I am using the Classic universal login for a web app, and need to allow the app to be embedded in an iFrame for a certain client domain. This can normally be set with the CSP: frame-ancestors setting, but does not seem possible with Auth0. I am aware that this can be enabled for everyone by disabling click-jacking protection, but this would be a security risk for my app. I need it for just specified domains.
Thank you for creating this feedback card. Make sure to upvote it so it can attract other community members' attention. Once we have some communication to reveal on that front, we'll let you know here.
I have a similar use case; a client wants to embed our web app in SuperOffice via a web panel (i.e. an iframe). We want to allow this for their domain, but by default disallow it to avoid the clickjacking vulnerability. Is this possible? If not, are you planning on making this possible in the future? Are there any workarounds without disabling clickjacking protection?
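The two posts above ask for the same thing: embedding allowed for a named client domain, denied by default for everyone else. The following is an added example, not code from the thread or from Auth0, showing the difference between the two options mentioned (an explicit `frame-ancestors` allowlist versus sending no directive at all, which is what disabling clickjacking protection amounts to). The origins are constructed sample values, and the matcher implements only a subset of CSP source-expression matching (exact origin and a leading `*.` subdomain wildcard), not the full specification.

```javascript
// Added example: build a frame-ancestors allowlist and check which ancestor
// origins it admits. Origins below are constructed sample values.

// Build the Content-Security-Policy header value. 'self' keeps the app's own
// origin; each entry in allowedOrigins is a scheme://host[:port] origin or a
// "*.host" subdomain wildcard. An empty list means "no one may embed us".
function frameAncestorsHeader(allowedOrigins) {
  if (allowedOrigins.length === 0) return "frame-ancestors 'none'";
  return "frame-ancestors 'self' " + allowedOrigins.join(" ");
}

// Simplified matcher for one source expression against an ancestor origin.
// Supports 'self', 'none', an exact origin, and a "*.host" wildcard that
// matches subdomains only (never the bare host). Real CSP matching also
// handles scheme-only sources and port wildcards, which are omitted here.
function matchSource(source, ancestorOrigin, selfOrigin) {
  if (source === "'self'") return ancestorOrigin === selfOrigin;
  if (source === "'none'") return false;
  if (source.startsWith("*.")) {
    const host = new URL(ancestorOrigin).hostname;
    return host.endsWith(source.slice(1)); // "*.a.example" -> ".a.example"
  }
  return source === ancestorOrigin;
}

// Decide whether an ancestor origin may embed the page under the given
// header value. No header means no restriction, which is the same exposure
// as turning clickjacking protection off for every domain.
function isEmbeddingAllowed(headerValue, ancestorOrigin, selfOrigin) {
  if (!headerValue) return true;
  const [directive, ...sources] = headerValue.trim().split(/\s+/);
  if (directive !== "frame-ancestors") return true;
  return sources.some((s) => matchSource(s, ancestorOrigin, selfOrigin));
}

// Stand-alone demonstration with constructed origins.
if (typeof require !== "undefined" && require.main === module) {
  const header = frameAncestorsHeader(["https://client.example", "*.partner.example"]);
  console.log(header);
  for (const o of ["https://client.example", "https://sub.partner.example", "https://evil.example"]) {
    console.log(o, isEmbeddingAllowed(header, o, "https://app.example") ? "allowed" : "blocked");
  }
}
```

`X-Frame-Options` only offers `DENY` and `SAMEORIGIN`, so a per-domain allowlist like this can only be expressed with `frame-ancestors`; that is why the thread asks for control over the CSP rather than over the legacy header.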
My company just created a new tenant to split environments. But the chosen solution is the New Universal Login experience.
I have an app that I want to access from another app, and we served it in an iFrame allowing the embedded app to auto-login using the same tenant as the ancestor app.
I can’t anymore.
The solution where it would be possible to customise the CSP would be perfect, setting only our company domains as allowed ancestors.
Hi @oystein-beaufort, how did you solve this issue? I am also having the same issue with SuperOffice. Please respond even if you haven't solved the issue. I just wanted to know if this is technically possible.
I know this is a late reply, but maybe this can help others.
We can make this work. If your application is inside an iframe, most identity providers' logins will not work. In order to make this work, you need to start the Identity server login process through a new HTML popup window (not a modal popup). This way the Identity server starts the authentication outside of the iframe, where there are no restrictions, and once you are successfully authenticated you need to communicate back to the iframe using JavaScript and pass the token from the external provider. Based on your application architecture, you may need to take this token from the external identity provider, do an authentication silently and refresh the application in the iframe.
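The popup approach in the post above has one security-relevant detail that is easy to get wrong: the token is handed back across windows with `postMessage`, so the embedded app must accept it only from the origin it expects, and the popup must target that origin explicitly rather than `"*"`. The following is an added example, not code from the poster or from any identity provider; `APP_ORIGIN`, `LOGIN_URL` and the message type are assumed names, and the handler logic is kept pure so it can be exercised without a browser.

```javascript
// Added example: popup-based login for an app embedded in an iframe.
// The iframe opens a top-level popup (not a modal) that runs the identity
// provider login outside the frame, where frame-ancestors does not apply.
// When the popup lands back on the app's own callback page, it posts the
// result to its opener; the iframe accepts it only from the expected origin.
// APP_ORIGIN, LOGIN_URL and MESSAGE_TYPE are assumed names for this example.

const APP_ORIGIN = "https://app.example";        // assumed origin of the embedded app
const LOGIN_URL = APP_ORIGIN + "/login-popup";    // assumed page that starts the IdP login
const MESSAGE_TYPE = "auth-result";               // assumed discriminator for the message

// Iframe side: open the login flow as a real window so the IdP pages run in
// a top-level browsing context. Returns the window handle (null if blocked).
function openLoginPopup(win = globalThis.window) {
  return win.open(LOGIN_URL, "idp-login", "popup=yes,width=480,height=640");
}

// Iframe side: build a "message" handler that accepts the auth result only
// from expectedOrigin and only in the expected shape. The return value names
// the decision so callers (and tests) can see why a message was dropped.
function createAuthMessageHandler(expectedOrigin, onToken) {
  return function handleMessage(event) {
    if (event.origin !== expectedOrigin) return "rejected-origin";
    const data = event.data;
    if (!data || typeof data !== "object" || data.type !== MESSAGE_TYPE) return "rejected-shape";
    if (typeof data.token !== "string" || data.token.length === 0) return "rejected-token";
    onToken(data.token);
    return "accepted";
  };
}

// Popup side (runs on the app's callback page after the IdP redirect): hand
// the token to the opener with an explicit target origin, so the browser
// refuses delivery if the opener has navigated somewhere else.
function postAuthResult(token, opener, targetOrigin) {
  if (!opener) throw new Error("no opener window");
  opener.postMessage({ type: MESSAGE_TYPE, token }, targetOrigin);
  return true;
}

// Wire the iframe side up in a browser; onToken would then start the silent
// session refresh the post describes. No-op outside a browser.
function installAuthListener(onToken, win = globalThis.window) {
  if (!win || typeof win.addEventListener !== "function") return false;
  win.addEventListener("message", createAuthMessageHandler(APP_ORIGIN, onToken));
  return true;
}
```

In the browser, `installAuthListener` runs in the embedded app, `openLoginPopup` is called from a user click (popup blockers reject windows opened without a gesture), and the callback page opened in the popup calls `postAuthResult(token, window.opener, APP_ORIGIN)` and then closes itself. Checking `event.origin` on the receiving side and passing a concrete `targetOrigin` on the sending side are the two checks that keep a token from being read by, or delivered to, a page on another origin.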