FusionAuth
    SSO not working inside iframe

joshua

      Hi @joseantonio,

      Just double-checking you have reviewed setting cookies as referenced in the documentation for FusionAuth.

      https://fusionauth.io/docs/v1/tech/reference/configuration/#options

      With env vars:
[screenshot: same-site-cookies.png]

      Or with config file (fusionauth.properties):
[screenshot: same-site2.png]

      Also, perhaps obviously, I wonder if there are any rules in place for your App B and App A that you might not have accounted for? Some WordPress security setting and plugin perhaps? (I am not very familiar with WordPress).

      Thanks,
      Josh

joseantonio

        Hi @joshua,

        Thank you for the new info!

        I thought those settings were not possible in the cloud version. Am I wrong?

        Being able to apply that configuration in the cloud version might be the solution, hope it can be done!

For the apps part, I have tested in a simple local Apache server as well, just a static HTML page with the iframe, and I got the same result.

        Thank you so much!

joshua

            @joseantonio,

            Let me check to see what settings are adjustable within the cloud service regarding cookies.

I also want to ask if you are using incognito mode or if you are mixing schemes (i.e. going from HTTPS -> HTTP or vice versa). Both of those scenarios could be a source of your current issues as well.

            Thanks,
            Josh

joseantonio

              Thank you @joshua,

Alright then, I've tried using incognito mode as well. Also checked everything is HTTPS -> HTTPS.

              I'll wait for the cookie settings news.

joshua

                @joseantonio

                This is a bit longer of a post, but I wanted to give you some jumping-off points to explore different solutions.

                Assumptions

                I want to confirm a few base assumptions about your app workflow:

1. User goes to App A and logs in with FusionAuth (no iframe)
2. User goes to App A and opens an iframe to App B and logs in with FusionAuth
                • It might be helpful to have the fully qualified domain names of your app to verify assumptions.
                • The question is, are you expecting step 2 to just work through SSO?

                Enacting the above 'assumed' workflow

                The above "should" (famous last developer words) work if your domains were structured as below:

                1. FusionAuth login.mydomain.com
                2. App A -> a.mydomain.com
                3. App B -> b.mydomain.com

                Alternatives

If the above structure is not possible, an alternative is running a proxy with CNAMEs and writing a custom cookie. If you would like to pursue this track, my recommendation would be to review how cookies are generated and assigned to ensure you have a thorough understanding of the problem space (admittedly, this is still an area where I am constantly learning as well).

                One recommendation - CDN

If proxies and custom cookies sound enticing, you could front FusionAuth Cloud with a CDN like Cloudflare. Then you could use Cloudflare Workers to alter headers or set cookies.

                Note, you would have to set up a CNAME (auth.example.com) with Cloudflare, but it would give you the greatest degree of flexibility.

Let me know if I have captured your use case and app flow.

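Added example, not code from the FusionAuth project or from either poster: a small Node.js model of the browser rule that both the SameSite cookie setting from the first reply and the three domain layouts above depend on. A cookie's "site" is scheme plus registrable domain (eTLD+1), so `login.mydomain.com` and `a.mydomain.com` are one site while `deployment.fusionauth.io` is a third party; a `SameSite=Lax` cookie is then never attached to a request issued inside an iframe on another site, and `SameSite=None; Secure` only helps until a browser that blocks third-party cookies (incognito mode, Safari) is involved. The hostnames, the `/oauth2/authorize` paths and the three-entry public-suffix stub are assumptions for illustration.

```javascript
// Added example (not FusionAuth code): model the browser's SameSite rule that
// decides whether an identity provider's session cookie is attached to a
// request made from inside an <iframe>. Runs under Node.js with no network.

// Assumption: a three-entry stand-in for the Public Suffix List a real
// browser consults to find the registrable domain (eTLD+1).
const PUBLIC_SUFFIXES = new Set(['com', 'io', 'co.uk']);

function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) {
      return labels.slice(i - 1).join('.');
    }
  }
  return hostname.toLowerCase();
}

// "Same site" as SameSite cookies use it: same scheme and same eTLD+1.
// a.mydomain.com and login.mydomain.com are one site; a.mydomain.com and
// deployment.fusionauth.io are not, and https vs http is a different site too.
function isSameSite(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol &&
    registrableDomain(a.hostname) === registrableDomain(b.hostname);
}

// Would `cookie` ({ sameSite, secure }) be sent on a request to `requestUrl`
// from a page whose top-level document is `topLevelUrl`?
//   opts.topLevelNavigation: true for a full-page redirect to the IdP,
//                            false for a request issued inside an iframe.
//   opts.blockThirdParty:    models browsers that drop third-party cookies
//                            (Safari, Chrome incognito by default).
function cookieSent(cookie, topLevelUrl, requestUrl, opts = {}) {
  const { topLevelNavigation = false, blockThirdParty = false } = opts;
  if (cookie.secure && new URL(requestUrl).protocol !== 'https:') return false;
  if (isSameSite(topLevelUrl, requestUrl)) return true;
  // Cross-site from here on. An unspecified SameSite is treated as Lax,
  // which is what Chromium-based browsers do by default.
  switch (cookie.sameSite || 'Lax') {
    case 'None':
      // SameSite=None is only honoured together with Secure, and a
      // third-party-cookie blocker still drops it in an embedded context.
      return cookie.secure && !blockThirdParty;
    case 'Lax':
      return topLevelNavigation;
    default: // 'Strict'
      return false;
  }
}

// The thread's scenario: the user is on App A, and App A embeds the IdP
// login in an iframe, so the IdP request is never a top-level navigation.
function iframeLoginWorks(idpUrl, appUrl, cookie, opts = {}) {
  return cookieSent(cookie, appUrl, idpUrl, { ...opts, topLevelNavigation: false });
}

const LAX = { sameSite: 'Lax', secure: true };
const NONE = { sameSite: 'None', secure: true };
const APP_A = 'https://a.mydomain.com/';
// Assumed paths; the IdP hostnames are the two layouts discussed in the thread.
const HOSTED_IDP = 'https://deployment.fusionauth.io/oauth2/authorize';
const OWN_DOMAIN_IDP = 'https://login.mydomain.com/oauth2/authorize';

// Outcomes for the layouts discussed above, as one object.
function threadScenarios() {
  return {
    hostedIdpLaxIframe: iframeLoginWorks(HOSTED_IDP, APP_A, LAX),                     // false
    ownDomainIdpLaxIframe: iframeLoginWorks(OWN_DOMAIN_IDP, APP_A, LAX),              // true
    hostedIdpNoneSecureIframe: iframeLoginWorks(HOSTED_IDP, APP_A, NONE),             // true
    hostedIdpNoneSecureBlocked: iframeLoginWorks(HOSTED_IDP, APP_A, NONE,
                                                 { blockThirdParty: true }),          // false
    httpsAppEmbeddingHttpIdp: isSameSite(APP_A, 'http://login.mydomain.com/'),        // false
  };
}

console.log(threadScenarios());
```

The first two entries are the whole thread in miniature: with the hosted `deployment.fusionauth.io` address the cookie is cross-site and a Lax cookie is dropped inside the iframe, while moving the IdP under `mydomain.com` (what the poster ended up doing) makes it same-site and the cookie flows. The last entry is the mixed-scheme check from the earlier reply: https and http are different sites even on the same hostname.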
joseantonio

                  Hi @joshua,

                  Many thanks for the information. Indeed that is exactly the use case.

                  Since our current Cloud plan is not High-Availability, the current structure is:

                  FusionAuth deployment.fusionauth.io
                  App A -> a.mydomain.com
                  App B -> b.mydomain.com

                  Do you think it's necessary to upgrade the current Cloud plan to fit the structure you mentioned?

                  The Cloudflare option might be good, but I'm not sure which kind of cookie would I need to set for making it work. Any guidance about this?

                  Thank you!

joshua

                    @joseantonio

Perfect! I would think that setting up HA might be a solution for you, but if your application does not require high availability, then it may be a misuse of financials (but don't let me talk you out of it 💸 - it is a powerful offering!). I am assuming that the custom URL/domain (i.e. from deployment.fusionauth.io -> login.mydomain.com) is the functionality you seek from HA?

                    Regarding Cloudflare, I have used it for personal hosting projects but have not yet written my own cookies using it. My assumption would be that you would want to design your own cookie based on the cloudflare domain and use that to coordinate SSO in your applications across domains.

                    Let me know your thoughts and I can see if I have any other suggestions for you.

                    Thanks,
                    Josh

joseantonio

                      @joshua

                      Indeed, custom URL/domain is the only feature we really need from HA.

                      In this case, would it be possible to do a "partial upgrade", meaning paying more just for this feature? Otherwise I think we should give self hosting a try.

Just to be sure, the Cloudflare option would involve implementing that "coordination" on both apps as well?

                      Thank you again for the great support!

                      Jose

joshua

                        @joseantonio,

                        I am checking on this for you; will let you know if I hear anything on a partial upgrade, but it is not one of our current offerings from our Sales/Marketing team.

                        I suspect that if you were to spin up a few (small) example applications and try writing your own cookies through a proxy, that may give a better understanding of the problem space and available approaches.

I will let you know if I hear more 👍

                        Thanks,
                        Josh

joseantonio

                            Hi @joshua,

                            Just to let you know, in the end I installed FA in a new VPS, and pointed a new subdomain to it so everything is now on the same domain, and it's working fine inside the iframe!

                            Thank you so much for your support! Helped a lot!

                            Jose

joshua

                              @joseantonio Glad to hear it!
