I have a app which is setup to use Owin and Azure AD. It works well, but I have now a requirement to run inside an iframe as part of a third party solution.
This is OK apart from the security. https://login.microsoftonline.com does not allow running inside an iframe. My controller will check if the user is authenticated and if not, call 'HttpContext.GetOwinContext().Authentication.Challenge(..............'
On research it looks unlikely that I can do anything inside the frame. Is my only option to create a sign-in page, which redirects to the client app which includes the iframe? If this expires, the iframe then currently displays an error stating the content cannot be displayed in a frame, this is not very elegant.
AAD does not permit framing of pages where credentials are entered. This requirements stems from a need to prevent click jacking style attacks. See: https://www.owasp.org/index.php/Clickjacking. Instead, you can do a full frame authentication initially and then do I frame authentication with prompt=none to refresh the ticket. Prompt=none tells AAD that it is not permitted to stop and ask for credentials, so this flow will always work in an iframe.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With