
BrettP.40706 (Customer) asked a question.
- Okta sets the header X-Frame-Options: SAMEORIGIN, which prevents the page that sets the Okta session cookie from being embedded in an iframe.
- You can enable the "IFrame embedded" option in Okta's admin -> Settings -> Customization, which disables the X-Frame-Options header, but this is deprecated and removes protection against clickjacking.
- Using the Okta Auth SDK (currently broken? 404 for the SDK JS URL) or the Login Widget and setting up CORS does not help, because the session cookie URL does not honor the CORS setting; it doesn't set the Access-Control-Allow-Origin header.
- An old hack (https://support.okta.com/help/answers?id=906F0000000XZCXIA4) to set an image tag's src attribute to the session cookie URL fails on most modern browsers.

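The first and third bullets describe two separate browser checks that both have to pass before an embedding page can use the session-cookie URL: the framing policy (X-Frame-Options, or CSP frame-ancestors if present) and the CORS policy (Access-Control-Allow-Origin, plus Access-Control-Allow-Credentials for a cookie-bearing request). The following is an added example, not Okta's code or anything from this thread, that evaluates both checks from a set of response headers so you can see why a SAMEORIGIN header blocks a cross-origin iframe and why a missing (or wildcard) Access-Control-Allow-Origin header blocks a credentialed fetch. The function names, the header objects and the origins `https://example.okta.com` and `https://app.example.com` are constructed for illustration; it also handles the general CSP frame-ancestors case, which the thread does not mention.

```javascript
// Added example (not Okta's code). Evaluates, from a response's headers, whether a
// browser would let `embedderOrigin` frame the resource at `resourceOrigin`, and
// whether a cross-origin fetch from `embedderOrigin` could read the response.
// Header names are assumed to be lowercase keys; all values below are constructed.

const DEFAULT_PORT = { https: '443', http: '80' };

// Parse "scheme://host[:port]" into its parts, filling in the scheme's default port.
function parseOrigin(origin) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^:/]+)(?::(\d+))?$/i.exec(String(origin).trim());
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  return { scheme, host: m[2].toLowerCase(), port: m[3] || DEFAULT_PORT[scheme] || null };
}

function sameOrigin(a, b) {
  const x = parseOrigin(a), y = parseOrigin(b);
  return !!x && !!y && x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Match one CSP host-source expression (e.g. https://*.example.com, example.com:443)
// against an origin. Simplified: a scheme in the source must match exactly,
// "*." matches subdomains only, and a port must match unless it is "*".
function sourceMatches(src, origin) {
  const o = parseOrigin(origin);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+|\*)(?::(\d+|\*))?$/i.exec(src);
  if (!o || !m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme.toLowerCase() !== o.scheme) return false;
  if (host !== '*') {
    const h = host.toLowerCase();
    if (wildcard ? !o.host.endsWith('.' + h) : o.host !== h) return false;
  }
  if (port && port !== '*' && port !== o.port) return false;
  return true;
}

// Framing check: CSP frame-ancestors takes precedence when present; otherwise
// X-Frame-Options DENY / SAMEORIGIN applies. No header, or an obsolete value such as
// ALLOW-FROM that current browsers do not support, leaves framing allowed.
function framingAllowed(headers, resourceOrigin, embedderOrigin) {
  const csp = headers['content-security-policy'] || '';
  const directive = csp.split(';').map(d => d.trim()).find(d => /^frame-ancestors\b/i.test(d));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1).map(s => s.replace(/^'|'$/g, '').toLowerCase());
    if (sources.length === 0 || sources.includes('none')) return false;
    return sources.some(s =>
      s === 'self' ? sameOrigin(resourceOrigin, embedderOrigin) : sourceMatches(s, embedderOrigin));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return sameOrigin(resourceOrigin, embedderOrigin);
  return true;
}

// CORS check: the response is readable by script on `requesterOrigin` only if
// Access-Control-Allow-Origin names that origin (or "*" for non-credentialed requests);
// a request that carries cookies additionally needs Access-Control-Allow-Credentials: true
// and an exact origin, never "*".
function corsReadable(headers, requesterOrigin, withCredentials) {
  const acao = (headers['access-control-allow-origin'] || '').trim();
  if (!acao) return false;
  if (acao === '*') return !withCredentials;
  if (!sameOrigin(acao, requesterOrigin)) return false;
  if (withCredentials) {
    const acac = (headers['access-control-allow-credentials'] || '').trim().toLowerCase();
    if (acac !== 'true') return false;
  }
  return true;
}

// Constructed headers standing in for what the thread describes on the session-cookie
// URL: X-Frame-Options: SAMEORIGIN and no Access-Control-Allow-Origin at all.
const SESSION_COOKIE_RESPONSE = { 'x-frame-options': 'SAMEORIGIN' };

function diagnose(headers, resourceOrigin, embedderOrigin) {
  return {
    canFrame: framingAllowed(headers, resourceOrigin, embedderOrigin),
    canFetchWithCookies: corsReadable(headers, embedderOrigin, true),
  };
}

console.log(diagnose(SESSION_COOKIE_RESPONSE, 'https://example.okta.com', 'https://app.example.com'));
```

Running it with the constructed session-cookie headers reports `canFrame: false` and `canFetchWithCookies: false` for an embedder on a different origin, which is the situation the bullets above describe; swapping in a `Content-Security-Policy: frame-ancestors` header that names the embedder, or an exact `Access-Control-Allow-Origin` with `Access-Control-Allow-Credentials: true`, flips the respective result.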
It would be nice to have the answer here for all. How is this accomplished? Bullet 2 about some Customization flag doesn't appear to be around any longer.

Chiming in here to echo Matt's sentiment as well. If this is indeed a supported feature that simply needs to be enabled by an account admin or developed via a custom solution, that's fine. But that should be easily knowable so we can move on to making the determination about whether to pursue the custom solution or shelve the effort.

@BrettP.40706 (Customer) can you share with us the answer you received from support? It could also be useful for other customers. Thanks