Future versions of browsers will reject insecure cookies with SameSite=None. Please make sure that all cookies set by Keycloak follow these guidelines.
The new default value used for the SameSite attribute will be "Lax".
At this point we believe the only thing affected in Keycloak is keycloak.js or any third-party libraries/clients that are using the OIDC session status iframe.
A workaround until we have a resolution is to disable the session iframe, which will have the side effect that SPA/HTML5 applications will not notice the user has logged out from a different application until the application is reloaded or the token is refreshed. For details on how to disable the session status iframe see https://www.keycloak.org/docs/latest/securing_apps/index.html#session-status-iframe
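
One way to check captured `Set-Cookie` headers against the browser rules described in this issue. This is an added example, not Keycloak code; the cookie name `EXAMPLE_SESSION`, the paths and the function names are constructed for illustration.

```javascript
// Classify one Set-Cookie header value under the rules described above:
//   - SameSite=None without Secure -> rejected by the browser
//   - missing SameSite             -> treated as SameSite=Lax
// Unrecognised SameSite values are treated like a missing attribute.
function auditSetCookie(headerValue) {
  const parts = headerValue.split(";").map((p) => p.trim()).filter(Boolean);
  const name = parts[0].split("=")[0].trim();
  let declared = null;
  let secure = false;
  for (const attr of parts.slice(1)) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? "" : attr.slice(eq + 1).trim().toLowerCase();
    if (key === "secure") secure = true;
    if (key === "samesite") declared = val;
  }
  const recognised = ["strict", "lax", "none"].includes(declared);
  const sameSite = recognised ? declared : "lax";
  let verdict = "ok";
  if (sameSite === "none" && !secure) verdict = "rejected";
  else if (!recognised) verdict = "defaulted-to-lax";
  // Only an accepted SameSite=None cookie is available when the issuing
  // origin is embedded cross-site, as the session status iframe is.
  const crossSiteIframe = sameSite === "none" && secure;
  return { name, sameSite, secure, verdict, crossSiteIframe };
}

// Constructed sample headers (not captured from a real server).
const SAMPLE_HEADERS = [
  "EXAMPLE_SESSION=abc123; Path=/auth/realms/demo/; Max-Age=36000",
  "EXAMPLE_SESSION=abc123; Path=/auth/realms/demo/; SameSite=None",
  "EXAMPLE_SESSION=abc123; Path=/auth/realms/demo/; SameSite=None; Secure",
];

function auditAll(headers) {
  return headers.map(auditSetCookie);
}

for (const r of auditAll(SAMPLE_HEADERS)) {
  console.log(`${r.name}: ${r.verdict}, cross-site iframe: ${r.crossSiteIframe}`);
}
```

Only the third sample header yields a cookie that is still available to a cross-site iframe; the first two explain why the session status iframe stops working under the new defaults.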