If I remove the JSESSIONID cookie from browser why does BFF generate a new one for me? Leaving me authenticated?

[sisco70]

Hi,

I have had this doubt for some time, but until now I had overlooked it...

Please, for a reference to my configuration see: #260

If I remove the JSESSIONID cookie from browser why does BFF generate a new one for me? Leaving me authenticated?
The user session on Keycloak remains intact, the BFF generates a new java session, but the user remains authenticated

To be exact it is redirected to this url:
https:///?error=[authorization_request_not_found]%20

But I am actually authenticated, I can view the pages.

I expected to be redirected to the Keycloak login page..

Thank you in advance

[ch4mpy]

I don't know why the user is redirected to https:///?error=[authorization_request_not_found]%20. I would need the complete HTTP traces in the browser to understand why and which actor redirects there (is it Keycloak, the BFF, the frontend?).

The most probable reason why you stay logged in is that you delete only one of the two session cookies you have: there is one from the BFF, and one from Keycloak. If you delete the cookie from the BFF, the next request from the browser to the BFF can't be bound to a valid session. With spring-addons, the default InvalidSessionStrategy behavior is to create a new session and to redirect to the same URL for a retry with this new session (valid but unauthorized). If the BFF is configured to redirect this unauthorized retry request to the authorization endpoint, then the user follows a chain of redirections: BFF authorization endpoint -> Keycloak authorization endpoint -> BFF code endpoint -> configured post-login URI. If the session cookie from Keycloak is still bound to a valid session, Keycloak does not ask for credentials and redirects silently to the OAuth2 client with an authorization code. The BFF exchanges this code for tokens and sets the new session with "authorized" status (the user is logged in to the BFF).

As a side note, you may find some of the subjects I can teach useful (and inexpensive, especially if you group with a few other trainees as the price is per group, not per trainee)

[sisco70]

I am authenticated and the browser show the successful login url:
https://biv.lan/BIVDT/BIV_apri/

realm: test
client: bff-client
client-uri: https://biv.lan/bff
keycloak-uri: https://biv.lan/auth

Clear JSESSIONID and XSRF-TOKEN from browser and request same url:

- 302   https://biv.lan/BIVDT/BIV_apri/
- 302   https://biv.lan/bff/oauth2/authorization/bff-client?post_login_success_uri=%2FBIVDT%2FBIV_apri%2F
- 302   https://biv.lan/auth/realms/test/protocol/openid-connect/auth?response_type=code&client_id=bff-client&scope=openid%20profile%20roles&state=8w8jvDxkhZ3p2-bU6G62WJ3ZNdKDCvGiT5_wUf_nljA%3D&redirect_uri=https://biv.lan/bff/login/oauth2/code/bff-client&nonce=jahz-rd2WWS0JpFxM6-U9ADf0ih_AOe3LasosveVK1Y
- 302   https://biv.lan/bff/login/oauth2/code/bff-client?state=8w8jvDxkhZ3p2-bU6G62WJ3ZNdKDCvGiT5_wUf_nljA%3D&session_state=05be363f-835f-48d2-949e-ce772d68b4c5&iss=https%3A%2F%2Fbiv.lan%2Fauth%2Frealms%2Ftest&code=ed1b36c7-2ef4-4936-9b1c-a4aa649dc2ec.05be363f-835f-48d2-949e-ce772d68b4c5.7931e1a2-0986-454c-997b-a227e2bba665
- 400   https://biv.lan/?error=[authorization_request_not_found]%20

The complete sequence of request and responses:

GET /BIVDT/BIV_apri/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
Host: biv.lan
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"


HTTP/1.1 302
Server: nginx/1.26.2
Date: Sun, 13 Apr 2025 09:47:53 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: XSRF-TOKEN=5b96849d-610a-4b01-bdff-16733bc30eab; Path=/; Secure
Set-Cookie: JSESSIONID=37950FAB6E527702D8BA586194A7AFE9; Path=/; Secure; HttpOnly
WWW-Authenticate: OAuth realm=https://biv.lan/bff/oauth2/authorization/bff-client?post_login_success_uri=%2FBIVDT%2FBIV_apri%2F
Location: https://biv.lan/bff/oauth2/authorization/bff-client?post_login_success_uri=%2FBIVDT%2FBIV_apri%2F
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
Access-Control-Allow-Methods: GET, POST, OPTIONS, DELETE, PUT
Access-Control-Allow-Credentials: true
Content-Security-Policy: frame-ancestors 'self'


GET /bff/oauth2/authorization/bff-client?post_login_success_uri=%2FBIVDT%2FBIV_apri%2F HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
Cookie: XSRF-TOKEN=5b96849d-610a-4b01-bdff-16733bc30eab; JSESSIONID=37950FAB6E527702D8BA586194A7AFE9
Host: biv.lan
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"


HTTP/1.1 302
Server: nginx/1.26.2
Date: Sun, 13 Apr 2025 09:47:53 GMT
Content-Length: 0
Connection: keep-alive
Location: https://biv.lan/auth/realms/test/protocol/openid-connect/auth?response_type=code&client_id=bff-client&scope=openid%20profile%20roles&state=8w8jvDxkhZ3p2-bU6G62WJ3ZNdKDCvGiT5_wUf_nljA%3D&redirect_uri=https://biv.lan/bff/login/oauth2/code/bff-client&nonce=jahz-rd2WWS0JpFxM6-U9ADf0ih_AOe3LasosveVK1Y
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY


GET /auth/realms/test/protocol/openid-connect/auth?response_type=code&client_id=bff-client&scope=openid%20profile%20roles&state=8w8jvDxkhZ3p2-bU6G62WJ3ZNdKDCvGiT5_wUf_nljA%3D&redirect_uri=https://biv.lan/bff/login/oauth2/code/bff-client&nonce=jahz-rd2WWS0JpFxM6-U9ADf0ih_AOe3LasosveVK1Y HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
Cookie: AUTH_SESSION_ID=05be363f-835f-48d2-949e-ce772d68b4c5.auth-31737; KEYCLOAK_IDENTITY=eyJhbGciOiJIUzUxMiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI2MjJmMDg1Ni1lNGFiLTQ1NDctYjc2My1mOTU2OWJlOTE4M2IifQ.eyJleHAiOjE3NDQ1NzM1MzEsImlhdCI6MTc0NDUzNzUzMSwianRpIjoiYzFkZDUwZmMtMDllNC00YmQzLWI0YWMtYWY2NmUzODcwZDJkIiwiaXNzIjoiaHR0cHM6Ly9iaXYubGFuL2F1dGgvcmVhbG1zL3Rlc3QiLCJzdWIiOiJhMzk3ZDlmMi1lNWE3LTRjZjEtYTc4Yi1jNmVjZDI4MzJlNzQiLCJ0eXAiOiJTZXJpYWxpemVkLUlEIiwic2lkIjoiMDViZTM2M2YtODM1Zi00OGQyLTk0OWUtY2U3NzJkNjhiNGM1Iiwic3RhdGVfY2hlY2tlciI6Ii1mV2tMTnYwWG9FM2g3b0pVdUZ0LUp5Q0RsZExIck5PY0dodm5KNl9FZ3MifQ.S8pOELPA5sTrzBHbMzk2lcbx7VgUp1AyeCaCDh7UJaXBUqtND9uGW2EQsendbd0q2hAj82U9q67N08xjE1THVQ; KEYCLOAK_SESSION="test/a397d9f2-e5a7-4cf1-a78b-c6ecd2832e74/05be363f-835f-48d2-949e-ce772d68b4c5"; XSRF-TOKEN=5b96849d-610a-4b01-bdff-16733bc30eab; JSESSIONID=672A23907236D90F0AF722030C3771D6
Host: biv.lan
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"


HTTP/1.1 302 Found
Server: nginx/1.26.2
Date: Sun, 13 Apr 2025 09:47:53 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: AUTH_SESSION_ID=05be363f-835f-48d2-949e-ce772d68b4c5.auth-31737;Version=1;Path=/auth/realms/test/;Secure;HttpOnly;SameSite=None
Cache-Control: no-store, must-revalidate, max-age=0
Set-Cookie: KC_RESTART=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..gN3-YDKxWWrDEIvIJ3Euhw.BSZcLnh-IVnFpIfKO7oi48imWktv2_mbs1vGQRb0P6QudgXthTe_MAAqlTNA0ZVOHG6BBmppfJZsfABhBj9iXmN-a7VARI1gc91DB328_gv-Itr0_s809FowhTAqXeFzV9QkmTRFm0TIIsPoR7kLTI25RcuD0n1oRKD8pRlcGEU--K8Ffkvw91ovKV0_iOC4AwENm5XlYMXVKjAYEEmcfsDobre-Q3CevNgQndBdRvoOOC4Mi0DoK5YAW3ats6yg4ZCw4ntMqeTRxTc3SfEiHaD1DEHTwYNIFV_ul--24N40wApBM1Vsryz7DBrWfYoJkN7tFMye35lnp7kCcqI87KP4aBVnrYPRbtvy14r4mc7qdkSgImlQudgxieuVChBU0LCKDPf5cmPYMociUuUlfvju1chkCa1nk_RMM0eVN9yhlTqlRnIKTHD5TJFQUCqzbCOgAgY19Rfc9OqzTGbGhNpTipEgTND8WCwLPay31jm6wruOk8miPksPGMbs-a2LfcTB_uH-_3ltYClbCI1jUQm3l2gYNhKbjyXdaGiraK3ZouibkcPr1F2rB0kOut1o6pkVnZ0S6Ay5uxxBYJAmcaNU0y-4JIwJMov89cUb08T8sOhiUxFHLYwcbp-dshT2CipnXE4aYt10Y1sgHR7jfUWwAiZYkr9h9rX1rapQyIUbNeywdNvy2NToDNCVId_FgU5BrzVijPJyxxsQSaakZ39BrATlbbRe9XIww02ShM3t2pXV0wsLYw7eqBNPNh7ddDnGTqU38xz1HXZDvna8H5UDyzl8Hw-8QKU6F_gLRhZHBhTb6rVPfjH3dV7Aqs7jsp5LW9HTXk9zovID9hxqnlyNPxz81R6ABPZYKQOUl9iqBwl7oGNM7ijiLgNGfvIBVgFu5xlp33ycNi-dXHSt6Gy-WBNfq9PJeSvHO3KdYbHUlSCtQkLFoCNSYEVWMxcX-BI622Y5cOfu0PysZgBX2w.RUk0kE5zgQoFk-7Vgokr4Q;Version=1;Path=/auth/realms/test/;Secure;HttpOnly;SameSite=None
Set-Cookie: KEYCLOAK_IDENTITY=eyJhbGciOiJIUzUxMiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI2MjJmMDg1Ni1lNGFiLTQ1NDctYjc2My1mOTU2OWJlOTE4M2IifQ.eyJleHAiOjE3NDQ1NzM2NzMsImlhdCI6MTc0NDUzNzY3MywianRpIjoiNDBmNzNmYmMtZTVhMi00NzY2LTgyNGItMmRlNDhmZWZjYThlIiwiaXNzIjoiaHR0cHM6Ly9iaXYubGFuL2F1dGgvcmVhbG1zL3Rlc3QiLCJzdWIiOiJhMzk3ZDlmMi1lNWE3LTRjZjEtYTc4Yi1jNmVjZDI4MzJlNzQiLCJ0eXAiOiJTZXJpYWxpemVkLUlEIiwic2lkIjoiMDViZTM2M2YtODM1Zi00OGQyLTk0OWUtY2U3NzJkNjhiNGM1Iiwic3RhdGVfY2hlY2tlciI6Ii1mV2tMTnYwWG9FM2g3b0pVdUZ0LUp5Q0RsZExIck5PY0dodm5KNl9FZ3MifQ.3L3EvOD1qyPoXdcrjm-nHMYTmOcSF22jHui1sq2_UV87yxoqcqioYxvsd-_-61R-OJPEbMnOKTeuBmgy41Q5fQ;Version=1;Path=/auth/realms/test/;Secure;HttpOnly;SameSite=None
Set-Cookie: KEYCLOAK_SESSION="test/a397d9f2-e5a7-4cf1-a78b-c6ecd2832e74/05be363f-835f-48d2-949e-ce772d68b4c5";Version=1;Path=/auth/realms/test/;Max-Age=36000;Secure;SameSite=None
Location: https://biv.lan/bff/login/oauth2/code/bff-client?state=8w8jvDxkhZ3p2-bU6G62WJ3ZNdKDCvGiT5_wUf_nljA%3D&session_state=05be363f-835f-48d2-949e-ce772d68b4c5&iss=https%3A%2F%2Fbiv.lan%2Fauth%2Frealms%2Ftest&code=ed1b36c7-2ef4-4936-9b1c-a4aa649dc2ec.05be363f-835f-48d2-949e-ce772d68b4c5.7931e1a2-0986-454c-997b-a227e2bba665
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block


GET /bff/login/oauth2/code/bff-client?state=8w8jvDxkhZ3p2-bU6G62WJ3ZNdKDCvGiT5_wUf_nljA%3D&session_state=05be363f-835f-48d2-949e-ce772d68b4c5&iss=https%3A%2F%2Fbiv.lan%2Fauth%2Frealms%2Ftest&code=ed1b36c7-2ef4-4936-9b1c-a4aa649dc2ec.05be363f-835f-48d2-949e-ce772d68b4c5.7931e1a2-0986-454c-997b-a227e2bba665 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
Cookie: XSRF-TOKEN=5b96849d-610a-4b01-bdff-16733bc30eab; JSESSIONID=672A23907236D90F0AF722030C3771D6
Host: biv.lan
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"


HTTP/1.1 302
Server: nginx/1.26.2
Date: Sun, 13 Apr 2025 09:47:53 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Location: /?error=[authorization_request_not_found]%20
error: [authorization_request_not_found]
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY


GET /?error=[authorization_request_not_found]%20 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
Cookie: XSRF-TOKEN=5b96849d-610a-4b01-bdff-16733bc30eab; JSESSIONID=672A23907236D90F0AF722030C3771D6
Host: biv.lan
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"

HTTP/1.1 400
Server: nginx/1.26.2
Date: Sun, 13 Apr 2025 09:47:53 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 435
Connection: keep-alive
Content-Language: en

Thank you for your expertise and support, I would definitely be interested, but my English (nor French) is not so good to take a course with complex topics like Spring Security.

If you organized courses on platforms like UDemy, Coursera or similar, I would definitely sign up.

[ch4mpy]

Thanks for the detailed traces.

I am surprised that the response to the 1st request (the one sent to https://biv.lan/BIVDT/BIV_apri/) sets XSRF-TOKEN and JSESSIONID cookies. This request is sent to the reverse-proxy, not to the BFF, and only the BFF should be stateful (maintain sessions and need protection against CSRF), meaning that only the BFF should set such cookies in its responses.

So, you should fix that: use something like Nginx as a reverse proxy like I do in the tutorials or, if using a Java reverse-proxy (Spring Cloud Gateway?), ensure it is configured as stateless (no session and no protection against CSRF). Only the BFF must be stateful and expose a CSRF cookie.

In the case where you use the same Spring Cloud Gateway instance as a reverse proxy and an OAuth2 BFF, use different security filter-chains:

• a stateful one with oauth2Login, sessions and cookie-based protection against CSRF for the /bff/** routes plus those used during login & logout
• a stateless one for all other routes (actuator, /auth/**, /BIVDT/**, ...)

However, this highlights that spring-addons-starter-oidc could better handle the cookies set by the filter chain with oauth2Login it auto-configures: it could be worth using the client-uri to set default domain and path, and to expose properties to override that. Keeping the default / for the path as currently done is not the best option...

[ch4mpy]

About session and CSRF cookies conflicts, see this new entry in the README and the ability to configure the CSRF cookie since 8.1.12 (the session cookie being configurable with "standard" boot properties).