Initiate authorization from another subdomain

Hey guys,
My application uses universal login page and auth0js like so:

  1. a user enters
  2. if there’s no cookie, the user is redirected to universal login page
  3. login page redirects back to #access_token=blablabla...
  4. I use auth0js to parse the hash and generate a cookie, then the user can start working

This flow works just great.

Now I want to embed lock into my marketing site which is on a different domain (
I tried adding lock but when the user is redirected to I get "state does not match" error which makes sense because the state got saved on domain and then tried to get verified on domain.

To work around this issue I created a page on which displays the lock page (using lock.js) and serve it on using an iframe.

As a side note, this also didn’t work at first because lock.js saves the state and nonce on localStorage and auth0js looks for the state in the cookies (and fails) - this can be fixed using an undocumented config value __tryLocalStorageFirst (in auth0js)

Now I have two problems with the iframe:

  1. If I log in with user+pass the login happens inside the iframe (but I need it to happen in the parent page - do you have support for that?)
  2. If I log in with google-oauth I get the following error inside the iframe “ refused to connect”

What is the best practice to solve this flow?
There are other sites that do this - in the marketing page they show login buttons that take you directly to google-oauth and then to their app (instead of taking you to the app universal login where you then need to click another button to start the oauth process)
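
The "state does not match" error described in the post, as an added example that is not part of the original post and not Auth0's code: a small model of per-origin browser storage and the OAuth `state` check, showing why a login started on one origin cannot be verified on another. The class, the function names and the two origins are hypothetical.

```javascript
// Added illustration: per-origin storage and the OAuth "state" check.
// OriginStorage, startLogin, handleCallback and both origins are hypothetical.
const crypto = require('crypto');

// Browser storage (localStorage, host-only cookies) is partitioned by origin.
class OriginStorage {
  constructor() { this.byOrigin = new Map(); }
  set(origin, key, value) {
    if (!this.byOrigin.has(origin)) this.byOrigin.set(origin, new Map());
    this.byOrigin.get(origin).set(key, value);
  }
  // Read once, then delete, so a state value cannot be replayed.
  take(origin, key) {
    const store = this.byOrigin.get(origin);
    if (!store || !store.has(key)) return undefined;
    const value = store.get(key);
    store.delete(key);
    return value;
  }
}

// Step 1: the page that starts login stores a random state under its own origin.
function startLogin(storage, initiatingOrigin) {
  const state = crypto.randomBytes(16).toString('hex');
  storage.set(initiatingOrigin, 'oauth_state', state);
  return state; // sent to the authorization server and echoed back in the hash
}

// Step 2: the callback page compares the echoed state with what ITS origin stored.
function handleCallback(storage, callbackOrigin, hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  const expected = storage.take(callbackOrigin, 'oauth_state');
  const returned = params.get('state');
  if (!expected || !returned || expected !== returned) {
    return { ok: false, error: 'state does not match' };
  }
  return { ok: true, accessToken: params.get('access_token') };
}

// Constructed origins and token for the demo.
const MARKETING = 'https://marketing.example';
const APP = 'https://app.example';

function demo() {
  const storage = new OriginStorage();
  const s1 = startLogin(storage, MARKETING); // login started on the marketing site
  const crossOrigin = handleCallback(storage, APP, `#access_token=tok&state=${s1}`);
  const s2 = startLogin(storage, APP); // login started on the app itself
  const sameOrigin = handleCallback(storage, APP, `#access_token=tok&state=${s2}`);
  return { crossOrigin, sameOrigin };
}
```

The check exists to tie the callback to the browser session that started the login, which is why it cannot simply be skipped when the initiating page lives on a different origin.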