I have a running Keycloak instance on auth.example.com and my app is running on example.io.
Brave Shield is blocking CORS cookies, so the cookie is not sent to /protocol/openid-connect/token/ and therefore I get a 400 result.
What is the best solution to deal with this problem?

a) I catch the 400 call and inform the user to allow CORS cookies?
b) I host the Keycloak instance on the same domain
c) I use another approach than cookies for this

C sounds insecure when you store the cookie only in local storage without the HttpOnly option. B will not work in the future when I have other applications that want to interact with the IAM, so the only option I think is A (which works, but is not user-friendly), isn't it?