[keycloak-user] Keycloak, iframe, Safari and cookies

Виталий Ищенко betalb at gmail.com
Mon Jan 15 14:47:07 EST 2018


Hiding the login address from the end user is a really bad idea. The user must see
the Keycloak DNS name and be able to verify the SSL certificate.

If you really want to create your own login experience, there is the option
of using the direct grant flow. But this way is also not recommended for public
apps, as users will be asked to enter their credentials on a 3rd-party site
that may not be trusted or may be compromised.
Mon, 15 Jan 2018 at 16:25, Kristoffer Skaret <kristoffer.skaret at gmail.com>:

> Our organization is implementing an OIDC platform based on Keycloak, and so
> far we are overall happy with the result. But we are left with one major
> issue regarding cookies and iframes.
>
>
> Background:
>
>    - Our OIDC platform will be exposed through a public domain on the
>    Internet, and will be used as an authentication service in a long range
>    of different web sites
>    - As a result, the clients to our service will run on different domains
>    - Many of the client applications will prefer to present the OIDC user
>    interface in an iFrame
>
>
> The problem came up when we tried running with this setup using the Safari
> browser. As it seems, Safari treats cookies presented in an iframe as 3rd-party
> cookies. So the browser will refuse to save these, unless a similar
> cookie has already been presented.
>
>    - Has anybody else experience with this issue?
>    - Any suggested solutions?
>
>
> As we have learned, Keycloak is very dependent upon cookies regarding many
> different aspects of the functionality. However, we are considering the
> option to try and make a fork of Keycloak without the need for cookies.
> Many aspects, such as cookie-based SSO, are not relevant in our solution.
>
>
> Thanks,
>
> Kristoffer
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
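One defender-side check that follows from the advice above, added here as an example and not code from this thread or from Keycloak: given the response headers of the login page, decide whether a particular embedding origin would be allowed to put it in an iframe at all. The sample header values are constructed and assume Keycloak's default realm "Security Defenses" headers (X-Frame-Options SAMEORIGIN and a CSP containing frame-ancestors 'self'), which already refuse cross-origin framing of the login page; CSP frame-ancestors takes precedence over X-Frame-Options when both are present.

```python
from urllib.parse import urlsplit

# Constructed sample; assumed to mirror Keycloak's default realm headers.
KEYCLOAK_DEFAULT_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
}


def _same_origin(a: str, b: str) -> bool:
    """Origins match when scheme and host[:port] are identical."""
    return urlsplit(a)[:2] == urlsplit(b)[:2]


def _source_matches(source: str, embedder: str, page: str) -> bool:
    """Match one CSP source expression against the embedding origin."""
    if source == "'self'":
        return _same_origin(embedder, page)
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source.endswith(":") and "/" not in source:      # scheme-only source, e.g. https:
        return urlsplit(embedder).scheme == source[:-1]
    src = urlsplit(source if "://" in source else "//" + source)
    emb = urlsplit(embedder)
    if src.scheme and src.scheme != emb.scheme:
        return False
    host = src.hostname or ""
    if host.startswith("*."):                            # wildcard subdomain match
        return (emb.hostname or "").endswith(host[1:])
    return emb.hostname == host and (src.port is None or src.port == emb.port)


def framing_allowed(headers: dict, page_origin: str, embedder_origin: str) -> bool:
    """True if a page served with these headers may be framed by embedder_origin.

    frame-ancestors wins if present (an empty source list means 'none');
    otherwise X-Frame-Options applies; with neither header browsers allow framing.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    for directive in lowered.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return any(_source_matches(s, embedder_origin, page_origin) for s in parts[1:])
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _same_origin(embedder_origin, page_origin)
    return True
```

Run it against the headers your own login page actually returns (e.g. captured with curl -I) rather than the assumed defaults; a result of True for a foreign origin means the IdP would let that site wrap its login UI.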

