I am working with Keycloak and have some pertinent questions.
Upon successful login, where is the session-related data (cookies or other) stored - localStorage or sessionStorage? And what are the cookie names (keys)? And what if the user has turned off cookies?
Thanks
Keycloak typically uses cookies to manage sessions and store tokens on the client side. Those cookies are mostly "secure HTTP-only domain-bounded" cookies.
Keycloak can "potentially" work cookieless but it's not recommended nor officially supported (to my knowledge). And honestly I would not worry about it, as cookies and tokens can be made secure enough in all scenarios as soon as best practices are implemented. Instead, one important consideration would rather be about the choice of using a Public client (i.e. for a public Single-Page Application), which is less secure than using Confidential clients with a traditional Web app. -> Less secure but not insecure.
Regarding your questions:
Cookie Storage (and names)
Keycloak stores session-related information in cookies. Specifically, the KEYCLOAK_SESSION cookie is used to store the session state. The KEYCLOAK_IDENTITY cookie may also be used to store identity-related information.
Session Storage
Keycloak doesn't typically rely on localStorage or sessionStorage for storing session-related data on the client side. Instead, it uses HTTP(-only) cookies.
Cookieless Operation
If the user has cookies disabled, maybe Keycloak could still be able to maintain sessions using URL parameters (kc-restart in the URL), but I didn't find any official documentation about it. I don't think there's an off-the-shelf solution.
Authorization Code Flow and Public Clients
In the Authorization Code Flow, especially for public clients (like single-page applications running in a web browser), tokens are typically returned to the browser, and they should be stored securely by the client application. They are often stored in memory, localStorage/sessionStorage or other secure storage mechanisms provided by the browser or the application framework. Another option is to store tokens in cookies (with proper XSRF protection). Have a look here: https://blog.angular-university.io/angular-jwt-authentication/
If you are using Angular you could have a look at ngx-webstorage or angular2-jwt. In addition to the secure storage, it's crucial to follow best practices to prevent token leakage or unauthorized access (expiry time, scope, audience...).