Mozilla and Safari cookies not allowing cookies within an iframe #29112

Open · 1 of 2 tasks
ivan-vizibit opened this issue Apr 26, 2024 · 1 comment
Labels
area/authentication Indicates an issue on Authentication area kind/bug Categorizes a PR related to a bug status/auto-expire status/missing-information team/core-clients

Comments

@ivan-vizibit

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

authentication

Describe the bug

I am developing an add-in within Microsoft Office 365, in Word/Excel and Outlook. The add-in is developed using React Typescript and runs as an iframe. I have other web applications that run on keycloak that share the same realm. On Chrome or Edge, when I log in on any of my other applications and go back to the add-in, I can successfully retrieve the token and have my user info within it. However, this does not work on Mozilla or Safari; they have a much stricter policy and the same flow does not work there. I have seen a similar case reported here as Issue #24335. However, the issue was closed and, as far as I can see, it has not been resolved.

The main issue being I get an error on Mozilla saying:

Cookie “AUTH_SESSION_ID_LEGACY” will soon be rejected because it is foreign and does not have the “Partitioned” attribute.

The same message appears for “KC_RESTART” and “AUTH_SESSION_ID”.

and

Some cookies are misusing the recommended “SameSite” attribute:
Cookie “AUTH_SESSION_ID_LEGACY” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None” attribute to it. To know more about the “SameSite” attribute.

And the same for “KC_RESTART”.


This is a big issue because I want to be able to log in my add-in using Google or Microsoft, which cannot be loaded within an iframe, so I am trying to open the log-in in a new tab and go back to the add-in which is not possible.

Also, I have seen that I should make sure my apps are all on the same eTLD+1 as Keycloak, which is the case in my scenario.

Version

21.1.2

Regression

  • The issue is a regression

Expected behavior

The log-in flow to be the same across all major browsers, Mozilla, Chrome, Edge, Safari when I log in to keycloak on any of my applications to be able to continue with my account in another application within an iframe.

Actual behavior

Currently I can log in on another application in keycloak and continue with my account in another page within an iframe on Chrome and Edge.

How to Reproduce?

Initialize keycloak within an iframe.
Log in to your account on any other application that is on the same realm.
Go back to your iframe and try to log in.
Your account will continue only on Chrome and Edge, not on Mozilla or Safari.

Anything else?

No response
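The two browser warnings quoted above name the exact attributes a browser checks before it will send a cookie from inside a cross-site iframe: `SameSite=None` (otherwise the default `Lax` withholds it), `Secure` (required alongside `SameSite=None`), and `Partitioned` (the attribute Firefox says it will soon require for foreign cookies). The script below, an added example rather than code from the Keycloak project or from the reporter, parses `Set-Cookie` headers and reports which of those attributes are missing, so the response headers of a login endpoint can be checked before deploying an iframe-embedded client. The sample headers are constructed for the example; only the cookie names are taken from the report, and the paths and values are made up.

```python
"""Audit Set-Cookie headers for the attributes a browser requires before it will
send the cookie from a third-party (cross-site iframe) context.

Added example. SAMPLE_HEADERS are constructed; they are not captured from a
Keycloak server and only reuse the cookie names mentioned in the report."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class ParsedCookie:
    name: str
    value: str
    # attribute name (lower-cased) -> attribute value, or None for flags like Secure
    attrs: dict[str, str | None] = field(default_factory=dict)


def parse_set_cookie(header: str) -> ParsedCookie:
    """Split one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return ParsedCookie(name.strip(), value.strip(), attrs)


def audit_third_party_cookie(header: str) -> list[str]:
    """Return the problems a browser would raise for a cookie that has to be
    readable inside a cross-site iframe. An empty list means the cookie carries
    every attribute the warnings in the report ask for."""
    cookie = parse_set_cookie(header)
    problems: list[str] = []
    samesite = (cookie.attrs.get("samesite") or "").lower()
    if samesite == "":
        problems.append(
            f"{cookie.name}: no SameSite attribute; browsers default to Lax, "
            "so the cookie is withheld in third-party contexts")
    elif samesite != "none":
        problems.append(
            f"{cookie.name}: SameSite={samesite} is never sent cross-site")
    if "secure" not in cookie.attrs:
        problems.append(
            f"{cookie.name}: not Secure; SameSite=None cookies are rejected "
            "without the Secure attribute")
    if "partitioned" not in cookie.attrs:
        problems.append(
            f"{cookie.name}: no Partitioned attribute; Firefox warns the cookie "
            "will be rejected as foreign")
    return problems


# Constructed headers: the first two mirror the warnings quoted in the report,
# the third shows the attribute set the warnings ask for.
SAMPLE_HEADERS = [
    "AUTH_SESSION_ID=abc123.node1; Path=/realms/demo/; HttpOnly; Secure",
    "KC_RESTART=xyz; Path=/realms/demo/; HttpOnly",
    "AUTH_SESSION_ID=abc123.node1; Path=/realms/demo/; HttpOnly; Secure; SameSite=None; Partitioned",
]


def audit_all(headers: list[str] = SAMPLE_HEADERS) -> dict[str, list[str]]:
    """Map each header to its list of problems (empty list = acceptable)."""
    return {h: audit_third_party_cookie(h) for h in headers}


if __name__ == "__main__":
    for header, problems in audit_all().items():
        print(header)
        for p in problems or ["  ok: sent in third-party contexts"]:
            print("  " + p if not p.startswith("  ") else p)
```

Run it against the real `Set-Cookie` headers of the login response (for example copied from the browser's network panel) to see which of the three attributes each cookie lacks; the check only describes what a browser will do with the cookie and says nothing about whether a particular Keycloak version can be configured to emit the `Partitioned` attribute.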

@keycloak-github-bot

Thanks for reporting this issue, but as this is reported against an older and unsupported release we are not able to evaluate the issue. Please verify with the nightly build or the latest release.

If the issue can be reproduced in the nightly build or latest release add a comment with additional information, otherwise this issue will be automatically closed within 14 days.
