Describe the bug
I'm experiencing a strange behaviour in my Node JS application using `openid-client`. In summary, my application is on `my-domain.co.uk` while the identity manager (in my case Keycloak) is on `my-identity.co.uk`. After logging in, I receive this error inside the auth callback:
After several tests, I have discovered that the solution is to change how my express session cookie is saved from:
to:
As you can see from above, I only flipped `sameSite` from `true` to `false`. A similar problem was reported here: https://stackoverflow.com/questions/63259184/node-with-express-session-issue
My solution seemed to have worked; however, since my cookie is now `sameSite: false`, it is also being sent to other domains, causing potential security concerns. Is there a way to control this behaviour only for requests which involve Keycloak, given that it's not unusual to have the application and identity manager on different domains?
Thanks!
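An added example, not code from the issue or from openid-client, that models the browser's SameSite rules for the express-session cookie on the redirect back from the identity provider; the hostnames, the request shapes and the `evaluate` helper are assumptions. It also covers the `'lax'` setting, which express-session accepts and which lets the cookie through on the top-level GET callback without sending it on cross-site POSTs.

```javascript
// Added example (not from the issue or from openid-client): models how a
// browser's SameSite rules decide whether the express-session cookie is
// attached to the OIDC redirect coming back from the identity provider.

// express-session accepts sameSite: true | false | 'strict' | 'lax' | 'none';
// true is serialized as SameSite=Strict and false omits the attribute.
function normalizeSameSite(value) {
  if (value === true) return 'strict';
  if (value === false || value === undefined) return 'unspecified';
  const v = String(value).toLowerCase();
  if (!['strict', 'lax', 'none'].includes(v)) throw new Error(`bad sameSite: ${value}`);
  return v;
}

// Decide whether a cookie with these options is sent on a request.
// req: { crossSite, topLevelNavigation, method: 'GET'|'POST', https }
function cookieIsSent(cookieOpts, req) {
  const mode = normalizeSameSite(cookieOpts.sameSite);
  if (cookieOpts.secure && !req.https) return false; // Secure cookies need HTTPS
  if (!req.crossSite) return true;                   // same-site requests always get it
  switch (mode) {
    case 'strict': return false;                     // never on a cross-site request
    case 'lax':    return req.topLevelNavigation && req.method === 'GET';
    case 'none':   return Boolean(cookieOpts.secure); // None is rejected without Secure
    default:       return true;                       // attribute omitted: sent everywhere (legacy rule)
  }
}

// The scenario from the issue (hypothetical hostnames): the browser lands on
// https://my-domain.co.uk/auth/callback via a top-level redirect issued by
// my-identity.co.uk, so the request is cross-site, top-level and GET.
const callbackFromKeycloak = { crossSite: true, topLevelNavigation: true, method: 'GET', https: true };
// A cross-site POST from an unrelated origin: the exposure the report worries about.
const crossSitePost = { crossSite: true, topLevelNavigation: true, method: 'POST', https: true };

// Summarise one cookie configuration against both requests.
function evaluate(cookieOpts) {
  return {
    callbackWorks: cookieIsSent(cookieOpts, callbackFromKeycloak),
    sentOnCrossSitePost: cookieIsSent(cookieOpts, crossSitePost),
  };
}
```

`sameSite: true` blocks the callback entirely, `sameSite: false` fixes it but also attaches the cookie to cross-site POSTs, while `sameSite: 'lax'` keeps the callback working and leaves the cookie off cross-site POSTs.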