Hello there guys, before posting this topic I ensured that I read everything I could about the authentication API of Auth0 but couldn’t find the data I was looking for.
So our company is using Auth0 authentication services via the Universal Login form with the Clickjacking option enabled (sending the additional HTTP headers for iframes and so on). In our products this works fine, but currently we are building applications on third-party platforms where authentication is also necessary for our products.
For example, we are building an application on the Microsoft Teams platform. So we have provided custom ‘Teams’ authentication to access our app, but underneath, the app is using our product, and this product requires a second authentication from Auth0. Since Teams serves our application through an iframe, we get “Refused to display … in a frame because an ancestor violates the following Content Security Policy directive: “frame-ancestors ‘none’””. We have to disable the ‘Clickjacking options for security headers’, and that’s fine, but we would also like to disable it for a specific domain.
So the question here is: if we disable the ‘Clickjacking option’ and add our custom domain to the Allowed Web Origins list (which, as far as I read, enables cross-origin authentication for Embedded Login, but I didn’t find info on whether it does for Universal Login too), does this mean that the Universal Login form will be served with disabled security headers only for the domains in the ‘Allowed Web Origins’ list, or will this globally allow the login form to be served through an iframe for all third-party domains?
Best Regards,
Iliya.
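Added illustration, not part of the original post and not Auth0’s implementation: a small evaluator of the CSP `frame-ancestors` directive, showing why a response carrying `frame-ancestors 'none'` is refused inside any iframe (even one on the page’s own origin) and what a per-origin allowlist, the standard CSP way of scoping framing to specific domains rather than disabling the protection globally, looks like. All hostnames are constructed placeholders; ports are ignored for simplicity.

```python
"""Evaluate a CSP frame-ancestors directive against an embedding origin.

Models the standard CSP matching rules for frame-ancestors: 'none', 'self',
and host sources with an optional scheme and a leading wildcard label.
Hostnames in the sample headers are constructed placeholders.
"""
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample headers: the refusing one and a scoped allowlist.
CSP_NONE = "default-src 'self'; frame-ancestors 'none'"
CSP_ALLOWLIST = ("frame-ancestors 'self' https://teams.example-platform.test "
                 "https://*.partner.test")


def parse_frame_ancestors(csp_header: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp_header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def _host_source_matches(source: str, anc_scheme: str, anc_host: str) -> bool:
    """Match one host-source (e.g. https://*.partner.test) against an ancestor origin."""
    if "://" in source:
        scheme, host = source.split("://", 1)
        if scheme != anc_scheme:          # explicit scheme must match
            return False
    else:
        host = source                     # scheme-less source: any scheme
    host = host.split("/", 1)[0]          # frame-ancestors ignores any path part
    if host.startswith("*."):             # wildcard covers subdomains only
        return anc_host.endswith(host[1:])
    return host == anc_host


def may_be_framed_by(csp_header: str, page_origin: str, ancestor_origin: str) -> bool:
    """True if a page from page_origin served with csp_header may be framed by ancestor_origin."""
    sources = parse_frame_ancestors(csp_header)
    if sources is None:
        return True                       # no directive: CSP imposes no framing restriction
    page, anc = urlsplit(page_origin), urlsplit(ancestor_origin)
    anc_scheme, anc_host = anc.scheme.lower(), (anc.hostname or "").lower()
    for source in (s.lower() for s in sources):
        if source == "'none'":
            return False                  # 'none' refuses every ancestor, own origin included
        if source == "'self'":
            if page.scheme.lower() == anc_scheme and (page.hostname or "").lower() == anc_host:
                return True
            continue
        if _host_source_matches(source, anc_scheme, anc_host):
            return True
    return False                          # no source matched: the browser refuses to render
```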