Azure AD Owin with Iframe solution

I have an app which is set up to use Owin and Azure AD. It works well, but I now have a requirement to run inside an iframe as part of a third party solution.

This is OK apart from the security. https://login.microsoftonline.com does not allow running inside an iframe. My controller will check if the user is authenticated and if not, call 'HttpContext.GetOwinContext().Authentication.Challenge(..............'

On research it looks unlikely that I can do anything inside the frame. Is my only option to create a sign-in page, which redirects to the client app which includes the iframe? If this expires, the iframe then currently displays an error stating the content cannot be displayed in a frame; this is not very elegant.

Steve Newton Avatar asked Oct 01 '16 08:10



1 Answer

AAD does not permit framing of pages where credentials are entered. This requirement stems from a need to prevent clickjacking-style attacks. See: https://www.owasp.org/index.php/Clickjacking. Instead, you can do a full-frame authentication initially and then do iframe authentication with prompt=none to refresh the ticket. prompt=none tells AAD that it is not permitted to stop and ask for credentials, so this flow will always work in an iframe.

Will B Avatar answered Oct 12 '22 20:10

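The flow the answer describes, wired into the Katana OpenID Connect middleware, as an added example that is not code from the question or the answer: the first sign-in is a normal full-frame challenge, a challenge issued from inside the iframe is tagged so the redirect carries prompt=none, and the login_required/interaction_required error that prompt=none returns when the session cannot be renewed silently is routed to a page that leaves the frame. The property key "prompt_none", the FrameRefresh action, the /Account/SignInTop page and the client id, tenant and redirect URI values are assumptions.

```csharp
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "<client-id>",                                   // placeholders
            Authority = "https://login.microsoftonline.com/<tenant-id>",
            RedirectUri = "https://app.example/signin-oidc",
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = ctx =>
                {
                    // prompt=none only for the in-frame renewal; the first sign-in stays full-frame.
                    var challenge = ctx.OwinContext.Authentication.AuthenticationResponseChallenge;
                    if (challenge != null && challenge.Properties.Dictionary.ContainsKey("prompt_none"))
                        ctx.ProtocolMessage.Prompt = "none";
                    return Task.FromResult(0);
                },
                AuthenticationFailed = ctx =>
                {
                    // prompt=none yields login_required/interaction_required instead of a login
                    // page; hand off to a page that leaves the frame (window.top) to sign in.
                    var error = ctx.ProtocolMessage?.Error;
                    if (error == "login_required" || error == "interaction_required")
                    {
                        ctx.HandleResponse(); ctx.Response.Redirect("/Account/SignInTop"); // hypothetical page
                    }
                    return Task.FromResult(0);
                }
            }
        });
    }
}
public class AccountController : Controller
{
    public void FrameRefresh() // requested from inside the iframe once the session has expired
    {
        var props = new AuthenticationProperties { RedirectUri = "/" };
        props.Dictionary["prompt_none"] = "1"; // hypothetical marker read in RedirectToIdentityProvider
        HttpContext.GetOwinContext().Authentication.Challenge(props, OpenIdConnectAuthenticationDefaults.AuthenticationType);
    }
}
```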