Application and Identity manger on different domains

[eugeniosegala]

Describe the bug

I'm experiencing a strange behaviour in my Node JS application using openid-client.

In summary, my application is on my-domain.co.uk while the identity manager (in my case Keycloak) is on my-identity.co.uk.

After logging in, I receive this error inside the auth callback:

Error: did not find expected authorization request details in session, req.session["oidc:my-identity.co.uk"] is undefined

After several tests, I have discovered that the solution is to change how my express session cookie is saved from:

expressApp.use(
      session({
        cookie: {
          sameSite: true,
        },
        // more code...
      })
    );

to

expressApp.use(
      session({
        cookie: {
          sameSite: false,
        },
        // more code...
      })
    );

As you can see from above, I only flipped sameSite from true to false.

A similar problem was reported here: https://stackoverflow.com/questions/63259184/node-with-express-session-issue

My solution seemed to have worked however, since my cookie is now sameSite: false, is being sent to also other domains, causing potential security concerns.

Is there a way to control this behaviour only for requests which involves Keycloak, given that it's not unusual to have application and Identity manger on different domains?

Thanks!

[panva]

Well, it's your session mechanism, your rules and your means of managing its configuration.

[eugeniosegala]

Hey @panva,

I've noticed that the openid-client library appears to use domain names as keys for storing information in the session, as indicated by req.session["oidc:my-identity.co.uk"] being undefined. This has led to an issue where I needed to change the global sameSite property of the session cookie to false to facilitate communication with Keycloak, which is hosted on a different domain.

Given the security implications of setting sameSite to false for all cookies, I'm looking for advice on how to address this specific behavior. Is there a way to configure openid-client or the session management in such a way that it doesn't require modifying the global sameSite property? Alternatively, are there any recommended practices or configurations that would allow maintaining higher security standards while still supporting the necessary cross-domain authentication flow with Keycloak/openid-client?

I personally did not experience this behaviour with keycloak-nodejs-connect (the flow was similar).

Thanks for your help!

[eugeniosegala]

@panva I was wondering if you had a chance to review my above comment? Thanks!

[big-kahuna-burger]

A similar problem was reported here: https://stackoverflow.com/questions/63259184/node-with-express-session-issue

This link has answer for you.
Just apply it.

Which is related to how express-session works. Problem is not related to this pkg, since this strategy is not managing req.session in your app.