Keycloak cookies: KEYCLOAK_SESSION, Oauth_token_request_state, KEYCLOAK_IDENTITY

siddhartha chakraborty · May 29, 2018 · Viewed 13.9k times

Can someone please explain the cookies set by Keycloak: KEYCLOAK_SESSION, Oauth_token_request_state, KEYCLOAK_IDENTITY.

What is the relevance of each cookie?

Answer

antoine · Jun 13, 2018

They are cookies for internal use of Keycloak.

KEYCLOAK_IDENTITY contains a token (JWT) with the user ids. You can view its content using jwt.io (for example). This cookie lives with your browser session and can also be refreshed with SSO (for example, if you change some of your personal data in the "Manage my account").

KEYCLOAK_SESSION is your session id associated with the concerned realm.

Oauth_token_request_state is part of the OAuth spec in order to avoid hacking of the redirect link after login.
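
The JWT structure mentioned for KEYCLOAK_IDENTITY can also be inspected locally, so a live session cookie never has to be pasted into a website. The following is an added example, not part of the original answer and not Keycloak code; the token, issuer URL, subject and signature are constructed placeholders, and the signature is deliberately not verified.

```python
import base64
import json
from datetime import datetime, timezone


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> dict:
    """Split a compact JWT and return header and claims WITHOUT checking the signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"malformed JWT segment: {exc}") from exc
    return {"header": header, "claims": claims}


def expiry(claims: dict):
    """Return the exp claim as an aware UTC datetime, or None if absent."""
    exp = claims.get("exp")
    return None if exp is None else datetime.fromtimestamp(exp, tz=timezone.utc)


def make_sample_cookie_value() -> str:
    # Constructed sample, not a real Keycloak cookie: placeholder issuer, subject, signature.
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "https://sso.example.test/auth/realms/demo",
              "sub": "00000000-0000-0000-0000-000000000001",
              "iat": 1527552000, "exp": 1527588000}
    body = ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, claims))
    return body + "." + b64url_encode(b"placeholder-signature")


if __name__ == "__main__":
    decoded = decode_jwt_unverified(make_sample_cookie_value())
    print(json.dumps(decoded, indent=2))
    print("expires:", expiry(decoded["claims"]).isoformat())
```

Decoding only shows what the token claims; trusting those claims requires verifying the signature against the issuer's key.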