SSO Fails on Client-Initiated Login Across TLDs with BFF Confidential Clients

Environment:

  • Keycloak Version: 26.3.4

  • Keycloak Host: https://sso.mydomain.com

  • Client Apps (in the same realm):

    • https://app1.mydomain.com

    • https://app2.anotherdomain.net

  • Client Architecture: Each frontend application is backed by its own BFF (Backend-for-Frontend). Each BFF is registered in Keycloak as a confidential client and is responsible for the OIDC code-to-token exchange and managing the user session.

Goal: To achieve seamless SSO. A user should log in once to any client and be automatically authenticated when visiting any other client, regardless of their top-level domain.

Observed Behavior:

We are seeing two distinct outcomes based on the initial login point.

1. What Works: Login via Keycloak Account Console

  • A user logs in directly at the Keycloak Account Console (https://sso.mydomain.com/realms/my-realm/account).

  • The user then navigates to app1.mydomain.com or app2.anotherdomain.net.

  • SSO works perfectly; the client’s BFF initiates the OIDC flow, Keycloak sees the existing SSO session, and the user is automatically logged in.

2. What Fails: Client-Initiated Login

  • A user is fully logged out.

  • The user navigates first to https://app2.anotherdomain.net.

  • The application redirects to Keycloak, the user authenticates, and is redirected back. Login is successful for app2.anotherdomain.net only.

  • The Problem: If the user now opens a new tab and navigates to app1.mydomain.com (or the Keycloak account console), they are prompted to log in again. The global SSO session is not recognized.

Question:

I understand this is the expected behavior due to browser cookie policies preventing access across different top-level domains.

Given our BFF architecture, what is the standard flow between the frontend, our confidential BFF client, and Keycloak to ensure a client-initiated login correctly establishes a global SSO session that is recognized by all other clients? How should the redirect and callback be handled by the BFF to ensure the central Keycloak session is respected on subsequent visits to other clients?
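For readers following this thread, here is a minimal sketch of the confidential-client (BFF) side of the flow being asked about, written as an added example rather than code from the poster's applications. It builds the browser redirect to Keycloak with `state` and PKCE, verifies the callback and exchanges the code with the client secret server-side, and also shows a `prompt=none` silent check that a second app can use to find out whether a Keycloak SSO session already exists before forcing an interactive login. The issuer URL is the one given in the post; the client ids, redirect URIs, the in-memory pending-login store and the injectable `http_post` callable are assumptions for illustration.

```python
"""Minimal confidential-client (BFF) side of the OIDC authorization code flow
with PKCE, a state check, and an optional prompt=none silent SSO check.
Added example, not the poster's code. Only the issuer URL comes from the
post; client ids, redirect URIs and the pending-login store are assumed."""
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request
from dataclasses import dataclass


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: BASE64URL(SHA256(verifier)) with padding stripped (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass
class PendingLogin:
    code_verifier: str   # never leaves the BFF; only its hash goes to the browser
    return_to: str       # where to send the user once the BFF session exists
    silent: bool         # True when this was a prompt=none probe


class BffOidcClient:
    def __init__(self, issuer, client_id, client_secret, redirect_uri, http_post=None):
        # Keycloak's realm endpoints (standard paths under the realm issuer URL)
        self.auth_endpoint = issuer.rstrip("/") + "/protocol/openid-connect/auth"
        self.token_endpoint = issuer.rstrip("/") + "/protocol/openid-connect/token"
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = redirect_uri
        self._http_post = http_post or self._default_post
        # state -> PendingLogin, kept server-side in the BFF (assumed in-memory store)
        self._pending = {}

    @staticmethod
    def _default_post(url, form):
        """Back-channel form POST to the token endpoint (used when no http_post is injected)."""
        body = urllib.parse.urlencode(form).encode()
        req = urllib.request.Request(url, data=body, method="POST")
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read())

    def start_login(self, return_to="/", silent=False, state=None, verifier=None):
        """Return the URL the browser must be redirected to. The redirect goes through
        the user's browser on purpose: that is what lets Keycloak read or set its own
        SSO cookie on the sso.mydomain.com origin, independent of the app's TLD."""
        state = state or secrets.token_urlsafe(32)
        verifier = verifier or secrets.token_urlsafe(48)   # 64 chars, within RFC 7636 bounds
        self._pending[state] = PendingLogin(verifier, return_to, silent)
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "scope": "openid",
            "state": state,
            "code_challenge": pkce_challenge(verifier),
            "code_challenge_method": "S256",
        }
        if silent:
            params["prompt"] = "none"   # ask Keycloak to answer without showing a login page
        return self.auth_endpoint + "?" + urllib.parse.urlencode(params)

    def handle_callback(self, query: str):
        """Process the redirect back from Keycloak. Returns a dict with the tokens and
        the original return_to, or None when a silent probe found no SSO session."""
        q = dict(urllib.parse.parse_qsl(query))
        pending = self._pending.pop(q.get("state", ""), None)   # single use: blocks replay
        if pending is None:
            raise ValueError("unknown or replayed state")
        if "error" in q:
            if pending.silent and q["error"] in ("login_required", "interaction_required"):
                return None   # no Keycloak session yet: caller falls back to interactive login
            raise ValueError(f"authorization error: {q['error']}")
        tokens = self._http_post(self.token_endpoint, {
            "grant_type": "authorization_code",
            "code": q["code"],
            "redirect_uri": self.redirect_uri,
            "client_id": self.client_id,
            "client_secret": self.client_secret,   # confidential client: secret stays in the BFF
            "code_verifier": pending.code_verifier,
        })
        # The BFF now creates its own session cookie on the app's domain; the Keycloak
        # SSO cookie was set by Keycloak on sso.mydomain.com during the redirect above.
        return {"tokens": tokens, "return_to": pending.return_to}
```

The point of separating `start_login` and `handle_callback` is that each app's BFF only ever owns a cookie on its own domain, while the cross-TLD SSO state lives solely in the cookie Keycloak sets on `sso.mydomain.com` as the browser passes through the authorization endpoint. A second app can therefore try `start_login(silent=True)` first and only fall back to an interactive redirect when the callback reports `login_required`.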