Keycloak Cookies Issue in Chrome Incognito Mode

I need your help with the following issue:

  1. I open Google Chrome in Incognito mode.
  2. I open my web app and click on Login.
  3. The web app navigates to the Keycloak client.
  4. Then I enter my login credentials and click Login.
  5. The Keycloak redirects me to my web app.

In my app the following behavior happens:

  1. My app logs out automatically.
  2. When I go to the client I find that it has logged out automatically too.
  3. I also found that Chrome blocks the following cookies on my web app: AUTH_SESSION_ID, AUTH_SESSION_ID_LEGACY, and KC_RESTART.

Another note: when I open the Keycloak client URL directly and log in, it doesn’t log out automatically. It only happens when I do the login scenario from my app as described above.

Could anyone tell me the possible reasons that may cause this issue?

It can be:

  • old Keycloak - problem with Chrome SameSite cookie config
  • wild app implementation - e.g. iframed app/auth/… CORS issues, …
  • wild infrastructure between browser and Keycloak - reverse proxy, corporate web proxy, …
  • browser plugins
  • too much data in the cookie value (there is a browser limit)

Browser console is your friend. You may find the reason why the cookie is blocked, what kind of cookie it is trying to create, …

It is a lottery to say the real reason without a reproducible example.

Thanks, @jangaraj, for your reply. I discovered the main reason for this problem, but it would be nice if you could confirm it’s an issue.

My web app is hosted at xyz.domain1.com and Keycloak is hosted at abc.domain2.com. So the problem is that my web app treats Keycloak cookies as third-party cookies. So, some of them are being blocked and cause some problems, especially in the private mode of the browsers.

FYI - I don’t experience the same in incognito Chrome. For protocol – is it SAML or OIDC? Which OIDC/SAML client are you using on the web app?

That sounds like a wild app implementation - e.g. iframed app/auth/… CORS issues, … or some Chrome plugin problem. I’m also not able to replicate the issue with Keycloak 11 and the latest Chrome on Windows.

Thanks, @jangaraj, and @vonfoovonbar for your replies.

I’m using Keycloak 12.0.3 with OIDC. The front-end is Angular 10 using the angular-oauth2-oidc package.

The problem happened because of the following reasons:

  1. My front-end has a callback that is being executed when the session state changes.
  2. When I open the front-end in Incognito mode, Chrome blocks some cookies.
  3. When Chrome blocks the cookies, the session keeps changing for some reason related to the cookies being blocked.
  4. The front-end then fires the callback. The callback had code that performs a logout, hence the login session terminates immediately.
  5. The cookies problem and the session change were because of deploying my front-end on a different domain. So, my front-end was at xyz.domain1.com and Keycloak was at abc.domain2.com. My app considered Keycloak cookies as third-party ones.
  6. When I changed my front-end domain to be xyz.domain2.com the app worked perfectly and the cookies weren’t blocked. Also, the silent refresh iframe worked perfectly.

The only thing I couldn’t understand is why Chrome blocks some Keycloak cookies. I think it’s something related to SameSite and HttpOnly in the headers. But I’m already using Keycloak 12.0.3, which means that those issues have already been resolved!
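The failure described in points 3 and 4 above is a "log out on every session state change" callback. Below is an added example (not code from this thread, nor from angular-oauth2-oidc or Keycloak) of how an RP should react to the three answers an OIDC Session Management check_session_iframe can give: "unchanged", "changed" and "error". It is written as pure decision functions so the reaction can be tested without a browser; the origin `https://abc.domain2.com` is taken from the thread, and the `simulate` driver and the result shape of the silent re-authentication are assumptions for illustration.

```javascript
// Added example: OIDC Session Management reactions on the RP (SPA) side.
// The RP posts "<client_id> <session_state>" to the OP's check_session_iframe
// and the iframe answers "changed", "unchanged" or "error". When the iframe
// cannot read the OP's session cookie (third-party cookies blocked), the
// answer is not "unchanged" even though the user is still logged in at the OP,
// so "changed" must not be translated directly into logout().

const OP_ORIGIN = 'https://abc.domain2.com'; // issuer origin named in the thread

// Decide how to react to one postMessage event ({ origin, data }) from the iframe.
function decideSessionAction(event, opOrigin) {
  // Only the OP may drive this logic; a message from any other origin is dropped,
  // otherwise any embedded page could force re-auth or logout by posting "changed".
  if (event.origin !== opOrigin) return 'ignore';
  switch (event.data) {
    case 'unchanged':
      return 'noop';
    case 'changed':
      // The session_state differs (or could not be read). Re-check with a
      // prompt=none authorization request instead of logging the user out.
      return 'silent-reauth';
    case 'error':
      // The OP could not evaluate the request. Stop polling, keep the session.
      return 'stop-polling';
    default:
      return 'ignore';
  }
}

// After the prompt=none re-authentication: log out only when the OP itself
// reports that there is no session any more (assumed result shape:
// { session_state } on success, { error } on failure).
function decideAfterSilentReauth(result) {
  if (result.error === 'login_required') return 'logout';
  if (result.error) return 'stop-polling'; // interaction_required, consent_required, ...
  if (result.session_state) return 'reauthenticated';
  return 'stop-polling';
}

// Hypothetical driver: replays a sequence of iframe messages the way the
// thread's front-end callback would see them, and returns the actions taken.
function simulate(events, opOrigin, silentReauthResult) {
  let polling = true;
  const log = [];
  for (const ev of events) {
    if (!polling) { log.push('skipped'); continue; }
    let action = decideSessionAction(ev, opOrigin);
    if (action === 'silent-reauth') action = decideAfterSilentReauth(silentReauthResult);
    if (action === 'stop-polling' || action === 'logout') polling = false;
    log.push(action);
  }
  return log;
}

// Stand-alone demonstration: two "changed" answers while the OP still has a
// session keep the user logged in instead of terminating the session.
console.log(simulate(
  [{ origin: OP_ORIGIN, data: 'changed' }, { origin: OP_ORIGIN, data: 'changed' }],
  OP_ORIGIN,
  { session_state: 'constructed-session-state' }
));
```

The origin check is the part worth keeping even if the rest is adapted: a session-monitor that acts on any `message` event, without comparing `event.origin` to the issuer, lets any framed or framing document log the user out.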

Silent refresh in the iframe. That sounds like old-school implicit flow. Any iframe is a problem. Keycloak in the iframe is third-party content/cookie. Chrome blocks third-party cookies by default in incognito mode. But I bet you will have this problem also in standard mode soon: "Google Effort to Kill Third-Party Cookies in Chrome Rolls Out in April"

That mentioned lib has not been very mature. It didn’t support PKCE before, so I guess you are using the implicit flow only because it’s the default option. So code it and use the golden rule for SPA = PKCE flow.

I would use GitHub - damienbod/angular-auth-oidc-client: npm package for OpenID Connect, OAuth Code Flow with PKCE, Refresh tokens, Implicit Flow