Keycloak iframe re-authenticate/You are already logged in

I am embedding Keycloak in an iframe to allow users to change their passwords and enable 2FA.

Users are already logged in to the main site; however, when they browse the iframe they get asked to re-authenticate.

Once they re-authenticate, they get an error message: "Already logged in".

I am not sure if it is related to a cookie conflict or some server configuration?

Open the browser’s developer tools and check the KC_SESSION cookie while re-authenticating. To work as expected it should be marked as SameSite: None and Secure. If it’s not, then the browser is probably blocking it inside the iframe.

What version of Keycloak are you running? I just updated to version 26 and I had to do some custom cookie stuff to get this working when running inside Kubernetes.

We are using version 20 of Keycloak, and here is a picture of the cookies I see:

When I hover over the Cookies/Domain on the left side I get this message: “iframe cookies may have been blocked due to third party phaseout”.

Yep, if your browser assumes Lax for the KC_SESSION cookie it will be ignored when doing cross-origin requests (like with iframes).

For Keycloak 20 here’s the code in play: keycloak/services/src/main/java/org/keycloak/protocol/RestartLoginCookie.java on the archive/release/20.0 branch of keycloak/keycloak on GitHub.

There doesn’t appear to be any way to set a SameSite value, this code always passes in null. I think you’d need to either update Keycloak or introduce a proxy layer to modify the request headers.

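The cookie check suggested earlier in the thread (inspect the session cookie for SameSite=None and Secure) and the explanation just above (a cookie with no SameSite attribute is treated as Lax and dropped from cross-site iframe requests; a proxy in front of Keycloak could rewrite the header) as an added example. This is not code from the thread or from Keycloak: it models how a browser with modern SameSite defaults decides whether a cookie is attached to a request made from a cross-site iframe, and shows the Set-Cookie rewrite a reverse proxy would apply (the kind of thing nginx's `proxy_cookie_flags` does). The Set-Cookie lines, the realm path `/realms/demo/` and the cookie values are constructed for illustration; the cookie names follow Keycloak's naming but are used here only as sample input.

```javascript
// Constructed Set-Cookie headers in the shape Keycloak 20 emits: no SameSite
// attribute at all (see RestartLoginCookie.java passing null). Not captured
// from a real server; names/values/path are illustrative.
const SAMPLE_SET_COOKIE_HEADERS = [
  "AUTH_SESSION_ID=s1d2e3f; Version=1; Path=/realms/demo/; Secure; HttpOnly",
  "KC_RESTART=tok123; Version=1; Path=/realms/demo/; Secure; HttpOnly",
  // what the same cookie looks like after a proxy has fixed it up
  "KEYCLOAK_SESSION=demo/ab12/cd34; Version=1; Path=/realms/demo/; Secure; SameSite=None",
];

// Parse one Set-Cookie header into name, value and lower-cased attributes.
// Flag attributes (Secure, HttpOnly) become `true`; valued ones keep their value.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Decide whether a browser with "Lax by default" semantics would send this
// cookie on a request made by an <iframe> embedded on a different site.
// An iframe load is not a top-level navigation, so Lax cookies stay home.
function classifyForIframe(cookie) {
  const { attrs } = cookie;
  const secure = attrs.secure === true;
  const sameSite =
    typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : "";

  if (sameSite === "none") {
    if (!secure) {
      // Browsers reject SameSite=None without Secure outright.
      return { sent: false, reason: "SameSite=None without Secure: cookie rejected by the browser" };
    }
    return {
      sent: true,
      reason: "SameSite=None; Secure: sent cross-site (unless third-party cookies are blocked by policy)",
    };
  }
  if (sameSite === "strict") {
    return { sent: false, reason: "SameSite=Strict: never sent on cross-site requests" };
  }
  if (sameSite === "lax") {
    return { sent: false, reason: "SameSite=Lax: only top-level navigations, not iframe loads" };
  }
  return { sent: false, reason: "no SameSite attribute: browser defaults to Lax, not sent to a cross-site iframe" };
}

// What a reverse proxy would do to the Set-Cookie header on the way out:
// drop any existing SameSite/Secure tokens and append SameSite=None; Secure.
function addSameSiteNone(header) {
  const parts = header
    .split(";")
    .map((s) => s.trim())
    .filter(Boolean)
    .filter((p) => !/^samesite=/i.test(p) && !/^secure$/i.test(p));
  return parts.concat(["SameSite=None", "Secure"]).join("; ");
}

// Audit a list of Set-Cookie headers the way you would while staring at the
// devtools Application tab: which ones survive inside the iframe, and why not.
function auditIframeCookies(headers) {
  return headers.map((h) => {
    const cookie = parseSetCookie(h);
    const verdict = classifyForIframe(cookie);
    return { name: cookie.name, sent: verdict.sent, reason: verdict.reason };
  });
}

for (const row of auditIframeCookies(SAMPLE_SET_COOKIE_HEADERS)) {
  console.log(`${row.sent ? "OK  " : "DROP"} ${row.name}: ${row.reason}`);
}
console.log("rewritten:", addSameSiteNone(SAMPLE_SET_COOKIE_HEADERS[1]));
```

Run it with `node` to see the two unflagged Keycloak cookies reported as dropped and only the SameSite=None; Secure one reported as sent. Note that SameSite=None; Secure is necessary but not sufficient: the "third party phaseout" notice in devtools is the separate third-party-cookie blocking mechanism, which ignores SameSite entirely, which is why the redirect-based flow suggested later in the thread is the durable option.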

An easier solution is to avoid using iframes. In the past (long ago), they were an option, but nowadays, they cause headaches for many reasons.
Instead, use the traditional redirect.


Absolutely. We are actively fighting the iframe fight and it feels like a losing battle. “We do this not because it is easy, but because we thought it would be easy”


The problem is that you’re fighting a battle where you don’t set the rules, and they keep changing over time (SameSite cookie restrictions, third-party cookie changes, etc). As a result, there’s a high chance you’ll end up losing it :neutral_face:


I will try to upgrade Keycloak as Ben suggested, as we have several platforms using iframes. If the issue persists I will switch all systems to traditional redirects.
I will keep you posted
Thank you very much.