
change Keycloak cookie domain to support the parent domain


Let's say we have a domain on www.example.com and the auth server is on auth.example.com.

After login, it sets some cookies with these values:

  • Domain: auth.example.com
  • Path: /realms/my-realm/

I need to access the cookies on www.example.com as well. Any idea how to ask Keycloak to support the parent domain? (I have a feeling Path is the problem here, but I couldn't find a way to change it from the KC config.)


Solution

  • Changing the Keycloak cookie domain or path is not supported. The Keycloak cookie will always be scoped to the realm's domain and path.

    For some context:

    That cookie must only be used by the Keycloak Realm.
    Your app at www.example.com must set its own cookie.

    When a user attempts to login:

    1. Your app will send that user to the appropriate Keycloak realm.

    2. Once the user logs in (i.e. successfully authenticates) at the Keycloak realm:

      1. Keycloak will set a cookie to remember this.
        (You can configure cookie settings such as the cookie expiration within Keycloak.)
      2. The user will be redirected back to your app with some information in the URL.
        (The URL the user must be redirected to is also configured within Keycloak.)
    3. Your app will use this information in the URL to verify that the authentication was indeed successful.

    4. After verification, your app will now set a cookie.

    Your application will now use the cookie set by your application for authentication. Of course, you can use a JWT token, etc. You are not limited to cookies. The point here is, you use your cookie, the Keycloak realm uses its cookie.

    I basically just described the OpenID Connect Authorization Code Flow above. I recommend reading about it. Most languages have an implementation you should be able to use with very little code.
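As an added illustration (not part of the original answer, and not Keycloak's or any library's code), the following hypothetical Python relying party models the four steps described above: build the authorization request with state, nonce and PKCE, validate the callback and the ID token, then set a cookie the app itself owns on the parent domain. The realm URL, client id, redirect URI, cookie key and the stand-in token endpoint are all assumptions; in production the ID token signature would be checked with a JOSE library against the realm's JWKS endpoint rather than the HS256 stand-in used here to keep the example offline.

```python
"""Offline model of the flow in the answer: the app completes the OIDC
Authorization Code flow with the realm, verifies the result, then sets a
cookie it owns on the parent domain. Keycloak's own cookie is never read.
Hostnames, client id and keys below are assumptions, not real values."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode

REALM = "https://auth.example.com/realms/my-realm"      # assumption
CLIENT_ID = "www-app"                                  # assumption
REDIRECT_URI = "https://www.example.com/oidc/callback" # assumption
APP_COOKIE_KEY = b"replace-with-32-random-bytes"        # assumption: app-owned key


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_authorization_url(session: dict) -> str:
    """Step 1: redirect the user to the realm. state/nonce/PKCE verifier stay
    in the app's server-side session so the callback can be checked."""
    session["state"] = secrets.token_urlsafe(32)
    session["nonce"] = secrets.token_urlsafe(32)
    session["code_verifier"] = secrets.token_urlsafe(64)
    challenge = _b64url(hashlib.sha256(session["code_verifier"].encode()).digest())
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid",
              "state": session["state"], "nonce": session["nonce"],
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{REALM}/protocol/openid-connect/auth?{urlencode(params)}"


def handle_callback(query: str, session: dict, exchange_code, verify_signature) -> dict:
    """Steps 2-3: the realm redirected back with ?code=&state=. Check state,
    redeem the code at the token endpoint (exchange_code), validate the ID token."""
    q = parse_qs(query)
    if q.get("state", [None])[0] != session.pop("state", None):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    tokens = exchange_code(code=q["code"][0], code_verifier=session.pop("code_verifier"))
    id_token = tokens["id_token"]
    if not verify_signature(id_token):          # production: RS256 via the realm's JWKS
        raise ValueError("ID token signature invalid")
    claims = json.loads(_b64url_decode(id_token.split(".")[1]))
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if claims.get("iss") != REALM:
        raise ValueError("unexpected issuer")
    if CLIENT_ID not in aud:
        raise ValueError("ID token not issued to this client")
    if claims.get("exp", 0) <= int(time.time()):
        raise ValueError("ID token expired")
    if claims.get("nonce") != session.pop("nonce", None):
        raise ValueError("nonce mismatch")
    return claims


def app_session_cookie(claims: dict, max_age: int = 3600) -> str:
    """Step 4: the app's own HMAC-signed cookie, scoped to the parent domain
    so www.example.com (and sibling hosts) can read it. Not a Keycloak cookie."""
    body = _b64url(json.dumps({"sub": claims["sub"],
                               "exp": int(time.time()) + max_age}).encode())
    sig = _b64url(hmac.new(APP_COOKIE_KEY, body.encode(), hashlib.sha256).digest())
    return (f"app_session={body}.{sig}; Domain=example.com; Path=/; "
            f"Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax")


def demo_login() -> str:
    """Run the whole flow against a constructed stand-in for the realm so the
    example works offline. Real Keycloak signs ID tokens with RS256; the
    stand-in uses HS256 with a made-up key purely to stay self-contained."""
    realm_key = b"constructed-realm-key"
    session: dict = {}
    build_authorization_url(session)               # user is sent to the realm
    issued_nonce = session["nonce"]               # the realm echoes the nonce back

    def exchange_code(code, code_verifier):        # constructed token endpoint
        assert code == "constructed-code" and len(code_verifier) > 43
        hdr = _b64url(b'{"alg":"HS256","typ":"JWT"}')
        body = _b64url(json.dumps({"iss": REALM, "aud": CLIENT_ID, "sub": "user-123",
                                   "exp": int(time.time()) + 300,
                                   "nonce": issued_nonce}).encode())
        sig = _b64url(hmac.new(realm_key, f"{hdr}.{body}".encode(), hashlib.sha256).digest())
        return {"id_token": f"{hdr}.{body}.{sig}"}

    def verify_signature(token):
        hdr, body, sig = token.split(".")
        good = _b64url(hmac.new(realm_key, f"{hdr}.{body}".encode(), hashlib.sha256).digest())
        return hmac.compare_digest(sig, good)

    callback_query = urlencode({"code": "constructed-code", "state": session["state"]})
    claims = handle_callback(callback_query, session, exchange_code, verify_signature)
    return app_session_cookie(claims)
```

The point the answer makes shows up in the last function: the Set-Cookie header carries `Domain=example.com`, which is the app's choice and has nothing to do with the `auth.example.com` / `/realms/my-realm/` scope of Keycloak's own cookie. The state and nonce checks are what make step 3 a real verification rather than trusting whatever arrives on the callback URL.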