Saturday, November 11, 2017

Keycloak, cookies and principal

When you access a secured webapp, the first cookie to be created is a JSESSIONID

/pvkeycloakdemo is my webapp root context

When you access a protected resource, you get redirected to keycloak authentication server, and another 2 cookies appear: a OAuth_Token_Request_State (Path=/pvkeycloakdemo) and a AUTH_SESSION_ID (Path=/auth/realms/demo)

After authenticating in Keycloak, I get a KC_RESTART, a KEYCLOAK_IDENTITY and a KEYCLOAK_SESSION (Path=/auth/realms/demo)

KEYCLOAK_SESSION is a special one: it's the only one with a 12 hour expiration time (all others expire at end of session) and the value specifies the realm name : demo/34f600e7-bfd6-475c-9596-72491b9455fa/fa9c5c6b-5e70-43ce-aeb8-34b2188e3c7f (demo in this case)

If you choose the option "remember me", you get also a cookie KEYCLOAK_REMEMBER_ME

When you do a request.getPrincipal(), the is a org.keycloak.KeycloakPrincipal, and the principal Name is the ID that you see in the Keycloak console, not the Name:

No comments: