Parent: Keycloak PKCE + token relay

Logs in top-level, then sends short-lived access tokens into the cross-origin iframe via postMessage.

Masked tokens

(none)

Child iframe

Expecting origin: