Keycloak

Keycloak is an open-source identity and access management platform maintained by Red Hat. Its scripts handle single sign-on authentication, session management, and OAuth token handling, setting cookies to maintain user login state and authorization across web applications.

Overview

Keycloak is an open-source identity and access management platform, primarily maintained by Red Hat and widely deployed by enterprises and developers as a self-hosted or cloud-managed SSO solution. When a web application integrates Keycloak for authentication, the Keycloak JavaScript adapter runs in the browser to manage login flows, session state, and token lifecycle. Its presence on a website indicates that Keycloak is the identity provider for that application.

What This Script Does

Keycloak's browser-side adapter (keycloak.js or keycloak.min.js), served from the Keycloak server domain, handles OpenID Connect and OAuth 2.0 flows in the browser. It manages redirect-based login sequences, receives authorization codes and tokens after authentication, and stores tokens in memory or sessionStorage / localStorage depending on configuration.

Keycloak sets several cookies at the authentication server domain:

  • KEYCLOAK_SESSION — a session identifier cookie, HttpOnly, scoped to the Keycloak server domain, with expiry matching the SSO session lifetime (typically hours to days)
  • KEYCLOAK_IDENTITY — an identity token cookie, similarly scoped and HttpOnly
  • AUTH_SESSION_ID — used during the login flow to maintain state across redirects; typically session-scoped

These cookies are set on the Keycloak server's domain (e.g., auth.example.com), not the application domain directly. The adapter makes requests to Keycloak's token and userinfo endpoints to validate sessions and refresh access tokens transparently.
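As an added example (not code from Keycloak or ConsentStack), a small dependency-free Node.js audit that checks the HttpOnly, Secure, SameSite and Domain attributes on the cookies named above, given raw Set-Cookie header lines such as those copied from a browser's network panel; the sample header lines and the host name auth.example.com are constructed.

```javascript
// Added example, not Keycloak's or ConsentStack's code: audit the attributes on
// the Keycloak cookies named above from raw Set-Cookie header lines.
const KEYCLOAK_COOKIES = ["KEYCLOAK_SESSION", "KEYCLOAK_IDENTITY", "AUTH_SESSION_ID"];

// Parse one Set-Cookie header value into { name, value, attrs }. Attribute names
// are lower-cased; flag attributes without a value (HttpOnly, Secure) map to true.
function parseSetCookie(line) {
  const parts = line.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name: parts[0].slice(0, eq).trim(), value: parts[0].slice(eq + 1), attrs };
}

// Findings for one Keycloak cookie; cookies with other names are ignored.
// authHost is the Keycloak server host the cookie is expected to stay scoped to.
function auditCookie(cookie, authHost) {
  if (!KEYCLOAK_COOKIES.includes(cookie.name)) return [];
  const { attrs } = cookie;
  const findings = [];
  if (attrs.httponly !== true) findings.push(`${cookie.name}: missing HttpOnly`);
  if (attrs.secure !== true) findings.push(`${cookie.name}: missing Secure`);
  if (!attrs.samesite) findings.push(`${cookie.name}: missing SameSite`);
  // A Domain attribute naming a parent domain sends the cookie to every host under
  // it, which is broader than the auth-server-only scope described above.
  if (typeof attrs.domain === "string" && attrs.domain.replace(/^\./, "") !== authHost) {
    findings.push(`${cookie.name}: Domain=${attrs.domain} is broader than ${authHost}`);
  }
  return findings;
}

function auditSetCookieHeaders(lines, authHost) {
  return lines.flatMap((line) => auditCookie(parseSetCookie(line), authHost));
}

// Constructed sample headers (not captured from a real server). The first two match
// the description above; the third is deliberately weakened to show findings; the
// fourth is a non-Keycloak cookie and is ignored.
const SAMPLE_HEADERS = [
  "KEYCLOAK_IDENTITY=idtoken-placeholder; Path=/realms/myrealm/; HttpOnly; Secure; SameSite=None",
  "AUTH_SESSION_ID=0f3c.node1; Path=/realms/myrealm/; HttpOnly; Secure; SameSite=None",
  "KEYCLOAK_SESSION=myrealm/0f3c/77aa; Domain=example.com; Path=/; Secure",
  "JSESSIONID=abc123; Path=/",
];
const AUTH_HOST = "auth.example.com"; // assumed Keycloak server host

console.log(auditSetCookieHeaders(SAMPLE_HEADERS, AUTH_HOST).join("\n"));
```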

No advertising data, behavioral analytics, or third-party sharing occurs. The adapter's sole purpose is authentication and session maintenance for the specific application.

Consent & Compliance

Keycloak falls squarely in the essential category. Authentication cookies are explicitly exempt from ePrivacy consent requirements under the "strictly necessary" exception — they are required to deliver the service the user has actively requested (logging in). Without these cookies and the associated script, the user cannot authenticate.

Under GDPR, the lawful basis for processing authentication data is contract (Article 6(1)(b)) — processing is necessary to perform the service the user has signed up for. No separate consent is needed for authentication session management.

Under CCPA/CPRA, authentication data is generally not subject to opt-out rights because it is not sold or shared and is necessary for service delivery. Operators deploying self-hosted Keycloak process data on their own infrastructure; those using cloud-hosted Keycloak (e.g., Red Hat SSO or third-party Keycloak hosting) should execute a DPA with the hosting provider.

Should You Block This Without Consent?

No. Keycloak scripts and cookies are strictly necessary authentication infrastructure. Blocking them would prevent users from logging into the application — a functional outcome that violates the basic service contract. They are exempt from ePrivacy consent requirements and should be categorized as essential, always-on scripts.

Consent Categories

Essential
Functional

Also Known As

keycloak, keycloak sso, open source identity, keycloak oauth, keycloak authentication consent

Industries

  • Computers Electronics and Technology
  • Programming and Developer Software
  • Business and Consumer Services
  • Science and Education

Tracked Domains (1)

keycloak.org (Essential)

Frequently Asked Questions

Does Keycloak require cookie consent?

No. Keycloak is an open-source identity and access management platform that sets session and authentication cookies strictly necessary for login and session continuity. These are essential for a service explicitly requested by the user and are exempt from consent requirements under GDPR and ePrivacy.

What cookies does Keycloak set?

Keycloak sets authentication session cookies including 'KEYCLOAK_SESSION' and 'KEYCLOAK_IDENTITY' to maintain logged-in state, plus 'KC_RESTART' for login flow resumption. OAuth tokens may also be stored as HttpOnly, Secure cookies. Expiry ranges from session-scoped to several hours depending on realm configuration.

How does ConsentStack handle Keycloak on a website?

ConsentStack detects Keycloak scripts and classifies them as essential and functional. Because Keycloak cookies are required for authentication, ConsentStack does not block them even when non-essential consent is withheld. They are surfaced in your consent audit as exempt, strictly necessary cookies.

Related Vendors

Firebase
Firebase is Google's mobile and web application development platform offering authentication, real-time database, cloud functions, and analytics. Web SDK scripts initialize Firebase services and may track app events via Firebase Analytics, which is powered by Google Analytics 4. Widely used in single-page apps and PWAs for backend infrastructure and usage tracking.
Google
Google is the dominant provider of web analytics, advertising, and infrastructure tools. Scripts like Google Analytics, Tag Manager, Ads, and reCAPTCHA collect behavioral data, manage tag firing, serve targeted ads, and detect bots. Sets persistent cookies to track users and correlate activity across sites.
Google Tag Manager
Google Tag Manager is a tag management system that lets marketers deploy and update analytics and marketing scripts without code changes. The GTM container script loads synchronously in the page head and injects configured tags, triggers, and variables on behalf of other vendors. No data collection of its own — acts as a loader for other scripts.
Google Fonts
Google Fonts is a free font hosting service that serves hundreds of typeface families via a global CDN. Stylesheets and font files load from fonts.googleapis.com and fonts.gstatic.com to deliver web fonts to visitors. No advertising or tracking functionality is included.
reCAPTCHA
Google reCAPTCHA is a bot detection and spam prevention service protecting web forms, login pages, and checkout flows. Scripts analyze user behavior, mouse movements, and browser fingerprints to distinguish humans from bots. The invisible reCAPTCHA v3 scores interactions without requiring user challenges.
Sign in with Google
Sign in with Google is an OAuth-based authentication service that enables users to log into websites using their Google account credentials. Scripts load the Google Identity Services library, display sign-in buttons, and handle token exchange for secure authentication. Stores session tokens and authentication cookies to maintain login state across page visits.

Manage consent for Keycloak

ConsentStack automatically detects and manages Keycloak trackers so your site stays compliant with global privacy regulations.