We are embedding our SaaS admin panel into the hardware interface of a partner via an iframe. Our application uses Auth0 for authentication. However, the admin panel is currently blocked from being loaded in an iframe due to standard security policies like X-Frame-Options and Content-Security-Policy (CSP) settings enforced by Auth0 and the application.
What We Need:
- Allow our admin panel (protected via Auth0) to be embedded into an iframe only on partner domains or hardware interfaces.
- Still maintain security against clickjacking and other web-based attacks.
- Ideally, avoid relaxing policies globally — limit to trusted origins only.
What We’ve Tried:
- Adding the partner's domain in Auth0 to Allowed Callback URLs, Allowed Logout URLs, and Allowed Web Origins
Questions:
- How can we configure Auth0 to allow our login flow to work within an iframe on trusted domains?
Additional Info:
- We use SPA + API
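For the part of the problem the application itself controls (the framing headers on its own responses, not the ones Auth0 sends), an added example that is not part of the post: a CSP frame-ancestors allowlist restricted to named partner origins, with a pre-deploy check of which parent origins it would admit. The panel and partner origins are constructed placeholders, and the middleware assumes an Express-style (req, res, next) handler but needs no package.

```javascript
// Added example, not from the post: emit a CSP frame-ancestors allowlist for the
// admin panel's own responses and pre-check which parent origins it admits.
// All origins below are constructed placeholders.

const SELF_ORIGIN = "https://admin.example-saas.com";   // constructed panel origin
const PARTNER_ORIGINS = [
  "https://panel.example-partner.com",                   // constructed partner site
  "https://*.devices.example-partner.net",               // constructed; any device subdomain
];

// HTTPS host-source only: optional "*." label, a hostname, optional port.
// No path, no scheme wildcard and never a bare "*", which would re-admit every site.
const HOST_SOURCE = /^https:\/\/(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)+(:\d{1,5})?$/i;

function buildFrameAncestors(origins) {
  for (const src of origins) {
    if (!HOST_SOURCE.test(src)) throw new Error(`unsafe frame-ancestors source: ${src}`);
  }
  // 'self' keeps the panel usable when opened directly rather than embedded.
  return `frame-ancestors 'self' ${origins.join(" ")}`;
}

// Would a browser enforcing this allowlist let `ancestorOrigin` frame the panel?
// Mirrors CSP host matching: exact origin, or "*." matching one or more leading labels.
function isAllowedAncestor(origins, ancestorOrigin) {
  let u;
  try { u = new URL(ancestorOrigin); } catch { return false; }
  if (u.origin !== ancestorOrigin) return false;   // reject paths, trailing slashes, junk
  if (u.origin === SELF_ORIGIN) return true;       // the 'self' source
  return origins.some((src) => {
    if (!src.startsWith("https://*.")) return src === u.origin;
    const suffix = src.slice("https://*.".length);
    return u.protocol === "https:" && u.host.endsWith("." + suffix);
  });
}

// Express-style middleware. Only CSP is set: X-Frame-Options cannot express a list
// of origins, and browsers that support frame-ancestors ignore it when both exist.
function frameAncestorsMiddleware(origins = PARTNER_ORIGINS) {
  const policy = buildFrameAncestors(origins);   // validated once at startup
  return (req, res, next) => {
    res.setHeader("Content-Security-Policy", policy);
    next();
  };
}
```

Keep the allowlist in configuration rather than code so a new partner is a config change, and reject any entry that fails validation at startup instead of at request time.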