
I see this question has been answered in many forums and in many ways; most of the answers describe what we are already doing.

Still, we see that Set-Cookie is NOT being saved in the browser; because of this, Keycloak is not able to recognize the impersonation login session.

Here is the request (done via Angular, using the legacy `@angular/http` module):

```typescript
import { Headers, Http, RequestMethod, RequestOptions, Response } from '@angular/http';
import 'rxjs/add/operator/map';
import 'rxjs/add/operator/catch';

// Calls the custom impersonation endpoint with the admin token; `environment`, `user`,
// `this._http` and `this.handleErrorObservable` come from the surrounding service.
impersonate(userName: string, representativeDetails: object) {
  const url = environment.BASE_URL + 'realms/master/custom/realms/REALM_NAME/users/' + userName + '/impersonation';
  const headers = new Headers();
  headers.append('Authorization', 'Bearer ' + user.adminToken);
  // Access-Control-Allow-Origin is a response header; sending it on the request only forces a preflight
  headers.append('Access-Control-Allow-Origin', '*');
  const options = new RequestOptions({ method: RequestMethod.Post, headers: headers });
  options.withCredentials = true; // needed for the browser to send and store cookies on a cross-origin call
  return this._http
    .post(url, JSON.stringify(representativeDetails), options)
    .map((response: Response) => response.json())
    .catch(this.handleErrorObservable);
}
```

Here is the response sent from our Java application (a JAX-RS `Response` built inside the custom Keycloak resource):

```java
// JSON body plus the CORS headers a credentialed (withCredentials) request needs.
return Response.ok(result)
        .header(HttpHeaders.CONTENT_TYPE, org.keycloak.utils.MediaType.APPLICATION_JSON)
        // must echo the exact requesting origin; "*" is rejected by the browser once credentials are allowed
        .header("Access-Control-Allow-Origin", origin)
        .header("Access-Control-Allow-Methods", CollectionUtil.join(new HashSet<>(Arrays.asList("GET", "PUT", "POST", "DELETE"))))
        // "Access-Control-Allow-Origin" is listed only because the Angular client sends it as a request header
        .header("Access-Control-Allow-Headers", "Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization, Access-Control-Allow-Origin")
        .header("Access-Control-Max-Age", 1234)
        .header("Access-Control-Allow-Credentials", true)
        // on a credentialed response "*" is treated as a literal header name, not a wildcard
        .header("Access-Control-Expose-Headers", "*")
        .build();
```

Below is what I copied from my browser, where we can see all the request and response headers.

**Response Headers**

access-control-allow-headers: Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization, Access-Control-Allow-Origin
access-control-allow-methods: DELETE, POST, GET, PUT
access-control-allow-origin: https://DOMAINNAME.COM
access-control-expose-headers: *
access-control-max-age: 1234
cache-control: NO-CACHE
content-length: 108
content-type: application/json
date: Fri, 28 Jan 2022 20:31:19 GMT
p3p: CP="This is not a P3P policy!"
pragma: NO-CACHE
referrer-policy: no-referrer
set-cookie: KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInXXXXXXX--------tm_sC4lnc; Version=1; Path=/; SameSite=None; Secure; HttpOnly
set-cookie: KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInXXXXXXX--------tm_sC4lnc; Version=1; Path=/; Secure; HttpOnly
set-cookie: KEYCLOAK_SESSION=REALM_NAME/065ec370-e803-4351-9a06; Version=1; Expires=Mon, 07-Feb-2022 20:31:19 GMT; Max-Age=864000; Path=/; SameSite=None; Secure
set-cookie: KEYCLOAK_SESSION_LEGACY=REALM_NAME/065ec370-e803-4351-9a06; Version=1; Expires=Mon, 07-Feb-2022 20:31:19 GMT; Max-Age=864000; Path=/; Secure
set-cookie: AUTH_SESSION_ID=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/; Secure; HttpOnly
set-cookie: KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/; Secure; HttpOnly
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block

**Request Headers**

:authority: SSO_BASE_URL.COM
:method: POST
:path: /auth/realms/master/custom/realms/REALM_NAME/users/USER_ID/impersonation
:scheme: https
accept: application/json, text/plain, */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,hi;q=0.8,en-IN;q=0.7
access-control-allow-origin: *
authorization: Bearer TOKEN_TOKEN_TOKEN
cache-control: no-cache
content-length: 36
content-type: application/json
cookie: AUTH_SESSION_ID=d1d12d09-3; 
AUTH_SESSION_ID_LEGACY=d1d12d09-3; 
KEYCLOAK_SESSION=master/eda99620-92e2-4; 
KEYCLOAK_SESSION_LEGACY=master/eda99620-92e2-4; 
KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiI------------; KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiI------------;
LanguageDisplayDirection=ltr; 
SplashScreen=false; 
cookiebanner=false; 
origin: https://DOMAINNAME.COM
pragma: no-cache
referer: https://DOMAINNAME.COM/
sec-ch-ua: " Not;A Brand";v="99", "Google Chrome";v="97", "Chromium";v="97"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36

Here is the Keycloak server source code and the logic that creates the login cookie:

https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/services/resources/admin/UserResource.java (createLoginCookie)

https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java (createLoginCookie)
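As an added example (not code from the question, from Keycloak or from Angular), the following JavaScript replays the checks a browser applies to a credentialed cross-origin response before it uses the response and stores the cookies it carries: the requesting origin must be echoed exactly (never `*`), `Access-Control-Allow-Credentials` must be exactly `true`, a `*` in the allow/expose header lists is a literal name rather than a wildcard once credentials are involved, a `SameSite=None` cookie must also be `Secure`, and a cookie set without an explicit `Path` is scoped to the directory of the URL that set it, which is the problem the linked answer in the comments describes. The two header sets are constructed from the question's capture (one as it should look, one with those mistakes); `LOGIN_PATH` is an assumed follow-up request path and is not on the page.

```javascript
// Added example: not code from the original question, Keycloak or Angular.
// Replays the checks a browser applies before it uses a credentialed cross-origin
// response and stores the cookies it carries. The header sets below are constructed
// from the question's capture; the path marked "assumed" is not on the page.

// Default cookie path per RFC 6265: the request path up to (not including) its last "/".
function defaultCookiePath(requestPath) {
  const i = requestPath.lastIndexOf("/");
  return i <= 0 ? "/" : requestPath.slice(0, i);
}

// RFC 6265 path-match: equal, or a prefix that ends in "/" or is followed by "/" in the request path.
function cookiePathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// "NAME=value; Attr; Attr=val" -> { name, value, attrs } with lower-cased attribute names.
function parseSetCookie(line) {
  const [pair, ...rest] = line.split(";").map((p) => p.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of rest.filter(Boolean)) {
    const i = part.indexOf("=");
    cookie.attrs[(i < 0 ? part : part.slice(0, i)).toLowerCase()] = i < 0 ? true : part.slice(i + 1);
  }
  return cookie;
}

// Returns the reasons the browser would reject the response or its cookies. An empty list
// means a withCredentials request would succeed and the cookies would be stored and later
// sent to `laterRequestPath`.
function auditCredentialedCors({ requestOrigin, requestPath, laterRequestPath, headers }) {
  const findings = [];
  const get = (name) => headers[name.toLowerCase()];

  const acao = get("access-control-allow-origin");
  if (acao === undefined) findings.push("Access-Control-Allow-Origin missing: response is opaque to the page");
  else if (acao === "*") findings.push("Access-Control-Allow-Origin: * is rejected for credentialed requests; echo the exact origin");
  else if (acao !== requestOrigin) findings.push(`Access-Control-Allow-Origin ${acao} does not match request origin ${requestOrigin}`);

  if (get("access-control-allow-credentials") !== "true")
    findings.push("Access-Control-Allow-Credentials must be exactly 'true' or cookies are neither sent nor stored");

  // On credentialed responses "*" in these headers is a literal name, not a wildcard.
  for (const h of ["access-control-allow-headers", "access-control-expose-headers"]) {
    const v = get(h);
    if (v !== undefined && v.split(",").map((s) => s.trim()).includes("*"))
      findings.push(`${h}: * is not a wildcard on credentialed responses; list header names explicitly`);
  }

  for (const raw of [].concat(get("set-cookie") || [])) {
    const c = parseSetCookie(raw);
    if (String(c.attrs.samesite || "").toLowerCase() === "none" && !c.attrs.secure)
      findings.push(`${c.name}: SameSite=None without Secure is dropped by the browser`);
    const path = c.attrs.path || defaultCookiePath(requestPath);
    if (!cookiePathMatches(path, laterRequestPath))
      findings.push(`${c.name}: Path=${path} will not be sent to ${laterRequestPath}`);
  }
  return findings;
}

const ORIGIN = "https://DOMAINNAME.COM"; // from the question's capture
const IMPERSONATE_PATH = "/auth/realms/master/custom/realms/REALM_NAME/users/USER_ID/impersonation";
const LOGIN_PATH = "/auth/realms/REALM_NAME/protocol/openid-connect/auth"; // assumed follow-up request path

// Constructed from the question's capture, with the credentials header the Java code sets.
const WORKING_RESPONSE = {
  requestOrigin: ORIGIN, requestPath: IMPERSONATE_PATH, laterRequestPath: LOGIN_PATH,
  headers: {
    "access-control-allow-origin": ORIGIN,
    "access-control-allow-credentials": "true",
    "access-control-expose-headers": "Content-Type",
    "set-cookie": [
      "KEYCLOAK_IDENTITY=eyJ...; Version=1; Path=/; SameSite=None; Secure; HttpOnly",
      "KEYCLOAK_SESSION=REALM_NAME/065ec370; Version=1; Max-Age=864000; Path=/; SameSite=None; Secure",
      "AUTH_SESSION_ID=; Version=1; Max-Age=0; Path=/; Secure; HttpOnly",
    ],
  },
};

// Constructed: the same response with the mistakes the question's code and the linked thread describe.
const BROKEN_RESPONSE = {
  ...WORKING_RESPONSE,
  headers: {
    "access-control-allow-origin": "*",   // wildcard with credentials
    "access-control-expose-headers": "*", // literal "*", not a wildcard
    "set-cookie": [
      "KEYCLOAK_IDENTITY=eyJ...; Version=1; SameSite=None; Secure; HttpOnly",   // no Path: scoped to the impersonation URL's directory
      "KEYCLOAK_SESSION=REALM_NAME/065ec370; Version=1; Path=/; SameSite=None", // SameSite=None without Secure
    ],
  },
};

console.log("working:", auditCredentialedCors(WORKING_RESPONSE));
console.log("broken:", auditCredentialedCors(BROKEN_RESPONSE));
```

Run it with `node` and compare the two lists: the working set produces no findings, while the broken set reports the wildcard origin, the missing credentials header, the literal `*` in `Access-Control-Expose-Headers`, the cookie whose default `Path` is the impersonation URL's directory, and the `SameSite=None` cookie that lacks `Secure`. Note that `Set-Cookie` is never readable from script regardless of `Access-Control-Expose-Headers`; what matters is whether the browser stores the cookie, and that depends on the credentials and cookie-attribute rules above.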

  • https://stackoverflow.com/questions/22432616/why-is-the-browser-not-setting-cookies-after-an-ajax-request-returns/46481100 – Jan Garaj Jan 29 '22 at 13:19
  • Thank you @JanGaraj - After changing the Keycloak server source code (via customization) by passing Path = "/", I now see cookies are created, but Keycloak is NOT creating the login session (impersonation session). – Nick Jan 29 '22 at 19:33
  • I am not finding any reference to MongoDB Realm (the relational database) in your question. How does that tag tie in? – Jay Jan 29 '22 at 22:15
  • @Jay - I am sorry, I didn't get your question. I didn't tag any MongoDB Realm. I was looking for Keycloak - impersonation logic NOT working even though the cookies are created in the browser. Let me know if you need details. – Nick Jan 31 '22 at 21:27
  • You had tagged the question with `Realm`, which is MongoDB Realm, the relational database. Looks like another user removed that tag, so you are all set. In the future, be sure to read the description of the tag before adding it, so your question is presented to the users that have the most experience with what's being asked. – Jay Jan 31 '22 at 22:37

0 Answers