Skip to content

set Secure flag on keycloak login cookies behind a TLS proxy#69594

Merged
vincbeck merged 1 commit into
apache:mainfrom
Samin061:keycloak-login-cookie-secure
Jul 8, 2026
Merged

set Secure flag on keycloak login cookies behind a TLS proxy#69594
vincbeck merged 1 commit into
apache:mainfrom
Samin061:keycloak-login-cookie-secure

Conversation

@Samin061

@Samin061 Samin061 commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

The keycloak auth manager sets the session JWT, the OIDC id token, and the OAuth state cookie during login, and it decides the cookie Secure flag from secure = bool(conf.get("api", "ssl_cert")). That drops the request.base_url.scheme == "https" term the rest of the codebase uses for the same decision, including logout_callback a few lines down, the core auth manager login/logout, and the refresh-token middleware. When the api-server sits behind a proxy that terminates TLS, ssl_cert is normally unset in Airflow, so with the current check these auth cookies go out without Secure even though the browser reached the server over HTTPS. A browser will then also attach them to a plaintext http:// request to the same host, which puts the session token within reach of a network or SSL-stripping attacker. I noticed it while comparing the login and logout handlers in this file, since logout already guards on the request scheme. This lines both login routes up with that canonical form so the cookies carry Secure behind a proxy, and nothing changes when Airflow terminates TLS itself or serves plain HTTP.

@vincbeck vincbeck merged commit a6b9b08 into apache:main Jul 8, 2026
79 checks passed
@potiuk potiuk added the ready for maintainer review Set after triaging when all criteria pass. label Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants