Hi all,
I'm currently setting up FusionAuth for use in our application (React frond-end + NestJS backend). We host FusionAuth ourselves (version 1.49.2), let's say https://fusion.domain.com and my application is running on https://application.domain.com. We've set up a tenant with OIDC.
The top domain is the same, so everything works fine when I go to https://application.domain.com directly.
However, for some use cases, our application will be loaded by external apps in an iframe. These external apps will be hosted on different domains, say https://app.other.com. So far I've not been able to get it to run. I've had a look at this other post without success.
The first issue I have is with the X-Frame-Options header. As per the documentation I've added the domain https://app.other.com in the Authorized request origin URLs
so that the X-Frame-Options: DENY
is removed. I've also added the https://app.other.com to the allowed CORS origins. This works partially. Sometimes the X-Frame-Options: DENY
is indeed removed, sometimes it's there.
However, even when it is removed, the following problem is that the cookies set by the Hosted app are sent back with SameSite=Lax attribute. This means they are not sent on subsequent requests and the authentication fails.
To overcome this issue, I've set up the oauth endpoints myself as described in the express tutorial. Now I can set SameSite=None and cookies are correctly set. But even with that the authentication fails. From what I see, it's the redirection from the OIDC provider to FusionAuth which fails because a code is missing.
I've also tried the following:
- Switch from Cookies to Bearer auth. Using a popup opened by the iframe and try to send back the token to the opener with postMessage. This doesn't work because the opener object is cleared upon redirection to a different domain.
- Try to use a SharedWorker as a channel to send the token. Does not work either because of CSP. The app loaded in the iframe creates a different worker
I'm currently trying to set up a proxy for FusionAuth to be able to control the cookies and their attributes but that seems a bit overkill.
So my question is: what is the standard approach when dealing with such cases? How can I use FusionAuth for my app in an cross-domain iframe?
Thanks and sorry for the long post.