Keycloak 26 CookieProvider not recognizing secure requests

We’re running Keycloak inside K8S and the actual statefulset instance is only exposing http (and not https). As a result, the DefaultCookieProvider code is flagging the requests as insecure.

This code is only checking the request schema:

this.secure = SecureContextResolver.isSecureContext(session);

And as a result our SameSite value is getting set to Lax instead of None for KC_RESTART:

NewCookie.SameSite sameSite = cookieType.getScope().getSameSite();
if (NewCookie.SameSite.NONE.equals(sameSite) && !secure) {
     sameSite = NewCookie.SameSite.LAX;
}

Am I missing a flag somewhere to enforce treating requests as secure? It seems like setting --hostname to a secure URI should do this but it does not. This was previously enforceable with a flag on the client which is how we’ve been running up until now.

I was able to work around it by implementing our own CookieProvider SPI, but I don’t really like that solution…
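An added check, not part of the original post or of Keycloak's code: it parses `Set-Cookie` header values and reports when KC_RESTART has lost `SameSite=None` or `Secure`, which is the visible symptom of the downgrade quoted above. The sample headers, the `OTHER` cookie and the function names are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the SameSite downgrade on KC_RESTART.
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, attributes) with attribute names lower-cased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0]
    attrs: Dict[str, str] = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit(headers: List[str], expect_none: Tuple[str, ...] = ("KC_RESTART",)) -> List[str]:
    """List problems for cookies that are expected to carry SameSite=None; Secure."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name not in expect_none:
            continue  # cookies outside the watch list are not judged
        same_site = attrs.get("samesite", "")
        if same_site.lower() != "none":
            findings.append(f"{name}: SameSite={same_site or '<absent>'}, expected None")
        if "secure" not in attrs:
            # Browsers reject SameSite=None cookies that lack Secure.
            findings.append(f"{name}: Secure attribute missing")
    return findings


# Constructed sample headers (values and paths are placeholders, not real captures).
DOWNGRADED = [
    "KC_RESTART=placeholder; Path=/realms/example/; HttpOnly; SameSite=Lax",
    "OTHER=1; Path=/; SameSite=Lax",
]
EXPECTED = ["KC_RESTART=placeholder; Path=/realms/example/; Secure; HttpOnly; SameSite=None"]

if __name__ == "__main__":
    for label, sample in (("downgraded", DOWNGRADED), ("expected", EXPECTED)):
        print(label, audit(sample) or "ok")
```

Run it against the `Set-Cookie` values from a login response captured at the public endpoint, before and after any configuration change, to confirm whether the cookie is still being downgraded.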