Using Auth0 login in iFrame

adeel · September 29, 2022, 2:37pm

SDK Version: 1.9.1
Platform Version: Next Js

Use Case: We need to open our Auth0 Next Js app in a third party app using an iframe. It throws error when using New Universal Login. Secondly, by using Classical login, login call returns error.
Note: Our app works fine when used without iframe

Can we use New Universal Login with an iframe ?
According to the docs,

We are using Classical Universal Login
Disabled Clickjacking for Classical Universal Login from Settings

We can successfully login on a standalone auth0 nextjs app. However, if we use the same app in an iframe we see two network calls:

Login call with url {DOMAIN}/usernamepassword/login ==> Error 403
Payload:

{
    "client_id": {{CLIENT_ID}},
    "redirect_uri": "http://localhost:3002/api/auth/callback",
    "tenant": "dwdev",
    "response_type": "code",
    "scope": "openid profile email",
    "state": "hKFo2SBBX3lBcmpaX043a0FEcGJKelR1X0RoR290OHZVcVhIOKFupWxvZ2luo3RpZNkgZjRhTEFZbUQ3anpoS25ON1l2cW9rbUhtQ3ZuaGFWRlCjY2lk2SBtRmFUYmFYd2ZqMFAwcnhOOGV0MXlMT1NWTktvenUyZg",
    "nonce": "QIJjsKdjm4rjnZHeqhmG3b6R3dFpMiYahAhi32zCByg",
    "connection": "dw-db",
    "username": "janedoe",
    "password": "password",
    "popup_options": {},
    "sso": true,
    "_intstate": "deprecated",
    "_csrf": "5C2roH8F-imlQoAVsX62ALJlmKK_2GUExtfU",
    "audience": {{AUDIENCE}},
    "code_challenge_method": "S256",
    "code_challenge": "6xjFmJtswZR9wCH7v6FHbGsZlEIOc-s8Wao2aURoqZ8",
    "protocol": "oauth2",
    "type": "code"
}

Response:

{
    "statusCode": 403,
    "description": "Invalid state",
    "name": "AnomalyDetected",
    "code": "access_denied"
}

Challenge call with url {DOMAIN}/usernamepassword/challenge ==> Error 404

hakeem · September 29, 2022, 5:05pm

Facing the same problem.

tyf · September 29, 2022, 8:45pm

Hey there @adeel welcome to the community!

New Universal Login does not support the use of iframes.

Assuming the the iframe and app itself are on different domains, you might want to look into cookies that are being blocked by the iframe. It’s good to know that your login flow is working outside of the context of an iframe - This definitely narrows it down a bit.

adeel · September 30, 2022, 8:07am

Thanks for your response.

I have switched to classic Universal Login from New Universal Login and also disable the clickjacking for classic Universal Login, but still unable to login with that .

How can I know that which cookies is blocking on iframe?