typically, Cross-Site Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a browser cookie.
You don't interact with usernames/passwords. The Keycloak authentication page does. Once the login is successful, it will redirect to your page with a valid code:
HTTP/1.1 302 Found
Location: https://client.example.org/cb?
code=SplxlOBeZQQYbYS6WxSbIA
&state=af0ifjsldkj
Here you'll need both to check that the state is the one you originally sent (you may need to track it through the web session, using cookies) and to obtain the token using that code. You do a POST to the authorization endpoint with this code:
POST /auth/realms/demo/protocol/openid-connect/token HTTP/1.1
Host: mykeycloakinstance.org
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
This is the flow in summary; I haven't tested the code myself, so use it as an example and don't hesitate to fix it if you consider it necessary ;-)
See also:
What are Keycloak's OAuth2 / OpenID Connect endpoints?

CSRF sync token vs Origin/Referer URL

Given that the Origin, Referer and Host headers cannot be spoofed by JavaScript,
is there a strong reason to use the synchronizer token pattern over just using the Origin, Referer and Host headers for CSRF prevention on (POST, DELETE, PUT) requests?

http cache-control and authentication

I would like to ask if anyone has been solving client (browser) side caching of authenticated content.
Task:
cache the CONTENT for non-authenticated users
cache the CONTENT for authenticated users
There is a challenge here, as you want to make sure that those calls are not shared between different authenticated users / non-authenticated users.
I read something that the HTTP header Vary: Authenticated can be used, but I haven't seen any good example or explanation.