Difference between Keycloak’s login-required vs check-sso
The Keycloak.js adapter takes an onLoad configuration option that controls what Keycloak does on initial load. Supported values are login-required or check-sso.
onLoad: 'login-required'
The browser performs a full redirect to the Keycloak server and then back to your application to check the user’s authentication status.
The benefit is that this approach doesn’t rely on third-party cookies and is more reliable than the check-sso option.
The downside is that it requires loading your app’s resources twice: once for the initial load, and then again after the redirect from Keycloak. Not a big deal in most cases.
onLoad: 'check-sso'
With check-sso, the browser won’t perform a full redirect to the Keycloak server and then back to your app to check the user’s authentication status. Instead, the action will be performed in a hidden iframe.
The benefit is that your app’s resources are only loaded and parsed once by the browser instead of initially and then after the redirect.
The downside is that this hidden iframe authentication check relies on third-party cookies which can be unreliable or blocked depending on browser or browser settings.
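One way to combine the two modes, as an added example that is not code from the original post: public pages use check-sso, protected pages use login-required, and a protected route never trusts a negative check-sso result. The route prefixes, the silent-check-sso.html path and the function names are assumptions; onLoad, silentCheckSsoRedirectUri, init() and login() are keycloak-js names.

```javascript
// Added example, not from the original post. `keycloak` is an instance created
// with `new Keycloak(...)` from keycloak-js; it is passed in so the flow can be
// exercised with a stub. Route names and the silent-check page path are made up.
const PROTECTED_PREFIXES = ['/account', '/admin']; // hypothetical routes

function isProtected(path) {
  return PROTECTED_PREFIXES.some((p) => path === p || path.startsWith(p + '/'));
}

function buildInitOptions(path, origin) {
  if (isProtected(path)) {
    // Full redirect to Keycloak and back: no dependency on third-party cookies.
    return { onLoad: 'login-required' };
  }
  // Hidden-iframe check: the app loads once, but the iframe only sees the SSO
  // session if the browser sends Keycloak's cookies in a third-party context.
  return {
    onLoad: 'check-sso',
    silentCheckSsoRedirectUri: origin + '/silent-check-sso.html', // assumed path
  };
}

async function startAuth(keycloak, path, origin) {
  const options = buildInitOptions(path, origin);
  const authenticated = await keycloak.init(options); // resolves to a boolean
  return { mode: options.onLoad, authenticated };
}

// Call on client-side navigation. After check-sso, `false` can mean either
// "no session" or "the iframe could not see the session", so a protected
// route always gets the full redirect instead of trusting the silent result.
async function guardRoute(keycloak, state, nextPath, origin) {
  if (!isProtected(nextPath) || state.authenticated) return 'allow';
  await keycloak.login({ redirectUri: origin + nextPath });
  return 'redirect';
}
```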