OIDC SPA

End of third-party cookies

Last updated 10 months ago

TL;DR: It's mostly inconsequential.

Google is ending third-party cookies for all Chrome users in 2024, and they are already disabled by default in Safari.

Let's see how it might affect you.

First of all, if your identity server and your app share the same root domain, you are not affected.

For example, if this is your case:

  • Your app is hosted at www.example.com or dashboard.example.com

  • Your identity server, for example Keycloak, is hosted at: auth.example.com

You are not affected ✅. Indeed, www.example.com, dashboard.example.com and auth.example.com all share the same root domain: example.com.

On the other hand, if you are in the following case:

  • Your app is hosted at www.example.com or dashboard.example.com

  • Your identity server is hosted at: auth.sowhere-else.com

Let's see how the third-party cookie phase-out will affect you:

  • You will see the warning "Third-party cookie will be blocked" in the browser console in production.

  • Suppose an authenticated user closes the tab of your app, or closes the browser, and opens your site again a while later. With third-party cookies enabled, and assuming his session hasn't expired yet, he will be automatically logged in. With third-party cookies disabled, your website will load in unauthenticated mode. If he clicks on the login button, this will trigger a full reload and he will be authenticated without having to enter his credentials again.
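
To check which of the two cases above applies to a deployment, compare the root (registrable) domain of the app URL with that of the issuer URI. The following is an added example, not code from oidc-spa: the function names and the short `PUBLIC_SUFFIXES` excerpt are constructed for illustration. It goes slightly beyond the text by handling multi-label suffixes such as `co.uk` and shared-hosting suffixes such as `github.io`, where sibling subdomains do not share a root domain.

```javascript
// Added example, not part of oidc-spa. PUBLIC_SUFFIXES is a small constructed
// excerpt; a real check should use the full Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "org", "io", "uk", "co.uk", "github.io"]);

// Registrable domain ("root domain") = public suffix plus one more label.
// Returns null for IP literals, bare suffixes and unknown suffixes.
function registrableDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  if (/^[\d.]+$/.test(host) || host.includes(":")) return null;
  const labels = host.split(".");
  // Scanning from the left finds the longest matching suffix first.
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Hypothetical helper: classify a deployment into the two cases of this page.
function thirdPartyCookieImpact(appUrl, issuerUri) {
  const app = new URL(appUrl);
  const idp = new URL(issuerUri);
  // Without a known registrable domain, fall back to exact host comparison,
  // which errs on the side of reporting "affected".
  const appSite = registrableDomain(app.hostname) ?? app.hostname;
  const idpSite = registrableDomain(idp.hostname) ?? idp.hostname;
  const affected = appSite !== idpSite;
  return {
    appSite,
    idpSite,
    affected,
    // What a returning user with a live session sees once third-party cookies are blocked.
    onReturn: affected ? "loads unauthenticated until login is clicked" : "automatically logged in",
  };
}

// Constructed sample deployments, including the two cases from the text.
const samples = [
  ["https://dashboard.example.com/", "https://auth.example.com/realms/demo"],
  ["https://www.example.com/", "https://auth.sowhere-else.com/realms/demo"],
  ["https://shop.example.co.uk/", "https://login.example.co.uk/"],
  ["https://myapp.github.io/", "https://myidp.github.io/"],
];
for (const [app, issuer] of samples) {
  const r = thirdPartyCookieImpact(app, issuer);
  console.log(`${r.appSite} vs ${r.idpSite}: ${r.affected ? "affected" : "not affected"}`);
}
```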

Related resources:

  • Write a blog post about 3rd party cookie deprecation · Issue #25990 · keycloak/keycloak (GitHub)

  • 3rd party cookies phase out on chrome · Issue #26128 · keycloak/keycloak (GitHub)

Google reCaptcha

reCaptcha is not directly related to oidc-spa, since the cookie it sets is on the register page (so outside of your app). Anyway, since it's a related concern:

  • Google reCaptcha and End of third-party Cookies | Keycloakify