Integrate login form within an iframe on an existing website

Hello there,

At work, I have to implement a dirty way to log in because of a Sales Team error :sweat_smile: So there is no way I could change how to log in, except to explain it here.

Architecture:
We have to build multiple applications, all connected together through Keycloak OpenID Connect. The applications are built using Symfony 6.1 and PHP 8.1, and we are not using a single-page architecture. So we plan to use OpenID Connect to connect to Keycloak (we already have another application connected to Keycloak this way). We are using EC2 servers.
Example URLs:
Keycloak URL: https:// keycloak.aws.cloud
Local App: http:// myapp.localhost

Current value of the Content-Security-Policy in the Keycloak admin console: frame-src ‘self’ http:// mayapp.localhost localhost; frame-ancestors ‘self’ http:// mayapp.localhost localhost; object-src ‘none’;

Goal:
The client does not want to be redirected to the Keycloak side. He would like the fields to appear on the login page of each application, so we are trying to make the login system work within an iframe.

Problem:
After a lot of research, I finally found a way to display the form correctly using Realm Settings > Security Defense > Content-Security-Policy. But now, when I log in successfully as my user, I get the error message: "Cookie not found. Please make sure cookies are enabled in your browser."

I did a lot of research but was unable to solve the problem. I tried looking at CORS and setting Allow-Origin. I tried testing with Keycloak.js (but it seems to be built for SPAs).

Is there a way to achieve that?
If yes, could you please guide me a little (as I'm a noob at server config) by telling me which configuration on which side I should update?

Thanks

No one can help me with that error? :confused:

I think no one will help you implement a broken way to log in your users. Login is too security-relevant to do it in a dirty way.

So the only hint will be: Use standards with OIDC redirects, and update your Sales Team.

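The reply above recommends the standard OIDC redirect flow instead of an iframe. As an added example, not code from the thread or from Keycloak, here is the relying-party side of that flow in Python: the app builds the authorization request (with `state`, `nonce` and PKCE), stores the secrets in its own session, verifies `state` on the callback and prepares the token request. The realm name `myrealm`, client id `myapp`, the callback route and the Quarkus-style Keycloak path `/realms/{realm}/protocol/openid-connect/...` (older Keycloak adds an `/auth` prefix) are assumptions; the sample callback URL is constructed for the demonstration.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values (hypothetical, not taken from the thread's configuration).
KEYCLOAK_BASE = "https://keycloak.aws.cloud"            # thread's Keycloak host
REALM = "myrealm"                                        # assumed realm name
CLIENT_ID = "myapp"                                      # assumed public client id
REDIRECT_URI = "http://myapp.localhost/login/callback"   # assumed callback route


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge per RFC 7636: BASE64URL(SHA256(verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request(state=None, nonce=None, verifier=None):
    """Return (redirect URL, session data to keep server-side until the callback)."""
    state = state or secrets.token_urlsafe(32)        # CSRF binding for the callback
    nonce = nonce or secrets.token_urlsafe(32)        # bound into the ID token later
    verifier = verifier or secrets.token_urlsafe(64)  # 43..128 chars required by PKCE
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    url = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/auth?{urlencode(params)}"
    return url, {"state": state, "nonce": nonce, "code_verifier": verifier}


def parse_callback(callback_url: str, session: dict) -> str:
    """Validate the redirect back from Keycloak and return the authorization code."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        # Keycloak reports failures (e.g. access_denied) as query parameters.
        raise RuntimeError(f"{q['error'][0]}: {q.get('error_description', [''])[0]}")
    state = q.get("state", [""])[0]
    # Constant-time comparison; encode so non-ASCII attacker input cannot raise TypeError.
    if not state or not secrets.compare_digest(state.encode(), session["state"].encode()):
        raise ValueError("state mismatch: callback is not bound to this session")
    code = q.get("code", [""])[0]
    if not code:
        raise ValueError("authorization code missing from callback")
    return code


def build_token_request(code: str, session: dict):
    """Endpoint and form body for the back-channel code exchange (sent server-side)."""
    token_endpoint = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/token"
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session["code_verifier"],  # proves we started this flow
    }
    return token_endpoint, body


if __name__ == "__main__":
    # Constructed walk-through: start the flow, then simulate Keycloak's redirect back.
    url, sess = build_authorization_request()
    print("redirect the browser to:", url)
    fake_callback = f"{REDIRECT_URI}?{urlencode({'state': sess['state'], 'code': 'abc123'})}"
    code = parse_callback(fake_callback, sess)
    print("token request:", build_token_request(code, sess))
```

The session dict lives in the application's own server-side session (a first-party cookie on myapp.localhost), so nothing depends on Keycloak's cookies being readable from another site. After the exchange, the ID token's `nonce` claim still has to be checked against the stored value; that step is omitted here.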

I totally realize that it is a broken way to do it and how stupid it is! But we signed a contract on that point, and we could lose a lot of money if we cannot do it. So if you know how to do it, please help me, but if you don't, that kind of answer is unhelpful.
Thanks