We use keycloak as OIDC Identity provider for several functional applications.
The functional applications use the login-status-iframe for token refresh.
Within the keycloak events we see, that a token refresh is done every 3 seconds by this iframe even we configured the refresh should be done every four minutes. We have the behaviour since few month, and did not see it before.
We are running with keycloak 20.
We see, that the cookie KEYCLOAK_SESSION has set the property HttpOnly. Within other forum entries we see that this cookie must not have set the property HttpOnly as otherwise the iFrame will not be able to access the coockie and will not be able to obtain the session status. We assume that this is the reason for the login-status-iframe to send a refresh-token request any 3 seconds.
Is there any chance to possiblity to disable the HttpOnly Property for the cookie KEYCLOAK_SESSION?
Was there any change within keycloak concerning the flag or concerning the login-status-iframe?
Or do you have any other idea, what could be the reason for the iframe sending refresh-token requests any 3 seconds?