Are there any supported and secure methods to authenticate within an iframe?
https://support.okta.com/help/answers?id=9062a000000xzy2qag&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Brett Profitt
The documentation and help threads here indicate that there is currently no supported, secure method to authenticate with Okta using an iframe. Here is what I've found:
  • Okta sets the header X-Frame-Options: SAMEORIGIN, which prevents the page that sets the Okta session cookie from being embedded in an iframe.
  • You can enable the "IFrame embedded" option in Okta's admin -> Settings -> Customization, which disables the X-Frame-Options header, but this is deprecated and removes protection against clickjacking.
  • Using the Okta Auth SDK (currently broken? 404 for the SDK JS URL) or the Login Widget and setting up CORS does not help, because the session cookie URL does not honor the CORS setting -- it doesn't set the Access-Control-Allow-Origin header.
  • An old hack (https://support.okta.com/help/answers?id=906F0000000XZCXIA4) to set an image tag's src attribute to the session cookie URL fails on most modern browsers.
I have temporarily overcome this issue by using a popup window for authentication, but this is inelegant and intrusive to the user experience. 

How can I securely authenticate within an iframe?
Why isn't the CORS setting correctly applied to the session cookie URL?
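The two browser policies the question turns on (X-Frame-Options / CSP frame-ancestors for framing, and Access-Control-Allow-Origin plus Access-Control-Allow-Credentials for a cookie-bearing cross-origin request) can be checked against a response's headers without a browser. This is an added example, not code from the post or from Okta; the header sets, the `example.okta.com` host, the `/session-cookie-endpoint` path and the `app.example.com` embedder are constructed placeholders, and `NEEDED_FOR_EMBED` is a hypothetical response shape, not something the page says Okta offers.

```python
from urllib.parse import urlsplit

def _origin(url: str) -> tuple:
    """Reduce a URL or origin string to (scheme, host, port) for same-origin tests."""
    p = urlsplit(url)
    return (p.scheme.lower(), p.hostname, p.port)

def framing_allowed(headers: dict, page_url: str, embedder_origin: str) -> bool:
    """Would a browser let embedder_origin frame page_url? CSP frame-ancestors wins when
    present, else X-Frame-Options; neither header means framing is allowed (the
    clickjacking-exposed state the post describes). Wildcard sources are not matched."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            for src in parts[1:]:
                if src == "'self'" and _origin(page_url) == _origin(embedder_origin):
                    return True
                if src not in ("'none'", "'self'") and _origin(src) == _origin(embedder_origin):
                    return True
            return False
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _origin(page_url) == _origin(embedder_origin)
    return True

def credentialed_cors_allowed(headers: dict, requesting_origin: str) -> bool:
    """A cookie-bearing cross-origin fetch is readable only if ACAO echoes the exact origin (never '*') and credentials are allowed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin", "")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    return acao not in ("", "*") and _origin(acao) == _origin(requesting_origin) and creds

# Constructed sample responses (not captured from Okta); the first two mirror the post.
PAGE = "https://example.okta.com/session-cookie-endpoint"  # placeholder host and path
DEFAULT = {"X-Frame-Options": "SAMEORIGIN"}                 # no ACAO header at all
IFRAME_OPTION_ON = {}                                       # XFO removed: any site may frame
NEEDED_FOR_EMBED = {  # hypothetical: what an embeddable, CORS-friendly response would carry
    "Content-Security-Policy": "frame-ancestors 'self' https://app.example.com",
    "Access-Control-Allow-Origin": "https://app.example.com",
    "Access-Control-Allow-Credentials": "true",
}

if __name__ == "__main__":
    for name, hdrs in [("default", DEFAULT), ("iframe option on", IFRAME_OPTION_ON), ("needed", NEEDED_FOR_EMBED)]:
        print(name, "| framable by app:", framing_allowed(hdrs, PAGE, "https://app.example.com"),
              "| framable by any site:", framing_allowed(hdrs, PAGE, "https://other.example"),
              "| credentialed CORS for app:", credentialed_cors_allowed(hdrs, "https://app.example.com"))
```

Run against a real tenant's response headers (fetched with a browser's network panel or curl -I), the same two functions show why the default headers block both embedding and a credentialed cross-origin call, and why disabling X-Frame-Options opens framing to every site, not just your own.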
 
Chris Hancock (Okta, Inc.)
Hi Brett, 

Thank you for posting your question. Unfortunately, there are several aspects you have raised in this post that would be better supported via a support ticket. Would you be able to raise your issue via the Open a Case button on the Okta Help centre (https://support.okta.com/help)?

Thanks!