New Universal Login Support for IFrames (Office Addin Authentication)

glynn.fouche · August 9, 2021, 7:41pm

“New” Universal Login Support for IFrames (Office Addin Authentication)

Currently we have to use the “Classic” Universal Login for Authenticating our Office Addins with Auth0. This is because they run within I-Frame containers provided by Microsoft Office. We are able to use the “Classic” flow because we have the ability to “disable click jacking”

We would like to use the “New” universal Login flow for our Office Addins because we have multiple applications within the same tenant. We have to downgrade all of our other applications to “Classic” to support our addins.

Worst case, we would like to disable the click-jacking protection in the “New” UL (even if there is a huge warning

Otherwise - please provide some alternative work arounds. Thank you in advance.

dan.woda · August 9, 2021, 8:56pm

Hi @glynn.fouche,

Welcome to the Auth0 Community!

Thanks for providing your feedback. I updated the title to reflect your request.

glynn.fouche · August 26, 2021, 5:46pm

We need to make a decision:

Will the “New” Universal Login Support IFrames (Office Addin Authentication) - if so when.

Thank you in advance.

jacoby · October 14, 2021, 9:58am

Support for iframe embedding is why I’m looking at Auth0 actually, because Cognito doesn’t allow it which breaks my use case.

Please answer, Auth0

konrad.sopala · October 14, 2021, 10:06am

Thanks for providing your +1 to it Jacoby! I’m gonna relay it to appropriate team!

maxime1 · August 19, 2022, 9:52am

Up ! Is there a solution to login from an iframe with the “new universal login” method ?

g.feiken · December 12, 2022, 9:33am

We have discussed a related issue with your support: to specify which domains should allow iframes. Currently it’s either allow nothing or allow everything (by enabling the “Disable clickjacking protection for Classic Universal Login” flag). However, we’d rather specify the domain name(s) which should return in the frame-ancestors directive.

See also CSP: frame-ancestors - HTTP | MDN.

konrad.sopala · December 12, 2022, 10:24am

Thanks for sharing that with the rest of community!

system · December 26, 2022, 10:24am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

panot.chaimongkol · February 25, 2025, 12:51pm

Is there updates to this? It’d be great if we can specify the domain(s) which are returned in frame-ancestors directive, as suggested by g.feiken. This would be a great compromise between security and flexibility.

Topic		Replies	Views
Allowing app to be used in iFrames for custom domains Product Feedback login , security , iframe	7	4454	November 17, 2024
Make Content-Security-Policy frame-ancestors directive configurable for New Universal Login Product Feedback security , new-universal-login	15	4054	February 23, 2025
X-Frame-Options: SAMEORIGIN Get Help auth0 , login	5	5675	December 21, 2019
Universal cross-origin-authentication Get Help auth0	2	5157	December 27, 2019
Login cross-site with new universal login and iFrames Get Help login-experience , new-universal-login-experience	5	1791	January 28, 2025

New Universal Login Support for IFrames (Office Addin Authentication)

Related topics