SSO not working inside iframe
-
Let me check to see what settings are adjustable within the cloud service regarding cookies.
I also want to ask if you are using incognito mode or if you are mixing schema (i.e., going from HTTPS -> HTTP or vice versa). Both of those scenarios could be a source of your current issues as well.
Thanks,
Josh
-
Thank you @joshua,
Alright then, I've tried using incognito mode as well. Also checked everything is HTTPS -> HTTPS.
I'll wait for the cookie settings news.
-
This is a bit longer of a post, but I wanted to give you some jumping-off points to explore different solutions.
Assumptions
I want to confirm a few base assumptions about your app workflow:
1. User goes to App A and logs in with FusionAuth (no I-FRAME)
2. User goes to App A and opens an IFRAME to App B and logs in with FusionAuth
- It might be helpful to have the fully qualified domain names of your app to verify assumptions.
- The question is, are you expecting step 2 to just work through SSO?
Enacting the above 'assumed' workflow
The above "should" (famous last developer words) work if your domains were structured as below:
- FusionAuth login.mydomain.com
- App A -> a.mydomain.com
- App B -> b.mydomain.com
Alternatives
If the above structure is not possible, an alternative is running a proxy with CNAMES and writing a custom cookie. If you would like to pursue this track, my recommendation would be to review how cookies are generated and assigned to ensure you have a thorough understanding of the problem space (admittedly, this is still an area where I am constantly learning as well).
One recommendation - CDN
If proxies and custom cookies sound enticing, you could front FusionAuth Cloud with a CDN like Cloudflare. Then you could use Cloudflare workers to alter headers or set cookies.
Note, you would have to set up a CNAME (auth.example.com) with Cloudflare, but it would give you the greatest degree of flexibility.
Let me know if I have captured your use case and APP flow.
-
Hi @joshua,
Many thanks for the information. Indeed that is exactly the use case.
Since our current Cloud plan is not High-Availability, the current structure is:
FusionAuth deployment.fusionauth.io
App A -> a.mydomain.com
App B -> b.mydomain.com
Do you think it's necessary to upgrade the current Cloud plan to fit the structure you mentioned?
The Cloudflare option might be good, but I'm not sure which kind of cookie I would need to set to make it work. Any guidance about this?
Thank you!
-
Perfect! I would think that setting up HA might be a solution for you, but if your application does not require high availability, then it may be a misuse of financials (but don't let me talk you out of it - it is a powerful offering!). I am assuming that the custom URL/domain (ie - from deployment.fusionauth.io -> login.mydomain.com) is the functionality you seek from HA?
Regarding Cloudflare, I have used it for personal hosting projects but have not yet written my own cookies using it. My assumption would be that you would want to design your own cookie based on the Cloudflare domain and use that to coordinate SSO in your applications across domains.
Let me know your thoughts and I can see if I have any other suggestions for you.
Thanks,
Josh
-
Indeed, custom URL/domain is the only feature we really need from HA.
In this case, would it be possible to do a "partial upgrade", meaning paying more just for this feature? Otherwise I think we should give self hosting a try.
Just to be sure, the Cloudflare option would involve implementing that "coordination" on both apps as well?
Thank you again for the great support!
Jose
-
I am checking on this for you; will let you know if I hear anything on a partial upgrade, but it is not one of our current offerings from our Sales/Marketing team.
I suspect that if you were to spin up a few (small) example applications and try writing your own cookies through a proxy, that may give a better understanding of the problem space and available approaches.
I will let you know if I hear more.
Thanks,
Josh
-
Hi @joshua,
Just to let you know, in the end I installed FA in a new VPS, and pointed a new subdomain to it so everything is now on the same domain, and it's working fine inside the iframe!
Thank you so much for your support! Helped a lot!
Jose
-
@joseantonio Glad to hear it!
-
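Added example, not part of the thread: the two domain layouts discussed above, run through the same-site test browsers apply when deciding whether a framed login page's cookies are first-party. The suffix list is a small constructed sample and the function names are hypothetical; the third layout covers the HTTPS -> HTTP mismatch asked about early in the thread, which browsers enforcing schemeful same-site treat as cross-site.

```javascript
// Constructed stand-in for the Public Suffix List; a real check needs the full list.
const PUBLIC_SUFFIXES = new Set(["com", "io", "org", "co.uk"]);

// Registrable domain (eTLD+1): longest matching public suffix plus one more label.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      // A bare public suffix has no registrable domain.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // suffix missing from the sample list
}

// Classify a frame chain (top-level page first, login page last).
// Cookies set by the last URL are only treated as same-site when every URL
// in the chain shares scheme and registrable domain with the top-level page.
function classifyChain(urls) {
  const parsed = urls.map((u) => {
    const url = new URL(u);
    return { scheme: url.protocol, domain: registrableDomain(url.hostname) };
  });
  const top = parsed[0];
  if (parsed.some((p) => p.domain === null)) return "unknown";
  if (parsed.some((p) => p.domain !== top.domain)) return "cross-site";
  if (parsed.some((p) => p.scheme !== top.scheme)) return "cross-site (scheme mismatch)";
  return "same-site";
}

// Layouts from the thread: App A embeds App B, which loads the login page.
const APPS = ["https://a.mydomain.com/", "https://b.mydomain.com/"];
const LAYOUTS = {
  "cloud hostname": [...APPS, "https://deployment.fusionauth.io/"],
  "shared parent domain": [...APPS, "https://login.mydomain.com/"],
  "mixed scheme": [...APPS, "http://login.mydomain.com/"],
};

function report() {
  return Object.fromEntries(
    Object.entries(LAYOUTS).map(([name, chain]) => [name, classifyChain(chain)])
  );
}

console.log(report());
```

In a cross-site frame, a cookie is only attached if it is marked `SameSite=None; Secure` and the browser is not blocking third-party cookies.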