23

Can someone please explain the cookies set by Keycloak: KEYCLOAK_SESSION, Oauth_token_request_state, KEYCLOAK_IDENTITY.

What is the relevance of each cookie?

1 Answer

33

They are cookies for internal use of Keycloak.

KEYCLOAK_IDENTITY contains a token (JWT) with the user ids. You can view its content using jwt.io (for example). This cookie lives with your browser session and can also be refreshed with SSO. (for example, if you change some of your personal data in the "Manage my account")

KEYCLOAK_SESSION is your session id associated with the concerned realm.

Oauth_token_request_state is part of the OAuth spec, in order to avoid hacking of the redirect link after login.

Yuri
antoine
  • (1) Why are these cookies not setting a secure flag? Any idea? – SANDEEP MACHIRAJU Aug 21 '20 at 16:32
  • (3) Does anybody know what KEYCLOAK_IDENTITY_LEGACY means? – noircc Sep 04 '20 at 12:41
  • Keycloak has evolved a lot since 2018; cookie management has changed, so you might find a fresher answer in the official documentation than in this post: https://www.keycloak.org/docs/latest/ – antoine Sep 08 '20 at 14:43
  • (1) Can anyone tell me how I can get an access token from KEYCLOAK_IDENTITY, to connect with our backend service? – Mohankumar D Nov 09 '20 at 07:22
  • Hello @MohankumarD, I think you should start a new question to get a better answer; this thread is over. Please don't forget to add more details to your question, such as the Keycloak version and how you are using it. – antoine Nov 09 '20 at 17:52
  • (4) The LEGACY cookies were to deal with the SameSite cookie changes in Chrome and legacy issues with other browsers. They are effectively the same thing as the non-LEGACY versions but with different flags to handle the legacy browsers. – Chris D Jun 08 '21 at 14:15
  • I'm having issues with the size of these. Is it possible to remove these LEGACY cookies in any way? – eja Jun 07 '22 at 06:58
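As an added example (not code from the original answer or from the Keycloak project), the Python below does what the answer suggests with jwt.io, decoding the KEYCLOAK_IDENTITY payload without verifying its signature, and also checks the Secure/HttpOnly/SameSite attributes that the comments ask about. The cookie values, claims, paths and hostname are constructed for the demo.

```python
import base64, json
def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims_unverified(token: str) -> dict:
    # Payload only, signature NOT checked (what jwt.io shows): inspection, never trust
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))

def parse_set_cookie(line: str) -> dict:
    # One Set-Cookie header -> name, value and a dict of its attributes
    first, *attrs = [part.strip() for part in line.split(";")]
    name, _, value = first.partition("=")
    flags = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        flags[key.lower()] = val or True  # bare flags such as Secure become True
    return {"name": name, "value": value, "flags": flags}

def audit_keycloak_cookie(cookie: dict) -> list:
    # Weak attributes on the session-bearing cookies the answer describes
    name, flags, findings = cookie["name"], cookie["flags"], []
    if name in ("KEYCLOAK_IDENTITY", "KEYCLOAK_SESSION"):
        if "secure" not in flags:
            findings.append("missing Secure (cookie would be sent over plain HTTP)")
        if name == "KEYCLOAK_IDENTITY" and "httponly" not in flags:
            findings.append("missing HttpOnly (identity token readable by page scripts)")
        if "samesite" not in flags:
            findings.append("no SameSite attribute")
    return findings

def inspect_keycloak_cookies(set_cookie_lines: list) -> dict:
    # Per cookie: audit findings, plus the decoded claims for KEYCLOAK_IDENTITY
    report = {}
    for line in set_cookie_lines:
        cookie = parse_set_cookie(line)
        entry = {"findings": audit_keycloak_cookie(cookie)}
        if cookie["name"] == "KEYCLOAK_IDENTITY":
            entry["claims"] = jwt_claims_unverified(cookie["value"])
        report[cookie["name"]] = entry
    return report

# Constructed sample (not from a real Keycloak): an identity JWT with user/session
# claims and a dummy signature, plus Set-Cookie headers with deliberately mixed flags
SAMPLE_CLAIMS = {"iss": "https://sso.example.test/auth/realms/demo", "exp": 4102444800,
                 "sub": "0a1b2c3d-0000-4000-8000-constructed00", "session_state": "sess-constructed-01"}
SAMPLE_JWT = ".".join(base64.urlsafe_b64encode(part).rstrip(b"=").decode() for part in (
    b'{"alg":"HS256","typ":"JWT"}', json.dumps(SAMPLE_CLAIMS).encode(), b"dummy-signature"))
SAMPLE_SET_COOKIES = [f"KEYCLOAK_IDENTITY={SAMPLE_JWT}; Path=/auth/realms/demo/; HttpOnly",
                      "KEYCLOAK_SESSION=demo/user-constructed/sess-constructed-01; Path=/auth/realms/demo/; Secure"]
```

Run `inspect_keycloak_cookies(SAMPLE_SET_COOKIES)` against the Set-Cookie headers of a real login response to see which claims the identity cookie carries and which attributes are missing; the same cookies should be checked again after any Keycloak upgrade, since the LEGACY variants differ only in their flags.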