Do third-party logins work inside the iframe?

I would like to create a simple web application and let partners embed it in their sites. I intend to let partners embed it with an iframe, just like youtube:


The application will require login through third-party authentication providers (e.g. Google, Facebook, OpenID).

Would such an authentication method be an issue within an iframe?

+6
3 answers

This approach may be a bit problematic, but doable. Many of the authentication providers that use OAuth, for example (Google, Facebook, OpenID), redirect users to a given URL after they log in and authenticate the application. You will need to find a way to return them to the page from which they came (the one with the iframe). I think you can find out where your iframe is located (window.top, window.parent, etc.). Save this information in the SESSION or a COOKIE, and then return the user to that page once authentication is complete.

+4
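The answer above stores "where the user came from" and redirects there after the provider calls back. That stored target is attacker-influenced input, so the added example below (not code from the answer or from any project) validates it against an allowlist of partner origins before it ever reaches the session, and consumes it exactly once in the callback. Assumed: Node.js with the global `URL` class; the partner page hands its own URL to the widget (for instance as a `?return=` query parameter, or via `document.referrer`); the origins, `DEFAULT_RETURN` and the session object are constructed for the demo.

```javascript
// Added example (not code from the answer above): validating the
// "return to the partner page" URL before storing it in the session.
// Assumed: Node.js with the global URL class; the partner page passes
// its own URL to the widget, e.g. as a ?return= query parameter, or the
// widget reads document.referrer. Names and origins below are constructed.

const ALLOWED_PARTNER_ORIGINS = new Set([
  'https://partner-one.example',
  'https://partner-two.example',
]);
const DEFAULT_RETURN = 'https://widget.example/'; // constructed fallback

// Returns an absolute https URL on an allowed partner origin, or null.
// An unvalidated return target would turn the callback into an open
// redirect, which phishing pages can abuse right after a real login.
function pickReturnUrl(candidate, allowedOrigins = ALLOWED_PARTNER_ORIGINS) {
  if (typeof candidate !== 'string' || candidate === '') return null;
  let url;
  try {
    url = new URL(candidate);            // rejects relative and garbage input
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'https:') return null;        // no http:, javascript:, data:
  if (url.username || url.password) return null;     // credentials never belong here
  if (!allowedOrigins.has(url.origin)) return null;  // exact origin, not a substring
  return url.href;
}

// Login start (before redirecting to the OAuth provider): remember the target.
function beginLogin(session, requestedReturn) {
  session.returnTo = pickReturnUrl(requestedReturn) || DEFAULT_RETURN;
  return session.returnTo;
}

// Provider callback: consume the stored target once and hand it to redirect().
function finishLogin(session) {
  const target = session.returnTo || DEFAULT_RETURN;
  delete session.returnTo;
  return target;
}

// Stand-alone demonstration with a constructed session object.
if (typeof require !== 'undefined' && require.main === module) {
  const session = {};
  console.log(beginLogin(session, 'https://partner-one.example/page?tab=2'));
  console.log(beginLogin({}, 'https://partner-one.example.evil.example/'));
  console.log(finishLogin(session));
}
```

The origin comparison is an exact string match on `url.origin`, which is what defeats look-alike hosts such as `partner-one.example.evil.example`; a `startsWith` or substring check on the raw string would not. Reading the parent's location from inside the frame only works when both are same-origin, so in practice the partner page passes its URL explicitly or the widget relies on `document.referrer`, both of which go through the same validation.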

An iframe is just a small browser window. Since your question is not about passing messages to and from the frame, I would say that the difficulty is exactly the same as implementing these functionalities anywhere else. In any case, you get the user to the auth provider, they register and somehow return to what they were doing, whether that is a full browser window or an iframe. However, if the iframe is very small, they should probably open a new window.

+3
source

This may be a problem. Displaying authentication dialogs in an iframe is usually considered a security risk, and many authentication providers explicitly send X-Frame-Options: sameorigin with their authentication pages, preventing compliant browsers (read: almost all modern browsers) from rendering their authentication pages within an iframe. Looking around, it seems that at least Facebook, Twitter and Google prohibit authentication inside an iframe (this list, of course, is not exhaustive). This could probably be worked around by opening a new browser window for the actual authentication flow, but it probably would not be possible inside the iframe itself.

Description of the clickjacking exploit leading to this situation: http://javascript.info/tutorial/clickjacking

Reference documentation for the X-Frame-Options header: http://www.rfc-editor.org/rfc/rfc7034.txt

+3
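The answer above points to a popup window as the way around the providers' X-Frame-Options, and to clickjacking as the reason the header exists. The added example below (not code from the answer, and not any provider's SDK) shows both halves from the embedded app's side: the popup flow with a `postMessage` completion signal whose origin and source are verified, and the frame headers the app's own responses should carry so that partners may frame the widget while the login pages stay unframeable. Assumed: the widget is served from `APP_ORIGIN` (constructed); its `/login` route redirects to the provider, and `/login/done` is the page the provider's callback finally renders inside the popup; `login-button` is a hypothetical element id.

```javascript
// Added example (not code from the answer above): the "open a new browser
// window for the actual authentication flow" workaround, from the embedded
// app's side, plus the frame-related headers the app itself should send.
// Assumed: the widget is served from APP_ORIGIN (constructed); its /login
// route redirects to the provider and its /login/done page is what the
// provider's callback finally renders inside the popup.

const APP_ORIGIN = 'https://widget.example';

// Pure check (testable without a browser): accept a completion message only
// if it carries our own origin, comes from the popup we opened, and has the
// expected shape. Any frame on the page can call postMessage on our window,
// so the listener must not trust event.data on its own.
function isTrustedAuthMessage(event, popupRef, expectedOrigin = APP_ORIGIN) {
  if (!event || event.origin !== expectedOrigin) return false;
  if (!popupRef || event.source !== popupRef) return false;
  const data = event.data;
  return data !== null && typeof data === 'object' && data.type === 'auth-complete';
}

// Headers for the app's own responses. Partners may frame the widget pages,
// but the login and callback pages must never be framed, for the same
// clickjacking reason the providers refuse to be framed.
function frameHeadersFor(path, partnerOrigins) {
  if (path.startsWith('/login')) {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  // X-Frame-Options cannot list several origins; CSP frame-ancestors can.
  return { 'Content-Security-Policy': 'frame-ancestors ' + partnerOrigins.join(' ') };
}

// Inside the iframe: open our own login page as a top-level window, since
// X-Frame-Options applies to framing, not to popups.
function startLoginInPopup(win) {
  const popup = win.open(APP_ORIGIN + '/login', 'widget-login', 'width=500,height=650');
  if (!popup) return null; // popup blocked; caller should offer a plain link
  function onMessage(event) {
    if (!isTrustedAuthMessage(event, popup)) return;
    win.removeEventListener('message', onMessage);
    win.location.reload(); // session cookie is now set; re-render logged in
  }
  win.addEventListener('message', onMessage);
  return popup;
}

// On /login/done inside the popup: tell the opener and close. The explicit
// targetOrigin means the message is dropped if the opener is not our app.
function notifyOpenerAndClose(win) {
  if (win.opener) win.opener.postMessage({ type: 'auth-complete' }, APP_ORIGIN);
  win.close();
}

// Browser-only wiring; skipped when the file is run under Node.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  if (window.location.pathname === '/login/done') {
    notifyOpenerAndClose(window);
  } else {
    const button = document.getElementById('login-button');
    if (button) button.addEventListener('click', () => startLoginInPopup(window));
  }
}
```

The completion message deliberately carries no identity data: the popup only signals that the login finished, and the iframe re-fetches its state with the session cookie, so nothing security-relevant rides on a message that any script on the page could try to forge. That reload assumes the app's session cookie is sent inside a cross-site iframe at all, which in current browsers requires it to be set with `SameSite=None; Secure`.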
