End of third-party cookies


TL;DR; It's mostly inconsequential.

Google is ending third-party cookies for all Chrome users in 2024, and they are already disabled by default in Safari.

Let's see how it might affect you.

First of all, if your identity server and your app share the same root domain, you are not affected.

For example, if you are in this case:

  • Your app is hosted at www.example.com or dashboard.example.com

  • Your identity server, for example Keycloak, is hosted at: auth.example.com

You are not affected ✅. Indeed, www.example.com, dashboard.example.com and auth.example.com all share the same root domain: example.com.

On the other hand, if you are in the following case:

  • Your app is hosted at www.example.com or dashboard.example.com

  • Your identity server is hosted at: auth.sowhere-else.com

Let's see how the third-party cookie phase-out will affect you:

  • You will see the warning "Third-party cookie will be blocked" in the browser console in production.

  • Suppose an authenticated user closes the tab of your app, or closes the browser, and opens your site again a while later. With third-party cookies enabled, and assuming his session hasn't expired yet, he will be automatically logged in. With third-party cookies disabled, your website will load in unauthenticated mode. If he clicks on the login button, this will trigger a full reload and he will be authenticated without having to enter his credentials again.
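To tell which of the two cases above a deployment falls into, the app URL and the identity server URL can be compared by root (registrable) domain. The sketch below is an added example, not part of oidc-spa; the function names and the three-entry suffix list are assumptions made for illustration, and a real check needs the full Public Suffix List.

```javascript
// Added example: not code from oidc-spa.
// Constructed excerpt of multi-label public suffixes. A real check must use
// the full Public Suffix List (https://publicsuffix.org/).
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "github.io"]);

// Returns the root (registrable) domain of a URL, e.g. "example.com",
// or null when the host has none (IP literal, single label, bare suffix).
function rootDomain(url) {
  const host = new URL(url).hostname.toLowerCase().replace(/\.$/, "");
  if (/^[\d.]+$/.test(host) || host.startsWith("[")) return null; // IPv4 / IPv6
  const labels = host.split(".");
  if (labels.length < 2) return null; // e.g. localhost
  const lastTwo = labels.slice(-2).join(".");
  const suffixLabels = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 2 : 1;
  if (labels.length <= suffixLabels) return null; // host is itself a suffix
  return labels.slice(-(suffixLabels + 1)).join(".");
}

// True when the identity server shares the app's root domain, i.e. the
// "not affected" case described above.
function sharesRootDomain(appUrl, issuerUrl) {
  const app = rootDomain(appUrl);
  const issuer = rootDomain(issuerUrl);
  if (app === null || issuer === null) {
    // No registrable domain: only an identical host is the same site.
    return new URL(appUrl).hostname === new URL(issuerUrl).hostname;
  }
  return app === issuer;
}

// Constructed deployments: [app URL, identity server URL]
const deployments = [
  ["https://dashboard.example.com", "https://auth.example.com"],
  ["https://www.example.com", "https://auth.sowhere-else.com"],
  ["https://alice.github.io", "https://bob.github.io"], // shared public suffix only
  ["http://localhost:3000", "http://localhost:8080"],
];
for (const [app, issuer] of deployments) {
  const verdict = sharesRootDomain(app, issuer)
    ? "not affected"
    : "affected by the third-party cookie phase-out";
  console.log(`${app} + ${issuer}: ${verdict}`);
}
```

Two hosts under a shared public suffix such as github.io do not share a root domain, which is why comparing only the last two labels of the hostname is not enough.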

Related resources:

Google reCaptcha

reCaptcha is not directly related to oidc-spa, since the cookie it sets is on the register page (so outside of your app). Anyway, since it's a related concern:

๐Ÿช
3rd party cookies phase out on chrome ยท Issue #26128 ยท keycloak/keycloakGitHub
Google reCaptcha and End of third-party Cookies | Keycloakify
Write a blog post about 3rd party cookie deprecation ยท Issue #25990 ยท keycloak/keycloakGitHub
Logo
Logo
Logo