Universal cross-origin-authentication

Hello there guys, before posting this topic I made sure that I read everything I could about the authentication API of auth0, but couldn’t find the data I was looking for.

So our company is using auth0 authentication services via Universal Login form with the Clickjacking option enabled (sending the additional https headers for iframes and so on). In our products this works fine, but currently we are building applications on third-party platforms where the authentication is also necessary for our products.

For example, we are building an application on the Microsoft Teams platform. So we have provided custom ‘teams’ authentication to access our app, but below that the app is using our product, and this product requires a 2nd authentication from auth0. Since Teams is serving our application through an iframe, we get the error “Refused to display … in a frame because an ancestor violates the following Content Security Policy directive: “frame-ancestors ‘none’””. We have to disable the ‘clickjacking options for security headers’ and that’s fine, but we would also like to disable it only for a specific domain.

So the question here is: if we disable the ‘clickjacking option’ and add our custom domain to the Allowed Web Origins list (which, as far as I read, enables cross-origin authentication for Embedded Login, but I didn’t find info on whether it does for Universal Login too), does this mean that the Universal Login form will be served with disabled security headers only for the domains in the ‘Allowed Web Origins’ list, or will this globally allow the login form to be served through an iframe for all third-party domains?

Best Regards,
Iliya.

2 Likes

Just to clarify, when you say “Clickjacking option enabled”, do you mean that the Disable clickjacking protection for Classic Universal Login is turned ON or OFF?

In any case, this is a global option (it affects all domains) and should be OFF in pretty much ALL circumstances. I don’t know how the Microsoft Teams integration works. But if Teams does not give you the information about the user that you need and you need to authenticate the user separately, it should offer some support for either full redirect or popup authentication, so that it doesn’t require the insecure IFRAME option.

1 Like
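To make concrete why the error quoted in the question appears and why a global toggle differs from a per-domain allowlist, here is an added example (not auth0’s code or anything from this thread) that models how a browser evaluates the Content Security Policy `frame-ancestors` directive against the chain of embedding origins. The origins, header values and the hypothetical login host `login.example.com` are constructed for the demonstration; only `teams.microsoft.com` comes from the thread’s context.

```javascript
// Added example: a model of the browser-side "frame-ancestors" check.
// Not Auth0 code. Origins are "scheme://host[:port]" strings; the
// login origin "https://login.example.com" is a constructed placeholder.

// Break an origin string into the parts a CSP source expression can match.
function parseOrigin(origin) {
  const u = new URL(origin);
  const scheme = u.protocol.replace(':', '');
  // Fill in the default port so "https://x:443" and "https://x" compare equal.
  const port = u.port || ({ https: '443', http: '80' }[scheme] || '');
  return { scheme, host: u.hostname, port };
}

// Does one CSP source expression allow one ancestor (embedding) origin?
function sourceMatches(source, pageOrigin, ancestor) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return true;
  if (s === "'self'") return new URL(ancestor).origin === new URL(pageOrigin).origin;
  const a = parseOrigin(ancestor);
  // Scheme-only source such as "https:".
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return a.scheme === s.slice(0, -1);
  // Host source: optional scheme, optional "*." wildcard, optional port.
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme !== a.scheme) return false;
  if (wildcard) {
    if (!a.host.endsWith('.' + host)) return false;
  } else if (a.host !== host) {
    return false;
  }
  if (port && port !== '*' && port !== a.port) return false;
  return true;
}

// Pull the frame-ancestors source list out of a full CSP header value.
// Returns null when the directive is absent (no framing restriction from CSP).
function frameAncestorsSources(cspHeader) {
  for (const directive of cspHeader.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// The page may be framed only if every ancestor in the chain matches at
// least one source. An empty source list behaves like 'none'.
function framingAllowed(cspHeader, pageOrigin, ancestorOrigins) {
  const sources = frameAncestorsSources(cspHeader);
  if (sources === null) return true;
  return ancestorOrigins.every(anc =>
    sources.some(src => sourceMatches(src, pageOrigin, anc)));
}

// Build the per-origin header a site would send to allow only named embedders
// (plus itself), instead of dropping the protection for everyone.
function buildFrameAncestorsHeader(allowedOrigins) {
  return "frame-ancestors 'self' " + allowedOrigins.map(o => new URL(o).origin).join(' ');
}

// Walk-through of the scenario from the thread (constructed values).
function demo() {
  const login = 'https://login.example.com';
  const teams = 'https://teams.microsoft.com';
  const strict = "frame-ancestors 'none'";            // what produced the quoted error
  const scoped = buildFrameAncestorsHeader([teams]);  // allowlist for one embedder
  return {
    strictBlocksTeams: framingAllowed(strict, login, [teams]) === false,
    scopedAllowsTeams: framingAllowed(scoped, login, [teams]) === true,
    scopedBlocksOthers: framingAllowed(scoped, login, ['https://other.example']) === false,
    noDirectiveAllowsAll: framingAllowed("default-src 'self'", login, ['https://other.example']) === true,
  };
}
```

`demo()` returns true for each field: a `'none'` policy refuses the Teams frame, a scoped allowlist admits Teams while still refusing any other embedder, and removing the directive altogether (the effect of a global “disable” switch) admits every embedder, which is the distinction the question is asking about.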

The option is pretty much turned OFF, which omits the security headers for all domains. I have found another solution for this problem that works fine. In Teams we get the user info easily; the problem is when you need to show the iframe, and if it doesn’t find the token it should open the auth0 login form (which doesn’t get rendered).

The problem is that you can’t know whether a user has a token or not, so the iframe will pretty much try to load every time.