FusionAuth

    SSO not working inside iframe

    Q&A
    • joseantonio

      We currently have two apps in different domains, A and B.

      A is a Wordpress website, and in one of its pages, there is an iframe with src to app B.

      When a user is authenticated in A, and goes to the iframe page, it is required to authenticate again for B inside the iframe.

      However, if I open another browser tab and go to app B, SSO works and it automatically authenticates. The strange thing is, if I now come back to the iframe page in A and reload, it is automatically authenticated inside the iframe as well.

      Any ideas what this could be?

      Cookie problem maybe?

      Thank you!

      • joshua

        Hi @joseantonio,

        Can I ask what browser you are using? Is this same issue happening for you regardless of the browser used?

        You might be having difficulty with same-site cookies issued across browsers especially as it relates to iFrames. Modern browsers also apply strict conditions to the cookies in an iframe.

        Finally, below is also some information regarding CORS and I-Frame/Headers that might be useful/good background.

        • Cors
        • Xframe

        Thanks!
        Josh

        • joseantonio

          Hello @joshua, thank you for the information!

          It actually happens in every browser I've tested in (Chrome, Edge, Firefox and IE).

          I checked the samesite attribute and every other configuration for cookies, as well as for iframes.

          What I have tried so far:

          • Setting the samesite attribute to None and secure to true (applied to all FusionAuth cookies created from my site).
          • Adding a sandbox attribute to the iframe element, like sandbox="allow-same-origin allow-scripts"

          Also, I have noticed that the FA login page sets its own cookie "fusionauth.sso" with samesite Lax. Our login is hosted in FA.

          SSO still works in a new tab.

          Hope this information helps.

          Thank you!

          Jose.

          • joshua

            Hi @joseantonio,

            Just double-checking you have reviewed setting cookies as referenced in the documentation for FusionAuth.

            https://fusionauth.io/docs/v1/tech/reference/configuration/#options

            With env vars:
            [screenshot: same-site-cookies.png]

            Or with config file (fusionauth.properties):
            [screenshot: same-site2.png]

            Also, perhaps obviously, I wonder if there are any rules in place for your App B and App A that you might not have accounted for? Some WordPress security setting and plugin perhaps? (I am not very familiar with WordPress).

            Thanks,
            Josh

            • joseantonio

              Hi @joshua,

              Thank you for the new info!

              I thought those settings were not possible in the cloud version. Am I wrong?

              Being able to apply that configuration in the cloud version might be the solution, hope it can be done!

              For the apps part, I have tested in a simple local Apache server as well, just a static HTML page with the iframe, and I got the same result.

              Thank you so much!

                • joshua

                  @joseantonio,

                  Let me check to see what settings are adjustable within the cloud service regarding cookies.

                  I also want to ask if you are using incognito mode or if you are mixing schemes (i.e. going from HTTPS -> HTTP or vice versa). Both of those scenarios could be a source of your current issues as well.

                  Thanks,
                  Josh

                  • joseantonio

                    Thank you @joshua,

                    Alright then, I've tried using incognito mode as well. Also checked that everything is HTTPS -> HTTPS.

                    I'll wait for the cookie settings news.

                    • joshua

                      @joseantonio

                      This is a bit longer of a post, but I wanted to give you some jumping-off points to explore different solutions.

                      Assumptions

                      I want to confirm a few base assumptions about your app workflow:

                      1. User goes to App A and logs in with FusionAuth (no I-FRAME)
                      2. User goes to App A and opens an IFRAME to App B and logs in with FusionAuth
                      • It might be helpful to have the fully qualified domain names of your app to verify assumptions.
                      • The question is, are you expecting step 2 to just work through SSO?

                      Enacting the above 'assumed' workflow

                      The above "should" (famous last developer words) work if your domains were structured as below:

                      1. FusionAuth login.mydomain.com
                      2. App A -> a.mydomain.com
                      3. App B -> b.mydomain.com

                      Alternatives

                      If the above structure is not possible, an alternative is running a proxy with CNAMES and writing a custom cookie. If you would like to pursue this track, my recommendation would be to review how cookies are generated and assigned to ensure you have a thorough understanding of the problem space (admittedly, this is still an area where I am constantly learning as well).

                      One recommendation - CDN

                      If proxies and custom cookies sound enticing, you could front FusionAuth Cloud with a CDN like Cloudflare. Then you could use Cloudflare Workers to alter headers or set cookies.

                      Note, you would have to set up a CNAME (auth.example.com) with Cloudflare, but it would give you the greatest degree of flexibility.

                      Let me know if I have captured your use case and app flow.

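The reply above, and Jose's earlier note that the FusionAuth-hosted login page sets its own fusionauth.sso cookie with SameSite=Lax, both come down to one browser rule: a cookie's SameSite attribute is evaluated against the site in the address bar, not against the page inside the iframe. The following Python model is an added illustration, not code from the thread or from FusionAuth. It assumes the host names used in the thread (a.mydomain.com, b.mydomain.com, login.mydomain.com, deployment.fusionauth.io), uses a simplified "last two labels" notion of registrable domain instead of the Public Suffix List, and models only the SameSite and Secure attributes. Given those assumptions it reproduces every situation the thread describes: SSO works in a new tab, fails in a cross-site iframe with a Lax cookie, works in that iframe once the cookie is SameSite=None; Secure, and works again once FusionAuth lives under the same registrable domain as the apps.

```python
"""Model of when a browser attaches a cookie to a request, keyed on the
cookie's SameSite/Secure attributes and on whether the request is same-site
with the top-level page. Constructed illustration; not FusionAuth code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: str   # "Strict", "Lax" or "None"
    secure: bool


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: the last two DNS labels. Real browsers consult the
    Public Suffix List, so this is wrong for suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_same_site(host_a: str, host_b: str) -> bool:
    """Two hosts are same-site when they share a registrable domain."""
    return registrable_domain(host_a) == registrable_domain(host_b)


def cookie_sent(cookie: Cookie, request_host: str, top_level_host: str,
                top_level_navigation: bool, method: str = "GET",
                https: bool = True) -> tuple[bool, str]:
    """Decide whether `cookie` (set by request_host) is attached to a request
    to request_host while top_level_host is the page in the address bar.
    For a top-level navigation, top_level_host is the initiating page."""
    if cookie.same_site == "None" and not cookie.secure:
        return False, "SameSite=None without Secure is rejected by modern browsers"
    if cookie.secure and not https:
        return False, "Secure cookie is never sent over plain http"
    if is_same_site(request_host, top_level_host):
        return True, "same-site context"
    if cookie.same_site == "None":
        return True, "SameSite=None; Secure is sent cross-site"
    if cookie.same_site == "Lax" and top_level_navigation and method in ("GET", "HEAD"):
        return True, "Lax is sent on safe-method top-level navigations"
    context = "top-level navigation" if top_level_navigation else "embedded (iframe) request"
    return False, f"SameSite={cookie.same_site} blocks cross-site {context}"


def thread_scenarios() -> dict[str, bool]:
    """The situations described in the thread, as constructed inputs."""
    lax = Cookie("fusionauth.sso", "Lax", True)
    none_secure = Cookie("fusionauth.sso", "None", True)
    return {
        # App B opened in its own tab redirects (top-level GET) to the hosted login page.
        "new_tab_sso": cookie_sent(lax, "deployment.fusionauth.io", "b.mydomain.com", True)[0],
        # App B inside an iframe on App A; the iframe itself navigates to the login page.
        "iframe_cross_site_lax": cookie_sent(lax, "deployment.fusionauth.io", "a.mydomain.com", False)[0],
        # Same embedding, but the SSO cookie marked SameSite=None; Secure.
        "iframe_cross_site_none": cookie_sent(none_secure, "deployment.fusionauth.io", "a.mydomain.com", False)[0],
        # FusionAuth moved under the same registrable domain as the apps.
        "iframe_same_site_lax": cookie_sent(lax, "login.mydomain.com", "a.mydomain.com", False)[0],
        # SameSite=None without Secure: the misconfiguration browsers reject outright.
        "none_without_secure": cookie_sent(Cookie("x", "None", False), "login.mydomain.com", "a.mydomain.com", False)[0],
    }


if __name__ == "__main__":
    for name, sent in thread_scenarios().items():
        print(f"{name}: {'sent' if sent else 'blocked'}")
```

The model also shows why the poster's attempt to set SameSite=None on their own cookies did not help: the cookie that matters for SSO is the one the hosted login page sets, and as long as it is Lax and cross-site with the embedding page, no iframe configuration on the app side changes the outcome. Moving the identity provider under the apps' registrable domain is the fix the thread ends with; loosening the cookie to SameSite=None; Secure is the alternative, at the cost of sending it on every cross-site request.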
                      • joseantonio

                        Hi @joshua,

                        Many thanks for the information. Indeed that is exactly the use case.

                        Since our current Cloud plan is not High-Availability, the current structure is:

                        FusionAuth deployment.fusionauth.io
                        App A -> a.mydomain.com
                        App B -> b.mydomain.com

                        Do you think it's necessary to upgrade the current Cloud plan to fit the structure you mentioned?

                        The Cloudflare option might be good, but I'm not sure which kind of cookie I would need to set to make it work. Any guidance about this?

                        Thank you!

                        • joshua

                          @joseantonio

                          Perfect! I would think that setting up HA might be a solution for you, but if your application does not require high availability, then it may be a misuse of financials (but don't let me talk you out of it 💸 - it is a powerful offering!). I am assuming that the custom URL/domain (ie - from deployment.fusionauth.io -> login.mydomain.com) is the functionality you seek from HA?

                          Regarding Cloudflare, I have used it for personal hosting projects but have not yet written my own cookies using it. My assumption would be that you would want to design your own cookie based on the cloudflare domain and use that to coordinate SSO in your applications across domains.

                          Let me know your thoughts and I can see if I have any other suggestions for you.

                          Thanks,
                          Josh

                          • joseantonio

                            @joshua

                            Indeed, custom URL/domain is the only feature we really need from HA.

                            In this case, would it be possible to do a "partial upgrade", meaning paying more just for this feature? Otherwise I think we should give self hosting a try.

                            Just to be sure, would the Cloudflare option involve implementing that "coordination" on both apps as well?

                            Thank you again for the great support!

                            Jose

                            • joshua

                              @joseantonio,

                              I am checking on this for you; will let you know if I hear anything on a partial upgrade, but it is not one of our current offerings from our Sales/Marketing team.

                              I suspect that if you were to spin up a few (small) example applications and try writing your own cookies through a proxy, that may give a better understanding of the problem space and available approaches.

                              I will let you know if I hear more 👍

                              Thanks,
                              Josh

                                • joseantonio (replying to @joshua)

                                  Hi @joshua,

                                  Just to let you know, in the end I installed FA in a new VPS, and pointed a new subdomain to it so everything is now on the same domain, and it's working fine inside the iframe!

                                  Thank you so much for your support! Helped a lot!

                                  Jose

                                  • joshua

                                    @joseantonio Glad to hear it!
