Deprecate legacy cookie behaviour behind profile #16181

@ahus1

Description

Since implementing KEYCLOAK-12125, Keycloak adds two cookies with the same value but different SameSite settings when SameSite is set to None.

This was due to old browsers not supporting SameSite=None; see https://www.chromium.org/updates/same-site/incompatible-clients/ for details and how to detect them.

Since then, browsers supporting this are wide-spread: https://caniuse.com/?search=SameSite%3DNone (92+%).

Adding these extra cookies adds to the HTTP headers sent in a response and request, and a default NGINX setup, which limits response headers to 4k, needs to be tweaked to make it work.

Therefore, I suggest removing the *_LEGACY cookies. Additionally, we should unify our cookie behaviour so that:

  • All cookies are Secure by default.
  • All cookies are SameSite=Strict, unless explicitly specified otherwise.

Motivation

  • Simplify Keycloak's code structure, and support evergreen browsers.
  • Simplify setup of Keycloak behind a load balancer.
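As an added illustration (not part of the issue or of Keycloak's code), the following audits a set of Set-Cookie headers for the *_LEGACY twin pattern described above, for cookies lacking Secure or SameSite, and for total header size against an assumed 4k proxy limit, then rewrites them the way the proposal suggests. The cookie names and values are constructed samples; the 4096-byte limit is an assumption standing in for the NGINX default mentioned in the issue.

```python
# Constructed sample response headers modelled on the behaviour the issue
# describes: a cookie is sent twice, once with SameSite=None and once as a
# *_LEGACY twin without SameSite. Names are illustrative, values are made up.
SAMPLE_SET_COOKIES = [
    "AUTH_SESSION_ID=abc123; Path=/; Secure; HttpOnly; SameSite=None",
    "AUTH_SESSION_ID_LEGACY=abc123; Path=/; Secure; HttpOnly",
    "KEYCLOAK_SESSION=realm/user/sess; Path=/; Secure; SameSite=None",
    "KEYCLOAK_SESSION_LEGACY=realm/user/sess; Path=/",  # neither Secure nor SameSite
    "KC_RESTART=tok-xyz; Path=/; HttpOnly",              # no SameSite at all
]

# Canonical spelling for rendering; attribute names are case-insensitive (RFC 6265).
CANON = {"path": "Path", "domain": "Domain", "secure": "Secure", "httponly": "HttpOnly",
         "samesite": "SameSite", "max-age": "Max-Age", "expires": "Expires"}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attr_lowercase: attr_value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()   # flag attributes get ""
    return name, value, attrs

def audit_set_cookies(set_cookies, header_limit=4096):
    """Report *_LEGACY twins, cookies lacking Secure/SameSite, and header bytes.
    header_limit is an assumed proxy header buffer, not a value from Keycloak."""
    cookies = {n: (v, a) for n, v, a in map(parse_set_cookie, set_cookies)}
    report = {"legacy_pairs": [], "not_secure": [], "no_samesite": []}
    for name, (value, attrs) in cookies.items():
        base = name[:-len("_LEGACY")]
        if name.endswith("_LEGACY") and base in cookies and cookies[base][0] == value:
            report["legacy_pairs"].append((base, name))
        if "secure" not in attrs:
            report["not_secure"].append(name)
        if "samesite" not in attrs:
            report["no_samesite"].append(name)
    report["header_bytes"] = sum(len(f"Set-Cookie: {h}\r\n") for h in set_cookies)
    report["over_limit"] = report["header_bytes"] > header_limit
    return report

def apply_proposal(set_cookies):
    """Rewrite headers as the issue proposes: drop *_LEGACY twins, force Secure,
    and default to SameSite=Strict unless a SameSite value was given explicitly."""
    out = []
    for h in set_cookies:
        name, value, attrs = parse_set_cookie(h)
        if name.endswith("_LEGACY"):
            continue
        attrs["secure"] = ""
        attrs.setdefault("samesite", "Strict")
        rendered = [f"{name}={value}"] + [CANON.get(k, k) if v == "" else f"{CANON.get(k, k)}={v}"
                                          for k, v in attrs.items()]
        out.append("; ".join(rendered))
    return out
```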
