Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
authentication
Describe the bug
After upgrading Keycloak from 26.0.8 to 26.1.0, our React SPA using @react-keycloak/web and keycloak-js no longer retains the user session after a page refresh.
✅ Login works initially
❌ Refreshing the page triggers re-login
🔁 Session cookies are present but no longer valid
Version
26.1.0
Regression
- The issue is a regression
Expected behavior
After successful login, the session should persist across pages; on page refresh the session should be re-established.
Actual behavior
After refresh, the app re-initiates the login flow, indicating Keycloak no longer recognizes the session.
How to Reproduce?
- Start Keycloak (v26.1.0 or later)
docker run -p 8080:8080 quay.io/keycloak/keycloak:26.1.0 start-dev
- Create a Realm, Client, and User
Realm: azure
Client ID: azure-factory
Valid Redirect URIs: http://localhost:3000/*
Web Origins: *
- Use the following React/Vite app: download it and run it locally
StackBlitz reproduction: 👉 Open Project
- Login Flow
- Visit http://localhost:3000/
- Login succeeds and you're redirected back
- Session is established, cookies are present
- Now Refresh the Page (F5)
- You are sent back to the Keycloak login page
- Session does not persist even though cookies exist
Anything else?
Observations
Reproducible only in Keycloak v26.1.0+
Works correctly in 26.0.8-1
Cookies KEYCLOAK_SESSION, KEYCLOAK_IDENTITY, and AUTH_SESSION_ID are all set
Re-authentication occurs even if cookies are sent in the request
Possibly Related (from Keycloak 26.1.0 Release Notes)
Updated format of KEYCLOAK_SESSION and AUTH_SESSION_ID cookies
These are now hashed or signed to avoid exposing sensitive data.
Release note claims: “This change has no impact on user sessions”
However, behavior regression is clearly observable in SPAs on refresh.
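Added example, not the reporter's StackBlitz project and not Keycloak's own code: a framework-free keycloak-js bootstrap for the realm and client values given in the report (realm `azure`, client `azure-factory`, SPA at http://localhost:3000, Keycloak at http://localhost:8080 from the `docker run` line). It shows the silent check-sso path a SPA normally takes on F5 to re-establish a session from the Keycloak cookies without a visible redirect, and sanity-checks that the silent-check page is covered by the client's Valid Redirect URIs. The `Keycloak` constructor is passed in as a parameter so the helpers can be exercised without the library installed; `matchesRedirectUri` is a simplified stand-in for Keycloak's trailing-wildcard redirect check, not the server's implementation. With @react-keycloak/web the same object returned by `buildInitOptions` goes into the provider's `initOptions` prop.

```javascript
// Assumed values, taken from the issue text (realm, client, origins).
const SPA_ORIGIN = 'http://localhost:3000';
const KEYCLOAK_URL = 'http://localhost:8080';
const REALM = 'azure';
const CLIENT_ID = 'azure-factory';

// keycloak-js init options for a public SPA. "check-sso" asks Keycloak
// (prompt=none, in a hidden iframe) whether an SSO session exists instead of
// forcing a redirect; PKCE is mandatory for a public client.
function buildInitOptions(origin = SPA_ORIGIN) {
  return {
    onLoad: 'check-sso',
    silentCheckSsoRedirectUri: `${origin}/silent-check-sso.html`,
    pkceMethod: 'S256',
  };
}

// Static page served from the SPA origin and loaded in the hidden iframe.
// Keycloak redirects here with the auth response; the page hands the URL back
// to the opener so keycloak-js can finish the code exchange.
function silentCheckSsoPage() {
  return `<!doctype html>
<html><body><script>
  parent.postMessage(location.href, location.origin);
</script></body></html>`;
}

// Simplified redirect-URI rule: exact match, or a trailing "*" matching any
// suffix. Used to check the silent-check URI against the client's
// "Valid Redirect URIs" value (http://localhost:3000/* in the report).
function matchesRedirectUri(pattern, uri) {
  if (pattern.endsWith('*')) {
    return uri.startsWith(pattern.slice(0, -1));
  }
  return uri === pattern;
}

// `Keycloak` is the constructor from `import Keycloak from 'keycloak-js'`,
// injected so this function runs without the library. Returns whether an
// existing SSO session was re-established (true) or the user is anonymous.
async function restoreSession(
  Keycloak,
  { origin = SPA_ORIGIN, validRedirectUris = ['http://localhost:3000/*'] } = {},
) {
  const opts = buildInitOptions(origin);
  const covered = validRedirectUris.some((p) =>
    matchesRedirectUri(p, opts.silentCheckSsoRedirectUri),
  );
  if (!covered) {
    // Keycloak would reject the silent check with an invalid redirect_uri
    // error, which an SPA easily mistakes for "no session".
    throw new Error(
      `${opts.silentCheckSsoRedirectUri} is not covered by the client's Valid Redirect URIs`,
    );
  }
  const keycloak = new Keycloak({ url: KEYCLOAK_URL, realm: REALM, clientId: CLIENT_ID });
  const authenticated = await keycloak.init(opts);
  // On success keycloak.token / keycloak.tokenParsed are populated for API calls.
  return { authenticated, keycloak };
}
```

On a page refresh, `restoreSession` is what runs before any route renders: if the hidden iframe comes back authenticated, the app never shows the login page; if it comes back anonymous, the app can choose to call `keycloak.login()`. Comparing the iframe's auth request and Keycloak's response in the browser network tab (with the KEYCLOAK_IDENTITY, KEYCLOAK_SESSION and AUTH_SESSION_ID cookies on the request) is the quickest way to see whether the server is honouring the cookies the report says are present.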