Impersonate does not work with separate admin hostname · Issue #10655 · keycloak/keycloak · GitHub
Impersonate does not work with separate admin hostname #10655
Open
@Xerkus

Description

Describe the bug

The admin console impersonate feature does not work properly in a cross-domain setup when hostname-admin does not match the realm hostname.

The impersonate feature invokes the admin endpoint on the admin hostname, which sets cookies in the response, but they are set for the wrong domain:

POST https://admin-host/admin/realms/example/users/99c1caa0-9f15-11ec-bfac-7446a03ae071/impersonation

set-cookie: KEYCLOAK_IDENTITY=snip; Version=1; Path=/realms/example/; SameSite=None; Secure; HttpOnly
set-cookie: KEYCLOAK_SESSION=example/99c1caa0-9f15-11ec-bfac-7446a03ae071/snip; Version=1; Expires=Wed, 09-Mar-2022 04:33:24 GMT; Max-Age=36000; Path=/realms/example/; SameSite=None; Secure

It then opens the account endpoint on the admin hostname, which redirects to the hostname for the realm, where the session is not present since the cookies are not set for that domain.

Version

17.0.0

Expected behavior

The impersonation flow is aware of the different admin hostname and performs redirects so that the session ends up being started on the realm hostname.

Actual behavior

The impersonation flow starts the session on the admin hostname, which is then unusable.

How to Reproduce?

Set up Keycloak with separate domains for hostname and hostname-admin. Attempt to use impersonation.

Anything else?

This is not a new issue: https://keycloak.discourse.group/t/cross-domain-impersonate/10302
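The cookie scoping behind this report, as an added example that is not part of the original issue or of Keycloak's code: it applies RFC 6265 host, path and Secure matching to the first Set-Cookie header quoted above to show which host a browser would return the session cookie to. The hostnames `admin.example.test` and `sso.example.test` and the account URL path are assumptions made for the illustration.

```javascript
// Added example; hostnames are constructed placeholders, not from the issue.
const ADMIN = 'admin.example.test', REALM = 'sso.example.test';
// First Set-Cookie header from the report (value already snipped there).
const HEADER = 'KEYCLOAK_IDENTITY=snip; Version=1; Path=/realms/example/; ' +
  'SameSite=None; Secure; HttpOnly';

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// RFC 6265 section 5.1.3 domain-match (IP-address hosts are not handled).
function domainMatch(host, domain) {
  const d = domain.toLowerCase().replace(/^\./, '');
  const h = host.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Would a browser that stored `cookie` from host `setBy` send it to `requestUrl`?
// Expiry (Expires/Max-Age) is ignored: only scoping is evaluated.
function cookieSentTo(cookie, setBy, requestUrl) {
  const url = new URL(requestUrl);
  const domain = cookie.attrs.domain;
  // Without a Domain attribute the cookie is host-only: exact host match.
  const hostOk = typeof domain === 'string' && domain !== ''
    ? domainMatch(setBy, domain) && domainMatch(url.hostname, domain)
    : url.hostname === setBy.toLowerCase();
  const path = typeof cookie.attrs.path === 'string' ? cookie.attrs.path : '/';
  const p = url.pathname;
  const pathOk = p === path ||
    (p.startsWith(path) && (path.endsWith('/') || p[path.length] === '/'));
  const secureOk = !cookie.attrs.secure || url.protocol === 'https:';
  return hostOk && pathOk && secureOk;
}

// Evaluate the impersonation response as issued by the admin host.
function check(header = HEADER) {
  const c = parseSetCookie(header);
  const account = '/realms/example/account/'; // assumed account endpoint path
  return { adminHost: cookieSentTo(c, ADMIN, `https://${ADMIN}${account}`),
           realmHost: cookieSentTo(c, ADMIN, `https://${REALM}${account}`) };
}
console.log(check());
```

The same check can be run against captured response headers when verifying a deployment that uses separate `hostname` and `hostname-admin` values.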
