Handling cookie not found error with oidc and keycloak

Question

We have a Keycloak 18.0.2 with realms integrated to external IdP (Okta / Ping / Azure). In one realm we started seeing lots of IDENTITY_PROVIDER_LOGIN_ERROR / cookie_not_found in login events. And had users reporting that they were only able to login if they cleared their browser’s cache and cookies. We found some ways to reproduce this behaviour in dev environment:

1. Multiple browser tabs:

• At the browser, tab 1, user opens application menu-navigator and is redirected to the External SSO login page (after Keycloak auth flow redirection). We see this login page being initialized with cookie KC_RESTART (auth endpoint).
• At the same browser, tab 2, user opens application dashboard-frontend and follows a similar flow as previous app.
• Both websites are written in Vue.JS and are using oidc-client-ts library. When initialized, OIDC lib loads the realm metadata, creates a user storage, and executes signin flow. After user is authenticated and has an active session KC_RESTART cookie is expired.
• As a result, when user back to tab 1 which is opened at step and try to login, user encounters an error since system cannot find authentication session and then try to use KC_RESTART cookie to reset authentication session however the cookie is even not there since it is expired at step c.
• Then user is redirected to Keycloak and sees the Cookie not found message.

2. Stale sessions:

• User opens the application (menu-nav or dashboard), sign in, do some operations, and close the tab.
• Users opens the application again in a moment between Session Idle and Session Max timeouts.
• User is redirected to Keycloak and sees the Cookie not found message.

We’ve seen the message in other situations, but we couldn’t consistently reproduce. While we were debugging this problem, we saw a Keycloak redirection to applications call-back endpoint with erro=login_required. So, we decided to handle this and other possible errors trying to make the client app do a silent signin or do a signin redirect if signin silent fails.

This seems to be effective to that error and now we see some IDENTITY_PROVIDER_LOGIN_ERROR / expired_code which we believe it’s OK and associated with the session max timeout and makes user go to the SSO login screen.

Any thoughts about this?

Answer 1

I have experienced Cookie not found issue, after user login into Keycloak and Keycloak tried to re-direct back to original site.

Root Cause:

A miss-configuration of realm's front-end URL. This value needs to match URL where your Keycloak listens (public facing URL).

1. Navigate to {yourRealm}.
2. Click on Realm Settings.
3. Under General Settings.
4. Check value in Frontend URL field.