Issues and Solutions
Unable to Add New Devices or List the Device Types
If the following message appears when you create a new device in IE Management, the client configuration of the ie-management client may be incorrect.
To check and fix this, open the Identity and Access Management service and select the ie-management client under Clients:
- Go to the Client scope tab.
- Check whether a scope named roles is listed there.
- If this scope is listed, you can safely remove it: click the three dots next to it and select Delete.
SameSite=None Setting in Keycloak Cookies
Keycloak sets SameSite=None on its cookies (KEYCLOAK_IDENTITY and others).
Setting SameSite=Strict would break any application that is not hosted on the same eTLD+1 as Keycloak: browsers do not send SameSite=Strict cookies after a redirect to Keycloak when the originating site is on a different eTLD+1.
The major risk behind this setting is mitigated by the following:
- Keycloak relies on other mechanisms for protection against CSRF attacks, built into the OIDC and SAML protocols used for application interactions.
- Except for the legacy cookies, all cookies are marked with the HttpOnly and Secure flags. The HttpOnly flag prevents client-side scripts from accessing cookies, reducing the risk of session hijacking. The Secure flag ensures that cookies are only sent over encrypted connections (HTTPS), protecting them from interception.
- In addition, the legacy cookies will be removed in an upcoming Keycloak version.
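The cookie attributes described above can be verified on the actual Set-Cookie headers a Keycloak instance returns. The following added Python script (not part of the Keycloak or IE Management documentation) parses constructed Keycloak-style Set-Cookie headers and flags cookies that lack Secure or HttpOnly, use SameSite=Strict, or combine SameSite=None with a missing Secure flag, which browsers reject. Identifying legacy cookies by a `_LEGACY` name suffix is an assumption, as are the sample cookie values.

```python
"""Audit Keycloak-style Set-Cookie headers for the flags discussed above."""
from dataclasses import dataclass, field

# Assumption: Keycloak's legacy fallback cookies carry this name suffix and are
# the only cookies exempt from the HttpOnly requirement.
LEGACY_SUFFIX = "_LEGACY"


@dataclass
class CookieAudit:
    name: str
    attrs: dict          # lower-cased attribute name -> value ("" for flags)
    findings: list = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split one Set-Cookie value into the cookie name and its attributes."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return CookieAudit(name=name, attrs=attrs)


def audit_cookie(header: str) -> CookieAudit:
    """Check one cookie against the Secure / HttpOnly / SameSite expectations."""
    c = parse_set_cookie(header)
    same_site = c.attrs.get("samesite", "").lower()
    if "secure" not in c.attrs:
        c.findings.append("missing Secure")
    if "httponly" not in c.attrs and not c.name.upper().endswith(LEGACY_SUFFIX):
        c.findings.append("missing HttpOnly")
    if same_site == "none" and "secure" not in c.attrs:
        c.findings.append("SameSite=None without Secure is rejected by browsers")
    if same_site == "strict":
        c.findings.append("SameSite=Strict breaks redirects from a different eTLD+1")
    return c


def audit_all(headers):
    """Return {cookie name: [findings]} for a list of Set-Cookie values."""
    return {a.name: a.findings for a in map(audit_cookie, headers)}


# Constructed sample headers: two compliant cookies and two misconfigured ones.
SAMPLE_HEADERS = [
    "KEYCLOAK_IDENTITY=tok; Path=/auth/realms/ie; Secure; HttpOnly; SameSite=None",
    "KEYCLOAK_IDENTITY_LEGACY=tok; Path=/auth/realms/ie; Secure; HttpOnly",
    "AUTH_SESSION_ID=sid; Path=/auth/realms/ie; HttpOnly; SameSite=None",
    "KEYCLOAK_SESSION=r/u/s; Path=/auth/realms/ie; Secure; HttpOnly; SameSite=Strict",
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_HEADERS).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```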