SSO not working inside iframe
-
We currently have two apps in different domains, A and B.
A is a WordPress website, and in one of its pages, there is an iframe with src to app B.
When a user is authenticated in A, and goes to the iframe page, it is required to authenticate again for B inside the iframe.
However, if I open another browser tab and go to app B, SSO works and it automatically authenticates. The strange thing is, if I now come back to the iframe page in A and reload, it is automatically authenticated inside the iframe as well.
Any ideas what this could be?
Cookie problem maybe?
Thank you!
-
Hi @joseantonio,
Can I ask what browser you are using? Is this same issue happening for you regardless of the browser used?
You might be having difficulty with same-site cookies issued across browsers especially as it relates to iFrames. Modern browsers also apply strict conditions to the cookies in an iframe.
Finally, below is also some information regarding CORS and I-Frame/Headers that might be useful/good background.
Thanks!
Josh -
Hello @joshua, thank you for the information!
It actually happens in every browser I've tested in (Chrome, Edge and Firefox, and IE).
I checked the samesite attribute and every other configuration for cookies, as well as for iframes.
What I have tried so far:
- Setting samesite attribute to None and secure to true (applied to all FusionAuth cookies created from my site).
- Adding sandbox attribute to iframe object like sandbox="allow-same-origin allow-scripts"
Also, I have noticed that the FA login page sets its own cookie "fusionauth.sso" with samesite Lax. Our login is hosted in FA.
SSO still works in a new tab.
Hope this information helps.
Thank you!
Jose.
-
Hi @joseantonio,
Just double-checking you have reviewed setting cookies as referenced in the documentation for FusionAuth.
https://fusionauth.io/docs/v1/tech/reference/configuration/#options
With env vars:
Or with config file (fusionauth.properties):
Also, perhaps obviously, I wonder if there are any rules in place for your App B and App A that you might not have accounted for? Some WordPress security setting and plugin perhaps? (I am not very familiar with WordPress).
Thanks,
Josh -
Hi @joshua,
Thank you for the new info!
I thought those settings were not possible in the cloud version. Am I wrong?
Being able to apply that configuration in the cloud version might be the solution, hope it can be done!
For the apps part, I have tested in a simple local Apache server as well, just a static HTML page with the iframe and I got the same result.
Thank you so much!
-
Let me check to see what settings are adjustable within the cloud service regarding cookies.
I also want to ask if you are using incognito mode or if you are mixing schema (i.e., going from HTTPS -> HTTP or vice versa). Both of those scenarios could be a source of your current issues as well.
Thanks,
Josh -
Thank you @joshua,
Alright then, I've tried using incognito mode as well. Also checked everything is HTTPS -> HTTPS.
I'll wait for the cookie settings news.
-
This is a bit longer of a post, but I wanted to give you some jumping-off points to explore different solutions.
Assumptions
I want to confirm a few base assumptions about your app workflow:
- User goes to App A and logs in with FusionAuth (no I-FRAME)
- User goes to App A and opens an IFRAME to App B and logs in with FusionAuth
- It might be helpful to have the fully qualified domain names of your app to verify assumptions.
- The question is, are you expecting step 2 to just work through SSO?
Enacting the above 'assumed' workflow
The above "should" (famous last developer words) work if your domains were structured as below:
- FusionAuth login.mydomain.com
- App A -> a.mydomain.com
- App B -> b.mydomain.com
Alternatives
If the above structure is not possible, an alternative is running a proxy with CNAMES and writing a custom cookie. If you would like to pursue this track, my recommendation would be to review how cookies are generated and assigned to ensure you have a thorough understanding of the problem space (admittedly, this is still an area where I am constantly learning as well).
One recommendation - CDN
If proxies and custom cookies sound enticing, you could front FusionAuth Cloud with a CDN like Cloudflare. Then you could use Cloudflare workers to alter headers or set cookies.
Note, you would have to set up a CNAME (auth.example.com) with Cloudflare, but it would give you the greatest degree of flexibility.
Let me know if I have captured your use case and APP flow.
-
Hi @joshua,
Many thanks for the information. Indeed that is exactly the use case.
Since our current Cloud plan is not High-Availability, the current structure is:
FusionAuth deployment.fusionauth.io
App A -> a.mydomain.com
App B -> b.mydomain.com
Do you think it's necessary to upgrade the current Cloud plan to fit the structure you mentioned?
The Cloudflare option might be good, but I'm not sure which kind of cookie would I need to set for making it work. Any guidance about this?
Thank you!
-
Perfect! I would think that setting up HA might be a solution for you, but if your application does not require high availability, then it may be a misuse of financials (but don't let me talk you out of it - it is a powerful offering!). I am assuming that the custom URL/domain (ie - from deployment.fusionauth.io -> login.mydomain.com) is the functionality you seek from HA?
Regarding Cloudflare, I have used it for personal hosting projects but have not yet written my own cookies using it. My assumption would be that you would want to design your own cookie based on the cloudflare domain and use that to coordinate SSO in your applications across domains.
Let me know your thoughts and I can see if I have any other suggestions for you.
Thanks,
Josh -
Indeed, custom URL/domain is the only feature we really need from HA.
In this case, would it be possible to do a "partial upgrade", meaning paying more just for this feature? Otherwise I think we should give self hosting a try.
Just to be sure, the Cloudflare option would involve implementing that "coordination" on both apps as well?
Thank you again for the great support!
Jose
-
I am checking on this for you; will let you know if I hear anything on a partial upgrade, but it is not one of our current offerings from our Sales/Marketing team.
I suspect that if you were to spin up a few (small) example applications and try writing your own cookies through a proxy, that may give a better understanding of the problem space and available approaches.
I will let you know if I hear more.
Thanks,
Josh -
Hi @joshua,
Just to let you know, in the end I installed FA in a new VPS, and pointed a new subdomain to it so everything is now on the same domain, and it's working fine inside the iframe!
Thank you so much for your support! Helped a lot!
Jose
-
@joseantonio Glad to hear it!
-
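A simplified model of the SameSite rules discussed in this thread, added here as an illustration (not code from the posters or from FusionAuth): it shows when the Lax `fusionauth.sso` cookie reaches the login host for the domain layouts mentioned above. Assumptions: a "site" is the last two DNS labels, App B keeps a hypothetical `appb.session` cookie, and the same-domain login host is `login.mydomain.com`.

```javascript
// Simplified model of SameSite cookie handling (added example, not FusionAuth code).
// Assumption: "site" = last two DNS labels; browsers actually use the Public Suffix List.
const site = (host) => host.split(".").slice(-2).join(".");

// cookie:  { sameSite: "Strict" | "Lax" | "None", secure: boolean }
// request: { targetHost, topLevelHost, isTopLevelNavigation, method }
//   topLevelHost = host of the page in the address bar when the request is made
function cookieIsSent(cookie, request) {
  if (site(request.targetHost) === site(request.topLevelHost)) return true; // same-site
  switch (cookie.sameSite) {
    case "None":
      // Requires Secure; third-party cookie blocking is not modelled here.
      return cookie.secure === true;
    case "Lax": {
      const safeMethod = ["GET", "HEAD", "OPTIONS", "TRACE"].includes(request.method);
      return request.isTopLevelNavigation && safeMethod;
    }
    default: // "Strict"
      return false;
  }
}

const ssoCookie = { name: "fusionauth.sso", sameSite: "Lax", secure: true };
const appBSession = { name: "appb.session", sameSite: "Lax", secure: true }; // hypothetical

function scenarios() {
  const inIframe = (targetHost) =>
    ({ targetHost, topLevelHost: "a.mydomain.com", isTopLevelNavigation: false, method: "GET" });
  return {
    // App B, framed by App A, redirects the frame to the cloud login host.
    iframeToCloudLogin: cookieIsSent(ssoCookie, inIframe("deployment.fusionauth.io")),
    // App B opened in its own tab redirects the whole tab to the login host.
    newTabToCloudLogin: cookieIsSent(ssoCookie, {
      targetHost: "deployment.fusionauth.io", topLevelHost: "b.mydomain.com",
      isTopLevelNavigation: true, method: "GET" }),
    // After the new-tab login, App B's own session cookie is same-site with App A.
    iframeToAppBAfterLogin: cookieIsSent(appBSession, inIframe("b.mydomain.com")),
    // Login host moved under the shared domain, as in the final post.
    iframeToSameDomainLogin: cookieIsSent(ssoCookie, inIframe("login.mydomain.com")),
  };
}

console.log(scenarios());
```

Under this model only the framed request to `deployment.fusionauth.io` loses the SSO cookie, which matches the behaviour reported in the thread.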