[Have looked through all searchable forums and tried responses from gemini, GPT, perplexity and such but to no avail.]
Environment:
Keycloak Version: 26.3.4
Keycloak Host: https://sso.mydomain.com
Client Apps (in the same realm):
https://app1.mydomain.com
https://app2.anotherdomain.net
Client Architecture: Each frontend application is backed by its own BFF (Backend-for-Frontend). Each BFF is registered in Keycloak as a confidential client and is responsible for the OIDC code-to-token exchange and managing the user session.
Goal: To achieve seamless SSO. A user should log in once to any client and be automatically authenticated when visiting any other client, regardless of their top-level domain.
Observed Behavior:
We are seeing two distinct outcomes based on the initial login point.
What Works: Login via Keycloak Account Console
A user logs in directly at the Keycloak Account Console (https://sso.mydomain.com/realms/my-realm/account).
The user then navigates to app1.mydomain.com or app2.anotherdomain.net.
SSO works perfectly; the client’s BFF initiates the OIDC flow, Keycloak sees the existing SSO session, and the user is automatically logged in.
What Fails: Client-Initiated Login
A user is fully logged out.
The user navigates first to https://app2.anotherdomain.net.
The application redirects to Keycloak, the user authenticates, and is redirected back. Login is successful for app2.anotherdomain.net only.
The Problem: If the user now opens a new tab and navigates to app1.mydomain.com (or the Keycloak account console), they are prompted to log in again. The global SSO session is not recognized.
Question:
I understand this is the expected behavior due to browser cookie policies preventing access across different top-level domains.
Given our BFF architecture, what is the standard flow between the frontend, our confidential BFF client, and Keycloak to ensure a client-initiated login correctly establishes a global SSO session that is recognized by all other clients? How should the redirect and callback be handled by the BFF to ensure the central Keycloak session is respected on subsequent visits to other clients?
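The BFF-side flow the question asks about, as an added example that is not from the discussion or from Keycloak's own code: the BFF keeps state and a PKCE verifier in its own first-party session, sends the browser (top-level redirect, not a server-side fetch) to Keycloak's authorization endpoint so Keycloak can set its SSO cookies on sso.mydomain.com, and exchanges the code on the back channel. The client id, client secret and callback path are assumed placeholders; the realm and hosts are the ones named above.

```python
import base64, hashlib, secrets, urllib.parse, urllib.request

# Placeholders for this example; the realm and app hosts come from the discussion.
KEYCLOAK = "https://sso.mydomain.com/realms/my-realm/protocol/openid-connect"
CLIENT_ID = "app2-bff"             # assumed name of the confidential client
CLIENT_SECRET = "<client-secret>"  # placeholder, loaded from secure config in practice
REDIRECT_URI = "https://app2.anotherdomain.net/oidc/callback"

def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def query_params(url_or_query: str) -> dict:
    """Single-valued view of a URL's query string (or of a bare query string)."""
    query = urllib.parse.urlsplit(url_or_query).query or url_or_query
    return dict(urllib.parse.parse_qsl(query))

def start_login(session: dict) -> str:
    """Step 1: store state + PKCE verifier in the BFF's own first-party session and
    return the URL to send the *browser* to with a top-level 302. Keycloak answers
    that navigation by setting its SSO cookies on sso.mydomain.com, so the session it
    creates belongs to the Keycloak host, not to app2.anotherdomain.net."""
    session["oidc_state"] = secrets.token_urlsafe(32)
    session["oidc_verifier"] = secrets.token_urlsafe(64)
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid", "state": session["oidc_state"],
        "code_challenge": pkce_challenge(session["oidc_verifier"]),
        "code_challenge_method": "S256",
    }
    return f"{KEYCLOAK}/auth?{urllib.parse.urlencode(params)}"

def token_request(session: dict, callback_query: str) -> urllib.request.Request:
    """Step 2: on /oidc/callback, bind the response to the stored state (CSRF check),
    then build the back-channel code exchange that only the BFF, holding the client
    secret and the PKCE verifier, can complete. The caller sends it with urlopen()."""
    q = query_params(callback_query)
    if "code" not in q or q.get("state") != session.pop("oidc_state", None):
        raise ValueError("state mismatch or missing code: reject the callback")
    body = {
        "grant_type": "authorization_code", "code": q["code"],
        "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET, "code_verifier": session.pop("oidc_verifier"),
    }
    return urllib.request.Request(
        f"{KEYCLOAK}/token", data=urllib.parse.urlencode(body).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"}, method="POST")
```

The BFF's own session cookie (the one `session` is keyed by) stays first-party to each app host; only Keycloak's cookies on sso.mydomain.com carry the global SSO session, which is why every later client must also reach Keycloak through a top-level browser redirect.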