Details

    • Type: Task
    • Status: Resolved
    • Priority: Critical
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Sprint:
      Keycloak Sprint 38, Keycloak Sprint 39
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      Safari has already started blocking third-party cookies [1], and other browsers will follow suit in the future [2].

      Third-party cookies are leveraged within keycloak.js especially for session logout notification, as well as often used in SPA type applications for silent refresh. We have for a long time provided support for refresh tokens in keycloak.js, which reduces the implication of this, but we do need to deprecate/remove features that require third-party cookies.

      We should also start considering how we can recommend SPA type applications with a backend service that handles the flows, which is slightly more secure as refresh tokens are not exposed to the browser.

      [1] https://www.theverge.com/2020/3/24/21192830/apple-safari-intelligent-tracking-privacy-full-third-party-cookie-blocking
      [2] https://www.theverge.com/2020/1/14/21064698/google-third-party-cookies-chrome-two-years-privacy-safari-firefox

                People

                • Assignee:
                  vmuzikar Václav Muzikář
                  Reporter:
                  stianst Stian Thorgersen
                • Votes:
                  1
                  Watchers:
                  5