SSO problems and doubts

I created a realm with two clients inside. The two clients are my webapp and Grafana. When I log in to my webapp and then open Grafana, I’m automatically logged into Grafana thanks to SSO. And so far, so good. The problem is that when I log out of my webapp and then return to Grafana, refreshing the Grafana web page, I remain logged in, even though the KC session has been properly closed. Is this mechanism correct?

Another problem: when I try to embed a web page from my webapp in a Grafana dashboard panel using an iframe, it redirects me to my webapp’s login page (unless I’ve logged in to my webapp first). However, I expected the page to open directly in the iframe, since I’m already logged into Grafana.

Same domain: both applications are served from the same .xyz domain (the two links in the original post rendered only as their page titles, “.xyz Domain Names | Join Generation XYZ”).

Another thing I noticed: in Chrome I don’t see cookies like KEYCLOAK_IDENTITY and KEYCLOAK_SESSION, while in Firefox I do see them.

Keep things simple.
Forget about iframes and implement standard federation with OIDC using the Authorization Code flow with PKCE.
Then, for logout, there are several options depending on the user experience and the type of application you have.

  • OIDC RP-Initiated Logout [1]
  • OIDC Back-Channel Logout [2]

[1] OpenID Connect RP-Initiated Logout 1.0 (Final): https://openid.net/specs/openid-connect-rpinitiated-1_0.html
[2] OpenID Connect Back-Channel Logout 1.0 (Final): https://openid.net/specs/openid-connect-backchannel-1_0.html
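As an added illustration of the flow recommended in the reply above (example code written for this page, not code from the reply's author, Keycloak or Grafana): the client side of the Authorization Code flow with PKCE, plus the RP-initiated logout redirect from [1]. It uses only the Python standard library. The issuer host and realm name are placeholders, and the endpoint paths are assumed to follow Keycloak's `/realms/<realm>/protocol/openid-connect/...` layout; a real client should read them from the issuer's `.well-known/openid-configuration` document.

```python
"""Authorization Code + PKCE (RFC 7636, S256) and RP-initiated logout URLs."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder issuer (assumption): Keycloak-style endpoint layout under a fake host.
ISSUER = "https://keycloak.example.invalid/realms/myrealm"
AUTHORIZE_ENDPOINT = f"{ISSUER}/protocol/openid-connect/auth"
END_SESSION_ENDPOINT = f"{ISSUER}/protocol/openid-connect/logout"


def b64url_nopad(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 mandates."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge_for(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_pair() -> tuple:
    """Fresh verifier (32 random bytes -> 43 chars, within the 43..128 limit) and its challenge.
    The verifier stays in the client's own session; only the challenge goes to Keycloak."""
    verifier = b64url_nopad(secrets.token_bytes(32))
    return verifier, code_challenge_for(verifier)


def build_authorize_url(client_id: str, redirect_uri: str, code_challenge: str,
                        state: str, nonce: str) -> str:
    """Front-channel redirect that starts the login. state/nonce are per-request randoms
    the client must also store and later compare (CSRF and ID-token replay protection)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def build_rp_logout_url(id_token: str, post_logout_redirect_uri: str, client_id: str) -> str:
    """RP-initiated logout: the app clears its OWN session first, then sends the browser here
    so the Keycloak SSO session is ended too. post_logout_redirect_uri must be registered
    on the client in Keycloak, otherwise the redirect is refused."""
    params = {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "client_id": client_id,
    }
    return f"{END_SESSION_ENDPOINT}?{urlencode(params)}"


def server_side_pkce_check(stored_challenge: str, presented_verifier: str) -> bool:
    """What the token endpoint does with the verifier: recompute and compare in constant time."""
    return secrets.compare_digest(code_challenge_for(presented_verifier), stored_challenge)


def query_params(url: str) -> dict:
    """Small helper for inspecting the generated URLs."""
    return parse_qs(urlparse(url).query)


if __name__ == "__main__":
    verifier, challenge = new_pkce_pair()
    print(build_authorize_url("webapp", "https://webapp.example.invalid/callback",
                              challenge, secrets.token_urlsafe(16), secrets.token_urlsafe(16)))
    print(build_rp_logout_url("<id_token from the token response>",
                              "https://webapp.example.invalid/", "webapp"))
```

The logout URL is the piece that matters for the original question: calling it ends the Keycloak session, but it does nothing to a second client's local session unless that client also receives a back-channel (or front-channel) logout, which is the point of reference [2].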

I don’t like iframes either, but I have to use them. Is there a way to make sure the page opened in the iframe doesn’t ask for login?

> The problem is that when I log out of my webapp and then return to Grafana, refreshing the Grafana web page, I remain logged in, even though the KC session has been properly closed. Is this mechanism correct?

Yes, this can be correct.

One thing to keep in mind: Keycloak controls the Keycloak session. The application controls its own session.

Grafana can keep its own login session using its own cookies or session state. So it is possible to log out of Keycloak, then refresh Grafana, and still appear logged in there.

To change that behavior, Grafana must explicitly handle logout. So the key question is not only “was the Keycloak session closed?” It is also “did Grafana clear its own session when that happened?”
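To make the "did the application clear its own session" point concrete, here is an added example (written for this page, not code from the reply's author, Keycloak or Grafana) of the relying-party side of OIDC Back-Channel Logout: a local session table keyed by the app's own cookie, and a handler that, on receiving a logout token from the identity provider, verifies it, validates the claims the spec requires, and deletes the matching local sessions. To run offline with the standard library only, the logout token is HS256-signed with a shared key built inside the example; this is an assumption for the demo, since Keycloak signs logout tokens with RS256 and a real handler verifies them against the realm's JWKS. The issuer and client id are placeholders.

```python
"""RP-side Back-Channel Logout: verify the logout token, then clear local sessions."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
MAX_TOKEN_AGE_SECONDS = 300  # how stale an iat we tolerate (local policy, not from the spec)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Constructed JWS for the demo (stand-in for the RS256 token Keycloak would POST)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "logout+jwt"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """Signature check first; only then are the claims trusted at all."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS")
    header, body, sig = parts
    expected = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(sig), expected):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    return json.loads(_b64url_decode(body))


def validate_logout_token(claims: dict, issuer: str, client_id: str,
                          now: Optional[float] = None) -> None:
    """Claim checks from OpenID Connect Back-Channel Logout 1.0, section 2.6."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or now - iat > MAX_TOKEN_AGE_SECONDS:
        raise ValueError("missing or stale iat")
    if not claims.get("jti"):
        raise ValueError("missing jti")  # production: also keep seen jti values to stop replay
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_EVENT), dict):
        raise ValueError("not a back-channel logout token")
    if "nonce" in claims:
        raise ValueError("nonce must not be present in a logout token")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("logout token needs sub or sid")


class LocalSessionStore:
    """The application's OWN session table (what Keycloak cannot touch on its own)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self, local_id: str, sub: str, sid: str) -> None:
        # sid is the Keycloak session id from the ID token; store it at login so
        # a later logout token can be matched back to this local session.
        self._sessions[local_id] = {"sub": sub, "sid": sid}

    def is_active(self, local_id: str) -> bool:
        return local_id in self._sessions

    def revoke_for_logout(self, claims: dict) -> int:
        """Drop sessions matching the token's sid, or every session of its sub if no sid."""
        def matches(s: dict) -> bool:
            if "sid" in claims:
                return s["sid"] == claims["sid"] and s["sub"] == claims.get("sub", s["sub"])
            return s["sub"] == claims["sub"]
        victims = [k for k, s in self._sessions.items() if matches(s)]
        for k in victims:
            del self._sessions[k]
        return len(victims)


def handle_backchannel_logout(store: LocalSessionStore, logout_token: str, key: bytes,
                              issuer: str, client_id: str) -> int:
    """The POST handler body: returns how many local sessions were cleared."""
    claims = verify_hs256(logout_token, key)
    validate_logout_token(claims, issuer, client_id)
    return store.revoke_for_logout(claims)


def make_demo_logout_token(key: bytes, issuer: str, client_id: str, sub: Optional[str] = None,
                           sid: Optional[str] = None, **extra) -> str:
    """Constructed sample token, shaped like the ones the provider would send."""
    claims = {"iss": issuer, "aud": client_id, "iat": int(time.time()), "jti": "demo-jti",
              "events": {BACKCHANNEL_EVENT: {}}}
    if sub is not None:
        claims["sub"] = sub
    if sid is not None:
        claims["sid"] = sid
    claims.update(extra)
    return sign_hs256(claims, key)
```

Without a handler like this, logging out of one client ends only the Keycloak session; the other client's local session survives until it expires or the user logs out there, which is exactly the behaviour described in the question.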

> I don’t like iframes either, but I have to use them. Is there a way to make sure the page opened in the iframe doesn’t ask for login?

I think you may struggle to get useful answers if you continue down the iframe path.

At that point, many of the problems are no longer really about Keycloak or even OIDC. They become browser and iframe behavior problems: third-party cookies, session isolation, silent auth restrictions, SameSite policies, CSP headers, browser privacy features, and cross-origin behavior.

That is also why people are recommending standard OIDC Authorization Code flow patterns instead. Those flows are well understood, broadly supported, and much easier to reason about.

If you must use iframes, you’ll likely need a fairly deep understanding of browser session behavior in addition to Keycloak and OIDC.