FusionAuth
    • Home
    • Categories
    • Recent
    • Popular
    • Pricing
    • Contact us
    • Docs
    • Login

    SSO not working inside iframe

    Scheduled Pinned Locked Moved
    Q&A
    0
    16
    26.8k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • joshuaJ
      joshua
      last edited by

      This post is deleted!
      1 Reply Last reply Reply Quote 0
      • joshuaJ
        joshua
        last edited by

        @joseantonio,

        Let me check to see what settings are adjustable within the cloud service regarding cookies.

        I also want to ask if you are using incognito mode or if you are mixing schema (IE - going from HTTPS -> HTTP or vise-versa. Both of those scenarios could be a source of your current issues as well.

        Thanks,
        Josh

        1 Reply Last reply Reply Quote 0
        • J
          joseantonio
          last edited by

          Thank you @joshua,

          Alright then, I've tried using incognito mode aswell. Also checked everything is HTTPS -> HTTPS.

          I'll wait for the cookie settings news.

          1 Reply Last reply Reply Quote 0
          • joshuaJ
            joshua
            last edited by joshua

            @joseantonio

            This is a bit longer of a post, but I wanted to give you some jumping-off points to explore different solutions.

            Assumptions

            I want to confirm a few base assumptions about your app workflow:

            1. User goes to App A and logs in with FusionAuth (no I-FRAME)
            2. User goes to App A and opens an IFRAME to App B and logs in with FusionAuth
            • It might be helpful to have the fully qualified domain names of your app to verify assumptions.
            • The question is, are you expecting step 2 to just work through SSO?

            Enacting the above 'assumed' workflow

            The above "should" (famous last developer words) work if your domains were structured as below:

            1. FusionAuth login.mydomain.com
            2. App A -> a.mydomain.com
            3. App B -> b.mydomain.com

            Alternatives

            If the above structure is not possible, an alternative is running a proxy with CNAMES and writing a custom cookie. If you would like to pursue this track, my recommendation would be to review how cookies are generated and assigned to ensure you have a thorough understanding of the problem space (admittedly, this is still an area where I am constantly learning as well).

            One recommendation - CDN

            If proxies and custom cookies sounds enticing, you could front FusionAuth Cloud with a CDN like Cloudflare. Then you could use Cloudflare workers to alter headers or set cookies

            Note, you would have to set up a CNAME (auth.example.com) with Cloudflare, but it would give you the greatest degree of flexibility.

            Let me know I have captured your use case and APP flow.

            1 Reply Last reply Reply Quote 0
            • J
              joseantonio
              last edited by joseantonio

              Hi @joshua,

              Many thanks for the information. Indeed that is exactly the use case.

              Since our current Cloud plan is not High-Availability, the current structure is:

              FusionAuth deployment.fusionauth.io
              App A -> a.mydomain.com
              App B -> b.mydomain.com

              Do you think it's necessary to upgrade the current Cloud plan to fit the structure you mentioned?

              The Cloudflare option might be good, but I'm not sure which kind of cookie would I need to set for making it work. Any guidance about this?

              Thank you!

              1 Reply Last reply Reply Quote 0
              • joshuaJ
                joshua
                last edited by joshua

                @joseantonio

                Perfect! I would think that setting up HA might be a solution for you, but if your application does not require high availability, then it may be a misuse of financials (but don't let me talk you out of it 💸 - it is a powerful offering!). I am assuming that the custom URL/domain (ie - from deployment.fusionauth.io -> login.mydomain.com) is the functionality you seek from HA?

                Regarding Cloudflare, I have used it for personal hosting projects but have not yet written my own cookies using it. My assumption would be that you would want to design your own cookie based on the cloudflare domain and use that to coordinate SSO in your applications across domains.

                Let me know your thoughts and I can see if I have any other suggestions for you.

                Thanks,
                Josh

                1 Reply Last reply Reply Quote 0
                • J
                  joseantonio
                  last edited by

                  @joshua

                  Indeed, custom URL/domain is the only feature we really need from HA.

                  In this case, would it be possible to do a "partial upgrade", meaning paying more just for this feature? Otherwise I think we should give self hosting a try.

                  Just to be sure, the CloudFlare option would involve implementing that "coordination" on both apps aswell?

                  Thank you again for the great support!

                  Jose

                  1 Reply Last reply Reply Quote 0
                  • joshuaJ
                    joshua
                    last edited by

                    @joseantonio,

                    I am checking on this for you; will let you know if I hear anything on a partial upgrade, but it is not one of our current offerings from our Sales/Marketing team.

                    I suspect that if you were to spin up a few (small) example applications and try writing your own cookies through a proxy, that may give a better understanding of the problem space and available approaches.

                    I will let you if I hear more 👍

                    Thanks,
                    Josh

                    J 1 Reply Last reply Reply Quote 0
                    • T
                      tim 1
                      last edited by

                      This post is deleted!
                      1 Reply Last reply Reply Quote 0
                      • J
                        joseantonio @joshua
                        last edited by

                        Hi @joshua,

                        Just to let you know, in the end I installed FA in a new VPS, and pointed a new subdomain to it so everything is now on the same domain, and it's working fine inside the iframe!

                        Thank you so much for your support! Helped a lot!

                        Jose

                        1 Reply Last reply Reply Quote 0
                        • joshuaJ
                          joshua
                          last edited by

                          @joseantonio Glad to hear it!

                          1 Reply Last reply Reply Quote 0
                          • M maxime.guitet referenced this topic on
                          • First post
                            Last post