3rd parties cookie with Keycloak

hello everyone,

Currently, I’m stumbling on a problem where the deployment of Keycloak uses a different domain from the application. We implemented the silent renew process in OIDC using the library oidc-client-ts, which is a standard implementation.

However, I am also aware that the cookie which comes from Keycloak is considered a 3rd-party cookie, and the browser doesn’t allow reading this cookie via an iframe (the silent renew process uses an iframe to trigger checking and renewing the token in the background).

Does anyone have experience with this topic? We have many cases where applications (from different domains) are authenticated with the same Keycloak (IdP), which is deployed in a different domain.
The problem is related to this issue: Linux Firefox + Keycloak 22.0.1 issue (continuation of issue 21307) · Issue #22839 · keycloak/keycloak · GitHub

Thanks a lot,
Tuan Do

@dasniko, do you have any experience with this topic?

The upcoming deprecation of third-party cookies will impact:

  • OpenID Connect Front-Channel Logout
  • OpenID Connect Session Management
  • iframe-based background token renewal 👈
  • iframe-based login widget

This means your code will likely break if it relies on iframes.

As an alternative, I recommend reviewing the RFC (draft) OAuth 2.0 for Browser-Based Applications [1], which provides guidelines for architecture patterns in public clients. Alternatively, you always have the option to delegate the authentication and token renewal to a proxy with an OIDC module such as lua-resty-openidc [2].

[1] draft-ietf-oauth-browser-based-apps-19
[2] zmartzone/lua-resty-openidc on GitHub: OpenID Connect Relying Party and OAuth 2.0 Resource Server implementation in Lua for NGINX / OpenResty
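To make the proxy option concrete, here is an added example (not from either post, and not the project's own sample) of an OpenResty server block that delegates login and token renewal to lua-resty-openidc. The hostnames, realm, client credentials, session secret, certificate path and upstream are placeholders; the option names are the ones documented in the lua-resty-openidc README. The point for the third-party cookie problem: the only cookie the browser ever receives is the proxy's own session cookie on app.example.com (first-party), and the Keycloak tokens stay on the server side, so no iframe and no cross-site cookie read is needed to renew them.

```nginx
# Constructed example. Place the lua_* directives inside the http block.
lua_shared_dict discovery 1m;   # caches Keycloak's OIDC discovery document
lua_shared_dict jwks 1m;        # caches Keycloak's signing keys
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # placeholder path
resolver 127.0.0.53;            # placeholder: DNS resolver used by the Lua HTTP client

server {
    listen 443 ssl;
    server_name app.example.com;                 # placeholder hostname
    set $session_secret "CHANGE-ME-32-BYTE-RANDOM";  # placeholder: protects the proxy's session cookie

    location / {
        access_by_lua_block {
            local opts = {
                -- placeholders: realm, client id and secret are assumptions
                discovery     = "https://keycloak.example.com/realms/myrealm/.well-known/openid-configuration",
                client_id     = "my-bff-client",
                client_secret = "CHANGE-ME",
                redirect_uri  = "https://app.example.com/redirect_uri",
                scope         = "openid",
                -- refresh the access token on the proxy when it expires,
                -- replacing the iframe-based silent renew in the browser
                renew_access_token_on_expiry = true,
                -- keep the tokens in the server-side session, never in the SPA
                session_contents = { id_token = true, access_token = true },
            }
            local res, err = require("resty.openidc").authenticate(opts)
            if err then
                ngx.status = 500
                ngx.say(err)
                ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
            end
            -- forward the (possibly just renewed) token to the backend
            ngx.req.set_header("Authorization", "Bearer " .. res.access_token)
        }
        proxy_pass http://backend:8080;          # placeholder upstream
    }
}
```

Because renewal happens in the proxy, the browser's third-party cookie policy no longer matters; what you need to watch instead is the lifetime and rotation of the proxy's session cookie and the refresh token it holds.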