We have a client-side widget that is meant to be embedded as an iframe in external sites. Users must authenticate to use the functionality of the widget, which relies on the Javascript adapter to login and refresh the access token (through a sub-iframe).

The default value of the Content Security Policy (CSP) header prevents Keycloak pages from being included in non-origin iframes. So, it prevents our widget from being used in external sites.

Assuming that the client itself is properly configured security-wise, is such a restrictive CSP really required? We are unable to figure out what it is protecting against but guess that there must be a good reason for it.

How are widgets for external sites that authenticate with Keycloak protected?

See Cross Frame Scripting Software Attack | OWASP Foundation Cross Frame Scripting Software Attack | OWASP Foundation for real scenarios

Make sure you have IDP session opened before loading “widget” by the browser so SSO will be aplied. See GitHub - jangaraj/grafana-iframe for example Grafana via iframe.

Be prepare for many (future) problems. Browsers are trying to protect users against dangerous setup, so this may be working now with some brosers, but it may be a problem in the future. I would avoid this kind of security hacking if you need serious implementation.