Bug
Resolution: Done
Before reporting an issue
[x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
authentication
Describe the bug
When using Keycloak with silentCheckSsoRedirectUri, I am facing the following error in Firefox with default privacy settings: Cookie “KC_AUTH_SESSION_HASH” has been rejected because it is in a cross-site context and its “SameSite” is “Lax” or “Strict”.
This results in a double reload of the page when refreshing because it causes Keycloak to return error=login_required in the authentication request.
Would it be possible to specify a SameSite policy that prevents the default of Lax being used?
Version
26.1.4
Regression
[ ] The issue is a regression
Expected behavior
The cookie KC_AUTH_SESSION_HASH should be accepted by the browser.
Actual behavior
Cookie “KC_AUTH_SESSION_HASH” has been rejected because it is in a cross-site context and its “SameSite” is “Lax” or “Strict”.
How to Reproduce?
Use Firefox with default settings. Try out a minimal example with silentCheckSsoRedirectUri such as https://github.com/mauriciovigolo/keycloak-angular?tab=readme-ov-file#usage. Try to refresh any webpage after the login has completed.
Anything else?
No response
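To make the reported rejection concrete, here is an added example (not code from the issue, from keycloak-angular or from the Keycloak project) that models the browser-side SameSite decision behind the quoted Firefox warning. The silent check-sso flow loads the Keycloak authorization endpoint in a hidden iframe; when the Keycloak host is a different site from the application, that response is cross-site, so a Set-Cookie with SameSite=Lax or Strict (or no SameSite attribute, which browsers treat as Lax) is dropped, while SameSite=None is kept only together with Secure over HTTPS. The Set-Cookie header strings below are constructed; only the cookie name comes from the report, and the Path, value and other attributes are assumptions.

```javascript
// Added example: a model of the browser's SameSite check for a cookie set by a
// response loaded inside an iframe (the silent check-sso case). It is not the
// Keycloak project's code and does not reproduce any real Keycloak response.

const SAMESITE_VALUES = new Set(['strict', 'lax', 'none']);

// Parse a Set-Cookie header into { name, value, attrs }; attribute names are
// lowercased, flag attributes such as Secure and HttpOnly become `true`.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq <= 0) throw new Error('malformed cookie pair: ' + pair);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Effective SameSite value: a missing or unrecognised attribute defaults to Lax,
// which is the default the report asks to override.
function effectiveSameSite(attrs) {
  const raw = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : undefined;
  return raw && SAMESITE_VALUES.has(raw) ? raw : 'lax';
}

// Decide whether the cookie is stored for a response loaded in an iframe.
//   ctx.crossSite      - the iframe's site differs from the top-level page's site
//   ctx.secureContext  - the response arrived over HTTPS
function evaluateCookie(header, ctx) {
  const cookie = parseSetCookie(header);
  const sameSite = effectiveSameSite(cookie.attrs);
  if (sameSite === 'none' && !(cookie.attrs.secure && ctx.secureContext)) {
    return { name: cookie.name, sameSite, accepted: false,
             reason: 'SameSite=None requires the Secure attribute over HTTPS' };
  }
  if (ctx.crossSite && sameSite !== 'none') {
    return { name: cookie.name, sameSite, accepted: false,
             reason: `rejected in a cross-site context because SameSite is ${sameSite}` };
  }
  return { name: cookie.name, sameSite, accepted: true, reason: 'stored' };
}

// Constructed sample headers (assumed values; only the cookie name is from the report).
const SAMPLE_LAX = 'KC_AUTH_SESSION_HASH=abc123; Path=/; Secure; HttpOnly; SameSite=Lax';
const SAMPLE_NONE = 'KC_AUTH_SESSION_HASH=abc123; Path=/; Secure; HttpOnly; SameSite=None';
const SAMPLE_NONE_INSECURE = 'KC_AUTH_SESSION_HASH=abc123; Path=/; HttpOnly; SameSite=None';

// Run the samples through both deployment shapes: Keycloak on another site
// (the iframe request is cross-site) and Keycloak on the application's site.
function demo() {
  const crossSite = { crossSite: true, secureContext: true };
  const sameSite = { crossSite: false, secureContext: true };
  return {
    laxCrossSite: evaluateCookie(SAMPLE_LAX, crossSite),
    laxSameSite: evaluateCookie(SAMPLE_LAX, sameSite),
    noneCrossSite: evaluateCookie(SAMPLE_NONE, crossSite),
    noneInsecureCrossSite: evaluateCookie(SAMPLE_NONE_INSECURE, crossSite),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `laxCrossSite` result is the situation in the report: the cookie is dropped, the iframe round trip cannot see the session, and the authorization request comes back with error=login_required. The same header is accepted when `crossSite` is false, which is why the warning does not appear when the application and Keycloak share a site; and a SameSite=None cookie is only kept when it also carries Secure and is served over HTTPS.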