Are there any supported and secure methods to authenticate within an iframe?
The documentation and help threads here indicate that there is currently no supported, secure method to authenticate with Okta using an iframe. Here is what I've found:
Okta sets the header X-Frame-Options: SAMEORIGIN, which prevents the page that sets the Okta session cookie from being embedded in an iframe.
You can enable the "IFrame embedded" option in Okta's admin -> Settings -> Customization, which disables the X-Frame-Options header, but this is deprecated and removes protection against clickjacking.
Using the Okta Auth SDK (currently broken? 404 for the SDK JS URL) or the Login Widget and setting up CORS does not help, because the session cookie URL does not honor the CORS setting; it doesn't set the Access-Control-Allow-Origin header.
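The two header checks the question turns on (X-Frame-Options / CSP frame-ancestors deciding whether a login page can be framed, and Access-Control-Allow-Origin deciding whether a cookie-bearing cross-origin request is readable) can be reproduced over captured response headers. This is an added example, not Okta's code or anything from the thread; the hostnames and header sets below are constructed, and the CSP matcher covers only the common source forms ('none', 'self', '*', scheme:, host, and *.host wildcards).

```python
"""Evaluate frameability and credentialed-CORS readability from response headers."""
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _source_matches(source: str, embedder: str, page: str) -> bool:
    # Subset of CSP source-expression matching sufficient for typical frame-ancestors values.
    src = source.lower().strip("'")
    scheme, _, host = embedder.partition("://")
    if src == "none":
        return False
    if src == "*":
        return True
    if src == "self":
        return embedder == page
    if src.endswith(":"):                      # scheme-source, e.g. https:
        return scheme + ":" == src
    if "://" not in src:                       # host-source without a scheme
        src = scheme + "://" + src
    src_scheme, _, src_host = src.partition("://")
    if src_host.startswith("*."):             # wildcard host, e.g. *.example.com
        return src_scheme == scheme and host.endswith(src_host[1:])
    return src == embedder


def may_be_framed(headers: dict, page_url: str, embedder_url: str) -> bool:
    """True if a browser would render page_url inside a frame hosted on embedder_url.
    CSP frame-ancestors takes precedence over X-Frame-Options when both are present."""
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = origin_of(page_url), origin_of(embedder_url)
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return any(_source_matches(s, embedder, page) for s in value.split())
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == page
    return True  # header absent; ALLOW-FROM and unknown values are ignored by current browsers


def credentialed_cors_allowed(headers: dict, embedder_url: str) -> bool:
    """True if a cookie-bearing fetch/XHR from embedder_url may read the response:
    ACAO must echo the exact origin (never '*') and ACAC must be 'true'."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    return (h.get("access-control-allow-origin") == origin_of(embedder_url)
            and h.get("access-control-allow-credentials", "").lower() == "true")


# Constructed sample: a SAMEORIGIN-protected session endpoint seen from a third-party page.
SESSION_HEADERS = {"X-Frame-Options": "SAMEORIGIN", "Content-Type": "text/html"}
```

Running `may_be_framed(SESSION_HEADERS, "https://idp.example.com/login", "https://app.example.org")` returns False, which is the behaviour the question describes; the same call with an embedder on `https://idp.example.com` returns True.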
Thank you for posting your question; unfortunately, there are several aspects you have raised in this post that would be better supported via a support ticket. Would you be able to raise your issue via the Open a Case button on the Okta Help centre (https://support.okta.com/help)?