Open the browser’s developer tools and check the KC_SESSION cookie while re-authenticating. To work as expected it should be marked as SameSite: None and Secure. If it’s not then the browser is probably blocking it inside the iframe.
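A way to automate the cookie check above, as an added example that is not part of the thread or of Keycloak: it parses Set-Cookie headers (constructed sample values, apart from the KC_SESSION name) and reports whether each cookie can be sent back from inside a cross-site iframe. The rules applied (SameSite=None needs Secure; Lax/Strict are withheld cross-site; a missing SameSite is treated as Lax) are an assumption about current browser defaults, not something the post states.

```python
# Added example: classify Set-Cookie headers by cross-site iframe behaviour.
# Assumed browser rules (modern Chromium-style defaults):
#   - SameSite=None without Secure  -> cookie rejected at set time
#   - SameSite=None; Secure         -> sent in a cross-site iframe
#   - SameSite=Lax/Strict or absent -> not sent in a cross-site iframe
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'NAME=value; Attr; Attr=val' into name, value and lower-cased attrs."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def iframe_verdict(header: str) -> Dict[str, object]:
    """Return why a cookie will or will not reach the server from a cross-site iframe."""
    name, _, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    samesite = attrs.get("samesite", "").lower() or "lax (default)"
    if samesite == "none" and not secure:
        status, reason = "rejected", "SameSite=None without Secure: browser drops the cookie"
    elif samesite == "none":
        status, reason = "ok", "SameSite=None; Secure: sent from a cross-site iframe"
    else:
        status, reason = "blocked", f"SameSite={samesite}: not sent from a cross-site iframe"
    return {"name": name, "samesite": samesite, "secure": secure,
            "status": status, "reason": reason}


def audit(headers: List[str]) -> Dict[str, str]:
    """Map cookie name -> status for a list of Set-Cookie headers."""
    return {str(v["name"]): str(v["status"]) for v in map(iframe_verdict, headers)}


# Constructed sample headers, as a re-authentication response might return them.
SAMPLE_HEADERS = [
    "KC_SESSION=abc123; Path=/; Secure; HttpOnly; SameSite=None",
    "SAMPLE_LAX=1; Path=/; Secure; HttpOnly",            # no SameSite -> Lax
    "SAMPLE_NONE_INSECURE=1; Path=/; SameSite=None",     # None but not Secure
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        v = iframe_verdict(h)
        print(f"{v['name']:<22} {v['status']:<9} {v['reason']}")
```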
What version of Keycloak are you running? I just updated to version 26 and I had to do some custom cookie stuff to get this working when running inside Kubernetes.
There doesn’t appear to be any way to set a SameSite value, this code always passes in null. I think you’d need to either update Keycloak or introduce a proxy layer to modify the request headers.
An easier solution is to avoid using iframes. In the past (long ago), they were an option, but nowadays, they cause headaches for many reasons.
Instead, use the traditional redirect.
Absolutely. We are actively fighting the iframe fight and it feels like a losing battle. “We do this not because it is easy, but because we thought it would be easy”
The problem is that you’re fighting a battle where you don’t set the rules, and they keep changing over time (SameSite cookie restrictions, third-party cookie changes, etc.). As a result, there’s a high chance you’ll end up losing it.
I will try to upgrade Keycloak as Ben suggested, as we have several platforms using iframes. If the issue persists, I will switch all systems to traditional redirects.
I will keep you posted
Thank you very much.