
I have a running Keycloak instance on auth.example.com and my app is running on example.io.

Brave Shield is blocking CORS cookies, so the cookie is not sent to the /protocol/openid-connect/token/ endpoint and therefore I get a 400 result.

What is the best solution to deal with this problem?

a) I catch the 400 response and inform the user to allow CORS cookies?
b) I host the Keycloak instance on the same domain
c) I use another approach than cookies for this

C sounds insecure when you store the cookie only in localStorage without the HttpOnly option. B will not work in the future when I have other applications that want to interact with the IAM.

So the only option, I think, is A (which works, but is not user-friendly), isn't it?

cre8
  • What cookie? Which domain sets it and how? And to which requests do you expect the browser to attach the cookie in question? – jub0bs Feb 24 '23 at 11:48
  • @jub0bs To receive a valid token, the client (example.io) will send the refresh token as a cookie to the Keycloak endpoint (auth.example.com). But since this one is hosted on another domain, Brave Shield will block attaching the refresh token to the request. – cre8 Feb 24 '23 at 12:20
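The client-side handling behind option (a), as an added example that is not part of the question and not Keycloak's own code: the cross-site refresh call is made with `credentials: "include"` (without it the browser never attaches a cookie to a cross-origin request, Shields or not), and the decision logic that maps the 400 the asker sees to a user-facing "allow cookies and sign in again" signal is kept in a pure function so it can be exercised offline with a constructed stand-in for `fetch`. The realm segment `myrealm`, `CLIENT_ID`, and the `fakeFetch` responses are assumptions; the form body follows the standard OAuth 2.0 refresh grant (RFC 6749 section 6), with the refresh token itself expected, in the asker's setup, to travel as the cookie rather than in the body.

```javascript
// Added example (not from the question or from Keycloak). Placeholders:
// the realm "myrealm" and the client id are assumed values.
const TOKEN_URL = "https://auth.example.com/realms/myrealm/protocol/openid-connect/token";
const CLIENT_ID = "example-io-spa";

// Pure decision logic, separated from I/O so it can be tested without a browser.
// A 400 is mapped to "re-authentication required" because the question reports
// that symptom when the refresh-token cookie is not attached; an expired or
// revoked refresh token looks the same from the client, so the message covers both.
function classifyTokenResponse(status, body) {
  if (status === 200 && body && typeof body.access_token === "string") {
    return { kind: "ok", accessToken: body.access_token, expiresIn: body.expires_in };
  }
  if (status === 400) {
    return {
      kind: "reauth_required",
      userMessage:
        "Your session could not be renewed. If you use Brave Shields or block " +
        "third-party cookies, allow cookies for auth.example.com and sign in again.",
      error: body && body.error,
    };
  }
  return { kind: "error", httpStatus: status };
}

// Performs the credentialed cross-site refresh call and classifies the result.
// fetchImpl is injectable so the flow can run offline against a fake.
async function refreshAccessToken({
  tokenUrl = TOKEN_URL,
  clientId = CLIENT_ID,
  fetchImpl = globalThis.fetch,
} = {}) {
  const res = await fetchImpl(tokenUrl, {
    method: "POST",
    // Required for the browser to send cookies on a cross-site request at all.
    credentials: "include",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    // Standard refresh-grant parameters; the refresh token arrives as the cookie
    // in the asker's setup, so it is deliberately not placed in the body here.
    body: new URLSearchParams({ grant_type: "refresh_token", client_id: clientId }).toString(),
  });
  let body = null;
  try {
    body = await res.json();
  } catch (_) {
    // Non-JSON error page; classify on the status code alone.
  }
  return classifyTokenResponse(res.status, body);
}

// Constructed stand-in for fetch (assumption, not real Keycloak traffic) so the
// file runs offline; simulates the two outcomes described in the question.
function fakeFetch(status, json) {
  return async () => ({
    status,
    ok: status >= 200 && status < 300,
    json: async () => json,
  });
}

// Runs both scenarios: cookie attached (200) and cookie blocked (400).
async function demo() {
  const good = await refreshAccessToken({
    fetchImpl: fakeFetch(200, { access_token: "constructed.access.token", expires_in: 300 }),
  });
  const blocked = await refreshAccessToken({
    fetchImpl: fakeFetch(400, { error: "invalid_grant" }),
  });
  return { good, blocked };
}

demo().then(({ good, blocked }) => {
  console.log(good.kind);            // ok
  console.log(blocked.userMessage);  // the message shown to the user
});
```

Two checks belong alongside this on the Keycloak side, independent of Brave: a cookie that is meant to be attached cross-site must be set with `SameSite=None; Secure`, and the token endpoint must answer the preflight and the POST with `Access-Control-Allow-Credentials: true` and an explicit `Access-Control-Allow-Origin: https://example.io` (not `*`), otherwise every browser drops the cookie or rejects the response and the 400 has nothing to do with Shields.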

0 Answers