Keycloak makes IE have an infinite loop

We use the keycloak 1.3.1 authentication library, and I noticed that as soon as I initialize keycloak with { onLoad: 'login-required' }, IE (11) gets into an infinite loop ...

Other browsers work fine.

I basically do this:

```javascript
keycloak.init({ onLoad: 'login-required' })
  .success(function(authenticated) {
    console.info(authenticated ? 'authenticated' : 'not authenticated');
    // some other stuff...
  })
  .error(function() {
    console.warn('failed to initialize');
  });
```

Any idea what causes it and how to solve it? I'm trying to install the latest version 1.4.0 now in the hope that this strange bug will be resolved.

Thanks in advance.

+4
2 answers

I had the same problem with keycloak v1.5.0.Final/Internet Explorer 11 and finally figured out what was going on.

1. Behind the scenes

When using the login-required or check-sso modes in the Keycloak init method, the Keycloak JavaScript Adapter sets up an iframe that checks at regular intervals whether the user is authenticated.

This iframe is retrieved from the keycloak server (say http(s)://yourkeycloakhost:port ):

```
http(s)://yourkeycloakhost:port/auth/realms/yourrealm/protocol/openid-connect/login-status-iframe.html?client_id=yourclientid&origin=http(s)://yourorigin
```

and its content is a JavaScript script that must have access to the cookie KEYCLOAK_SESSION, previously set by keycloak for authentication (in the same domain, i.e. http(s)://yourkeycloakhost:port ).

2. Problem with IE

Yes! There is a problem with Internet Explorer, which has a strict policy regarding iframes and cookies. In fact, the Keycloak iframe does NOT have access to the yourkeycloakhost domain due to its P3P policy (Microsoft Internet Explorer is the only major browser that supports P3P).


3. Resolution

The solution is to force Internet Explorer to trust our keycloak domain ( yourkeycloakhost ) for cookies, so that the iframe can read the KEYCLOAK_SESSION cookie and record it in its data.

To do this, the keycloak server must add an HTTP response header with P3P information. You can do this using an apache or nginx proxy, which will always set the appropriate header. I did this with apache and the mod_headers module:

```apache
Header always set P3P "CP=ALL DSP COR CUR ADM PSA CONi OUR SAM OTR UNR LEG"
```

You can learn more about P3P from the W3C and/or check your P3P policy with the P3P validator.

4. Consequence

You can see the Keycloak iframe code:

```javascript
var cookie = getCookie('KEYCLOAK_SESSION');
if (cookie) {
    data.loggedIn = true;
    data.session = cookie;
}
```

Now the cookie in the yourkeycloakhost domain is correctly retrieved by Internet Explorer, and the problem is fixed!

+10

Keycloak developers fixed this issue, as described by @François Maturel, in version 1.9.3. See #2828 for details.

+3
