X-Frame-Options and silent refresh
-
I'm attempting to migrate an Angular application across from Auth0 to FusionAuth. I am using the angular-oauth2-oidc library to replace the Auth0 library. The issue I am having is using implicit flow and the silent refresh option. The FusionAuth server seems to deny X-Frame-Options, so silent refresh will not work. Auth0 had an option to allow X-Frame-Options in the library, but I can't find whereabouts to allow this in FusionAuth. I have added X-Frame-Options in the allowed headers of the CORS setting, but this does not seem to make a difference. Any ideas appreciated. I realise Implicit Flow is not considered best practice; however, I'm trying not to rewrite the entire auth service in the Angular application.
-
Hi,
So I'm not intimately familiar with this use case, but I have a couple of pointers.
Did you add X-Frame-Options to the exposed headers in the System setting? (This is more of a guess than a recommendation.)

Silent refreshes have some other issues. This GitHub issue may be of interest: https://github.com/FusionAuth/fusionauth-issues/issues/521. It points to a workaround: https://stackoverflow.com/questions/55859793/is-prompt-none-for-silent-refresh-in-a-spa-possible-with-fusionauth-and-its-prov where there's actually a suggestion to tweak the web.xml file.

Finally, if you have a support contract with us, please open a ticket.
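
Added example, not from the thread or from FusionAuth's code: a browser decides whether the silent-refresh iframe may load from the framed response's own X-Frame-Options or CSP frame-ancestors header, and CORS headers play no part in that decision. The hosts, URLs and the function name `framingDecision` are constructed for illustration.

```javascript
// Added example: models the browser's framing check for one iframe level.
// Handles frame-ancestors 'none', 'self', * and exact origins (no host wildcards).
function framingDecision(headers, embedderUrl, framedUrl) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const embedder = new URL(embedderUrl).origin;
  const framed = new URL(framedUrl).origin;

  // A CSP frame-ancestors directive, when present, is used instead of X-Frame-Options.
  const directive = (h['content-security-policy'] || '')
    .split(';')
    .map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    const allowed = directive.slice(1).some((src) => {
      if (src === "'none'") return false;
      if (src === "'self'") return embedder === framed;
      if (src === '*') return true;
      try { return new URL(src).origin === embedder; } catch { return false; }
    });
    return { allowed, decidedBy: 'frame-ancestors' };
  }

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo === 'DENY') return { allowed: false, decidedBy: 'x-frame-options' };
  if (xfo === 'SAMEORIGIN') {
    return { allowed: embedder === framed, decidedBy: 'x-frame-options' };
  }
  // Header absent, or a value current browsers do not enforce (e.g. ALLOW-FROM).
  return { allowed: true, decidedBy: 'none' };
}

// Constructed sample values (hypothetical hosts, not taken from the thread).
const APP = 'https://app.example.test/silent-refresh.html';
const IDP = 'https://auth.example.test/oauth2/authorize?prompt=none';
const BLOCKED = {
  'X-Frame-Options': 'DENY',
  // CORS response headers: never consulted by the framing check above.
  'Access-Control-Allow-Headers': 'X-Frame-Options',
  'Access-Control-Expose-Headers': 'X-Frame-Options',
};
const FRAMEABLE = {
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors https://app.example.test",
};

console.log(framingDecision(BLOCKED, APP, IDP));
console.log(framingDecision(FRAMEABLE, APP, IDP));
```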