Stuck

Reputation: 12292

HttpOnly cookies not set

Having this setup:

Users can "login" / obtain a token on the SPA by sending their username + password to:

http://localhost:9990/auth/realms/w/protocol/openid-connect/token

Then I call another URL on the auth-server that should set the cookies that Keycloak needs for SSO/remember-me (it should set some HttpOnly cookies):

// continuation of the promise chain that follows the token request above
.then(t => keycloakInstance.init({
  token: t.access_token,
  refreshToken: t.refresh_token,
  checkLoginIframe: false, // required to init with token
})
.then((authenticated) => {
  console.log('auth', authenticated); // <-- it is true
  if (authenticated) {
    return fetch('http://localhost:9990/auth/realms/w/custom-sso-provider/sso', {
      headers: { Authorization: `Bearer ${keycloakInstance.token}` },
    });
  }
  // else
}));

The request itself seems fine, the Set-Cookie occurs as I would expect; this is the response header:

[image: response header]

I would now expect them to occur in devtools > Application > cookies, but unfortunately no cookies show up. Why? And what can I do about it?

Upvotes: 0

Views: 1206

Answers (1)

Stuck

Reputation: 12292

I was missing credentials: 'include' for the fetch call:

return fetch('http://localhost:9990/auth/realms/w/custom-sso-provider/sso', {
  headers: { Authorization: `Bearer ${keycloakInstance.token}` },
  credentials: 'include',
});

Upvotes: 2
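The answer fixes the browser side, but `credentials: 'include'` on a cross-origin fetch only works when the auth-server's CORS response cooperates: it must echo the exact SPA origin (a wildcard `*` is rejected for credentialed requests) and send `Access-Control-Allow-Credentials: true`, otherwise the browser blocks the response. The example below is added here and is not code from the question, the answer or Keycloak; it shows the client-side request options from the answer next to a minimal server-side handler that issues an HttpOnly cookie the browser will actually keep. It assumes the SPA origin is `http://localhost:3000` (a placeholder; only the auth-server on `localhost:9990` appears in the question), and the cookie name `SSO_SESSION` and the `handle`/`corsHeadersFor`/`ssoCookie` helpers are hypothetical names chosen for this example.

```javascript
// Added example, not from the original post. Assumed SPA origin (placeholder):
const ALLOWED_ORIGINS = new Set(['http://localhost:3000']);

// Browser side, the answer's fix: without credentials: 'include' a cross-origin
// fetch neither sends cookies nor stores the response's Set-Cookie.
function ssoRequestInit(token) {
  return { headers: { Authorization: `Bearer ${token}` }, credentials: 'include' };
}

// Server side: CORS headers for a credentialed request. The browser only exposes
// the response (and keeps its Set-Cookie) when the server reflects the exact
// origin and allows credentials; "*" is refused for credentialed requests.
function corsHeadersFor(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return null; // unknown origin: no CORS headers at all
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Headers': 'Authorization',
    'Vary': 'Origin', // caches must not reuse this reflected value for other origins
  };
}

// Build the Set-Cookie value. HttpOnly keeps the cookie out of document.cookie,
// but a stored HttpOnly cookie is still listed in devtools > Application > Cookies.
// SameSite=Lax is enough here because both localhost ports are the same site;
// a SPA on a different site would need SameSite=None together with Secure.
function ssoCookie(name, value, { secure = false } = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'HttpOnly', 'SameSite=Lax'];
  if (secure) parts.push('Secure');
  return parts.join('; ');
}

// Request handler shaped like Node's http.createServer callback (req, res).
function handle(req, res) {
  const cors = corsHeadersFor(req.headers.origin);
  if (!cors) { res.writeHead(403); res.end(); return; }
  for (const [k, v] of Object.entries(cors)) res.setHeader(k, v);
  if (req.method === 'OPTIONS') { res.writeHead(204); res.end(); return; } // preflight
  if (!/^Bearer \S+$/.test(req.headers.authorization || '')) { res.writeHead(401); res.end(); return; }
  // Validating the bearer token against the realm is out of scope for this example.
  res.setHeader('Set-Cookie', ssoCookie('SSO_SESSION', 'opaque-session-id-placeholder'));
  res.writeHead(204);
  res.end();
}

// Minimal stand-in for http.ServerResponse so the handler can be exercised offline.
function mockResponse() {
  return {
    status: null,
    headers: {},
    setHeader(k, v) { this.headers[k] = v; },
    writeHead(s) { this.status = s; },
    end() {},
  };
}

// Run the handler against two constructed requests: a valid one and one without a token.
function demo() {
  const ok = mockResponse();
  handle({ method: 'GET', headers: { origin: 'http://localhost:3000', authorization: 'Bearer abc' } }, ok);
  const noToken = mockResponse();
  handle({ method: 'GET', headers: { origin: 'http://localhost:3000' } }, noToken);
  return { okStatus: ok.status, okCookie: ok.headers['Set-Cookie'], noTokenStatus: noToken.status };
}
```

To serve this for real, pass `handle` to `http.createServer(handle).listen(9990)`; the `demo` function only drives it through a mock response so the logic can be checked without opening a port.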
