panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

Application and Identity manager on different domains #663

Closed eugeniosegala closed 8 months ago

eugeniosegala commented 8 months ago

Describe the bug

I'm experiencing a strange behaviour in my Node.js application using openid-client.

In summary, my application is on my-domain.co.uk while the identity manager (in my case Keycloak) is on my-identity.co.uk.

After logging in, I receive this error inside the auth callback:

Error: did not find expected authorization request details in session, req.session["oidc:my-identity.co.uk"] is undefined

After several tests, I have discovered that the solution is to change how my express session cookie is saved from:

expressApp.use(
  session({
    cookie: {
      sameSite: true, // serialised by express-session as SameSite=Strict
    },
    // more code...
  })
);

to

expressApp.use(
  session({
    cookie: {
      sameSite: false, // no SameSite attribute is written; the browser applies its default
    },
    // more code...
  })
);

As you can see from above, I only flipped sameSite from true to false.

A similar problem was reported here: https://stackoverflow.com/questions/63259184/node-with-express-session-issue

My solution seemed to have worked; however, since my cookie is now sameSite: false, it is also being sent to other domains, causing potential security concerns.

Is there a way to control this behaviour only for requests which involve Keycloak, given that it's not unusual to have the application and the Identity manager on different domains?

Thanks!
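As an added illustration (not part of the issue and not openid-client code), the following models the browser's SameSite rule and applies it to the redirect from the identity provider back to the application's callback described above. The hostnames my-domain.co.uk and my-identity.co.uk are taken from the issue; the site comparison, the request shape and the `CALLBACK_REDIRECT` sample are constructed for the example.

```javascript
// Added example: a minimal model of the SameSite cookie rule, used to show why
// a session cookie set with SameSite=Strict never reaches the OIDC callback.

// "Site" = registrable domain. Real browsers consult the Public Suffix List;
// here we assume a two-label public suffix (.co.uk), which fits these hosts.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-3).join('.');
}

/**
 * Decide whether a cookie carrying the given SameSite attribute is attached to a request.
 *   attr: 'strict' | 'lax' | 'none'
 *         (express-session `sameSite: true` writes Strict; `false` writes no attribute
 *          and leaves the decision to the browser's default)
 *   req:  { target, initiator, method, topLevel, secure }  -- constructed shape
 * The initiator is modelled as the site that issued the redirect.
 */
function cookieIsSent(attr, req) {
  if (siteOf(req.target) === siteOf(req.initiator)) return true; // same-site: always sent
  switch (attr) {
    case 'strict': return false;                                   // never on cross-site requests
    case 'lax':    return req.topLevel && req.method === 'GET';   // top-level navigations only
    case 'none':   return req.secure === true;                    // browsers require Secure with None
    default:       throw new Error(`unknown SameSite value: ${attr}`);
  }
}

// The OIDC callback: Keycloak on my-identity.co.uk answers the login with a 302 to
// https://my-domain.co.uk/callback. From the browser's view this is a cross-site,
// top-level GET navigation, exactly the case Lax allows and Strict blocks.
const CALLBACK_REDIRECT = {
  target: 'my-domain.co.uk',
  initiator: 'my-identity.co.uk',
  method: 'GET',
  topLevel: true,
  secure: true,
};

// Outcome of the callback for each attribute value.
function callbackOutcomes() {
  return {
    strict: cookieIsSent('strict', CALLBACK_REDIRECT), // false: session not found, "oidc:... is undefined"
    lax:    cookieIsSent('lax', CALLBACK_REDIRECT),    // true:  callback works, POST requests still protected
    none:   cookieIsSent('none', CALLBACK_REDIRECT),   // true:  works, but the cookie rides along on every cross-site request
  };
}
```

The point for a session cookie is that the attribute is fixed when the cookie is issued, so the choice is between Strict, Lax and None for the whole session, not per identity-provider request.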

panva commented 8 months ago

Well, it's your session mechanism, your rules and your means of managing its configuration.