Tracking Protection in Firefox > 89 vs Keycloak-JS SPA

Hi,

we are running a SPA with the Keycloak JavaScript Adapter at version 11.0.03, using the Authorization Code with PKCE flow.
Authorization does not work anymore in Firefox private mode since its version 89. It seems Firefox added "Total Cookie Protection" (Firefox now blocks cross-site tracking by default in private browsing).
I also tried it with Keycloak versions 13.0.1 and 15.0.2, but authorization is still impossible, i.e. the client does not know about the Keycloak session.

It seems the following is not working in Firefox private mode, but does work in Chrome private mode:

Session Status iframe is not supported and is automatically disabled if such browser behavior is detected by the JS adapter.
(Securing Applications and Services Guide)

Are there any known fixes for this or is a fix planned in future releases?

Our init settings:
onLoad: 'check-sso',
silentCheckSsoRedirectUri: 'our_template_path/silent-check-sso.html',
useNonce: true,
pkceMethod: 'S256',
checkLoginIframe: false,

Best regards

The issue seems to me like the following:

keycloak-js tries to detect third-party (3p) cookie support with the two-step request method.

Because these requests can access the cookies in Firefox's separated cookie jars, keycloak-js thinks that Firefox supports 3p cookies and therefore uses silent check-sso instead of falling back to regular check-sso.

But silent check-sso cannot access 3p cookies from the separated cookie jars, so no authentication is possible in Firefox private mode.

Are there any further insights?

Is there any update on this? Our application does not work on Firefox because of this.

Hey,

glad to hear that we are not the only ones with that problem.

No, unfortunately there is no update on this issue.

But we disabled silent check-sso completely, just for Firefox clients.
That can be done by simply not setting silentCheckSsoRedirectUri on init.
This causes some additional redirects to Keycloak and back, but at least it works.
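The workaround from the reply above, written out as an added example (it is not code from the thread or from the Keycloak project): the init options from the first post are built per browser, and silentCheckSsoRedirectUri is left out for Firefox so keycloak-js falls back to the regular check-sso redirect rather than the hidden iframe that cannot see the partitioned cookies. The reply does not say how Firefox clients were identified; detecting them by user-agent string is an assumption here, as are the Keycloak server URL, realm, client id and the location of silent-check-sso.html in the browser-side wiring. The sample user-agent strings at the bottom are constructed for an offline check.

```javascript
// Added example, not from the original thread or from keycloak-js itself.
// Assumption: Firefox is detected by user-agent sniffing (the reply did not
// say how the poster told Firefox clients apart).

// Firefox user agents carry a "Firefox/<version>" token. SeaMonkey carries
// the same token but is not Firefox, so it is excluded. Private mode is not
// visible in the user agent, so the workaround applies to every Firefox client.
function isFirefox(userAgent) {
  return /Firefox\/\d+/.test(userAgent) && !/SeaMonkey\//i.test(userAgent);
}

// Build the options object passed to keycloak.init(). The base settings are
// the ones from the first post in the thread. For Firefox the
// silentCheckSsoRedirectUri key is omitted entirely, which makes keycloak-js
// perform check-sso with a full redirect to Keycloak and back instead of
// the silent iframe.
function buildInitOptions(userAgent, silentCheckSsoRedirectUri) {
  const options = {
    onLoad: 'check-sso',
    useNonce: true,
    pkceMethod: 'S256',
    checkLoginIframe: false,
  };
  if (!isFirefox(userAgent)) {
    options.silentCheckSsoRedirectUri = silentCheckSsoRedirectUri;
  }
  return options;
}

// Browser-side wiring (hypothetical): assumes keycloak-js is loaded as the
// global Keycloak and that silent-check-sso.html is served from the app root.
// The server URL, realm and clientId below are placeholders.
if (typeof window !== 'undefined' && typeof Keycloak !== 'undefined') {
  const keycloak = new Keycloak({
    url: 'https://keycloak.example.com/auth', // placeholder
    realm: 'example',                          // placeholder
    clientId: 'spa',                           // placeholder
  });
  const redirectUri = `${window.location.origin}/silent-check-sso.html`;
  keycloak
    .init(buildInitOptions(navigator.userAgent, redirectUri))
    .then((authenticated) => console.log('authenticated:', authenticated))
    .catch((err) => console.error('keycloak init failed', err));
}

// Constructed sample user agents for an offline check of the selection logic.
const SAMPLE_UAS = {
  firefox: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0',
  chrome: 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36',
  seamonkey: 'Mozilla/5.0 (Windows NT 6.1; rv:2.0b6pre) Gecko/20100903 Firefox/4.0b6pre SeaMonkey/2.1a3',
};

// Offline demonstration: Firefox gets no silentCheckSsoRedirectUri, Chrome does.
const firefoxOptions = buildInitOptions(SAMPLE_UAS.firefox, '/silent-check-sso.html');
const chromeOptions = buildInitOptions(SAMPLE_UAS.chrome, '/silent-check-sso.html');
console.log('firefox:', firefoxOptions);
console.log('chrome:', chromeOptions);
```

Because the redirect-based check-sso leaves and re-enters the SPA, the app state that existed before init (form input, in-memory data) is lost on that round trip, which is the cost the reply refers to as "additional redirects".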