Issues with external provider login via iframe #151
We have a product that uses Duende IdentityServer for authentication. We have added an integration to an external provider (OpenID Connect) to allow logins from an external source using the dynamic provider feature. For these logins we use a login hint to enable SSO by adding the ?idp= query parameter to the URL. This works fine without issues. We now have a requirement to allow these URLs inside an iframe. Testing this we see that it works for most browsers, but in Chrome incognito and Safari we get issues. From Chrome incognito I can see that the issue is that the server is setting two cookies but that the browser is not allowing them with the warning: "This attempt to set a cookie via the Set-Cookie header was blocked due to user preferences". In Edge incognito the cookies are set as expected. Is there any configuration that can be made to fix this?
Replies: 3 comments
Hello Martin, From the screenshot you provided, the relationship between your application host and identity provider is unclear to me. If the identity provider and the application are on different domains, cross-domain iframe integration is typically not recommended as browser vendors become increasingly stringent about what can access and set a cookie. Your screenshot does highlight that https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options You can choose
Many providers essentially disable iframes, because they are a security weakness and strongly discouraged by OAuth standards. Being "required" to do it doesn't make it possible.
Sorry for the late reply. We tried the headers suggested above without success. We solved the issue by adding custom domains on the login server to match the domain of the application that is doing the iframing. This works for both Chrome incognito (with deny third party cookies enabled) and Safari.
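The custom-domain fix above works because it turns the login server's cookies into first-party cookies for the framing page. The following added check (not code from the discussion or from Duende) takes the Set-Cookie headers a login server returns plus the URL of the embedding application and reports, per cookie, whether it is first-party or third-party in the iframe and why a third-party one would be dropped; the hostnames and cookie names are constructed, and registrable domains are approximated without a Public Suffix List.

```python
"""Added example: classify a login server's Set-Cookie headers as seen from a page
that embeds the login in an iframe (first-party vs. third-party, and why blocked)."""
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    # Assumption: no Public Suffix List lookup; eTLD+1 is approximated as the
    # last two labels, which is adequate for the constructed hosts below.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header: str):
    """Split 'name=value; Attr=v; Flag' into (name, value, {attr: v})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def classify_cookie(header: str, login_url: str, embedding_url: str):
    """Return (cookie name, 'first-party' | 'third-party', verdict)."""
    name, _, attrs = parse_set_cookie(header)
    login_host = urlsplit(login_url).hostname
    cookie_host = attrs.get("domain", login_host).lstrip(".")
    embed_host = urlsplit(embedding_url).hostname
    if registrable_domain(cookie_host) == registrable_domain(embed_host):
        # Same site as the framing page: the cookie is first-party inside the iframe,
        # which is what the custom-domain fix achieves.
        return name, "first-party", "sent"
    same_site = attrs.get("samesite", "lax").lower()  # Chrome treats a missing attribute as Lax
    if same_site != "none" or "secure" not in attrs:
        return name, "third-party", "blocked: needs SameSite=None; Secure"
    return name, "third-party", "blocked when third-party cookies are disabled"


def check_login_cookies(headers, login_url, embedding_url):
    return [classify_cookie(h, login_url, embedding_url) for h in headers]


# Constructed sample headers (names chosen for illustration only)
SAMPLE_HEADERS = [
    "idsrv=abc123; Path=/; Secure; HttpOnly; SameSite=None",
    "idsrv.session=s1; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for url in ("https://login.idp-example.net", "https://login.example.com"):
        print(url, check_login_cookies(SAMPLE_HEADERS, url, "https://app.example.com"))
```

Running it shows the cookies blocked from the separate-domain login host and sent once the login server is served from a host under the application's domain.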