I have an application that is using Auth0 to authenticate users. Now I would like that any third party sites can embed my application in an iframe so that they can use the services from my app.
I’m not sure about the security implications of this. I did a PoC and tried to access the id token from the third party site and I can see that it is forbidden by the browser:
Uncaught DOMException: Permission denied to access property "document" on cross-origin object
But the fact that the token lives in the local session storage makes me a little uneasy about this use case.
What would be the recommendation?