Before reporting an issue

• I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

token-exchange

Describe the bug

After upgrading from 26.0.1 to 26.1.0, we encounter an issue where the token-exchange process no longer maintains session persistence. Users must log in twice to access the common realm.

Environment:

• Keycloak Version: 26.1.0
• Setup: One realm per tenant + one common realm
• Token exchange: Tenant-Realm → Common Realm

Version

26.1

Regression

• The issue is a regression

Expected behavior

When exchanging tokens from a Tenant-Realm to the Common Realm, the session should persist, and users should not be required to log in again. This worked as expected in 26.0.1.

Actual behavior

After updating to 26.1.0, users must log in again when accessing the common realm, even though the token exchange was successful.

How to Reproduce?

1. Configure two Realms with a token-exchange from one to the other
2. Log in to the Tenant-Realm.
3. Try to access a resource in the Common Realm.
4. Observe that a new login is required.

Anything else?

• The issue is reproducible using the account-console, suggesting it’s not a client configuration problem.
• Might be related to account-console no longer provides nonce/state parameter #37447 or the recent session ID format changes.