Keycloak broker authentication fails on iOS in canvas iframe

Is there a way to disable Keycloak cookies for brokering authentication (or entirely)?

This thread seems to imply it is possible, but it’s unclear how: Disable Keycloak sessions · Issue #13789 · keycloak/keycloak · GitHub

We are running into an issue on iOS: since our application must be deployed in an iframe (Salesforce), these cookies are considered third-party (not Same-Site) and are therefore blocked by iOS security policies. Keycloak works fine on every platform where third-party cookies are allowed, but fails in browsers such as Chrome in incognito mode, where the same restrictions apply. Since iOS mandates an OS-wide ban on third-party cookies in iframes, Keycloak authentication fails in every browser.

Some detail on our solution components:

  1. Web application hosted on domain-X embedded in a canvas iframe on domain-Y
    • keycloak-js is used with checkLoginIframe set to false and onLoad set to login-required.
    • The web application contacts the Keycloak server (#2).
  2. A Keycloak server hosted on the subdomain iam of domain-X
    • Brokers authentication with external IdP.
  3. External IdP hosted on domain-Z
    • The Keycloak server brokers connections to an external IdP on domain-Z.

This solution works fine on every platform where third-party cookies are allowed, but seems to fail when Keycloak cookies are blocked.

So far we have not found a solution that allows Keycloak to perform brokering authentication on iOS in an iframe. We hoped to be able to disable cookies to accomplish this, but we have not found a mechanism to do so. Any guidance would be appreciated.
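To make the cookie classification in the post concrete, here is an added example (not the poster's code and not part of keycloak-js) that models which origin a browser judges a cookie against when the Keycloak broker runs inside the canvas iframe. The origins, the registrableDomain/isSameSite/cookieContextFor helpers and the two-label site heuristic are assumptions.

```javascript
// Added example, not from the original post: shows why the Keycloak cookie
// is first-party when the app is top-level but third-party inside the
// Salesforce canvas iframe. All names and origins below are constructed.

// Naive "site" computation: the last two DNS labels. Real browsers consult
// the Public Suffix List, so this is an approximation (assumption).
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.').filter(Boolean);
  return labels.slice(-2).join('.');
}

// Same-site in the cookie sense: scheme and registrable domain both match.
function isSameSite(originA, originB) {
  const a = new URL(originA), b = new URL(originB);
  return a.protocol === b.protocol &&
    registrableDomain(a.hostname) === registrableDomain(b.hostname);
}

// The browser judges a cookie against the TOP-LEVEL page origin, not against
// the origin of the iframe that is making the request.
function cookieContextFor(topLevelOrigin, cookieOrigin) {
  return isSameSite(topLevelOrigin, cookieOrigin) ? 'first-party' : 'third-party';
}

// The hosts from the post, as constructed placeholders.
const APP_ORIGIN = 'https://app.domain-x.example';      // web application
const KEYCLOAK_ORIGIN = 'https://iam.domain-x.example'; // Keycloak broker
const CANVAS_ORIGIN = 'https://domain-y.example';       // Salesforce canvas page
const IDP_ORIGIN = 'https://domain-z.example';          // external IdP

// keycloak-js init options as the post describes them (only these two keys
// are taken from the post; the object shape is otherwise assumed).
function keycloakInitOptions() {
  return { onLoad: 'login-required', checkLoginIframe: false };
}

// Classify every cookie-setting hop of the brokered flow in both deployments.
function classifyFlow() {
  return {
    standalone: cookieContextFor(APP_ORIGIN, KEYCLOAK_ORIGIN),        // 'first-party'
    inCanvasIframe: cookieContextFor(CANVAS_ORIGIN, KEYCLOAK_ORIGIN), // 'third-party'
    idpInCanvasIframe: cookieContextFor(CANVAS_ORIGIN, IDP_ORIGIN),   // 'third-party'
  };
}
```

Note that the iam subdomain only helps when domain-X itself is the top-level page; once domain-Y is top-level, both the Keycloak cookie and the IdP cookie fall under the third-party ban the post describes.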