<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content

3sylm (3sylm) asked a question.

CSP policies not behaving as documented for iframe embedding (and therefore not working)

I have a server side app that authenticates to okta with a user flow.

I want this app embedded via an iframe from other apps. The auth flow when accessing the app directly works as expected but via the iframe it just gets stuck in an auth loop after entering login credentials.

 

I have setup iframe trusted origin to my app, setup correct redirect urls, added all the relevant cors headers (samesite=none) but nothing has helped.

 

I noticed 2 possible issues...

1) okta sends back cookies with Samesite=lax and not samesite=none - given the different domains between the calling app (ie the iframe) and the authenticating app (within the iframe) is this not going to be an issue - and I dont see how I can change it.

2) Probably more of an issue... the article below says that if iframe is enabled in customizations then trusted origin iframe urls will show up as content-security-policy-report-only headers and not content-security-policy headers.

This is exactly what I am seeing except that I have iframe customizations disabled and all my urls added as iframe trusted origin. I believe this is causing the cookie to not be saved via the iframe and ending up in a circular auth loop.

 

This is the document I am referring to

https://support.okta.com/help/s/article/frequently-asked-questions-and-known-issues-with-trusted-origins-for-iframe-embedding?language=en_US

 

Would greatly appreciate any help

Thanks

 

 


  • Hi @3sylm (3sylm)​ , Thank you for reaching out to the Okta Community! 

     

    This question is more appropriate for our dedicated Okta Developer Forum.

    My advice would be to reach out via devforum.okta.com to take advantage of their expertise.

    While we'll do our best to answer all of your questions here, this medium is more inclined towards Okta core products and features (non-custom/developer work). 

     

     

    Regards.

    --

    Help others in the community by liking or hitting Select as Best if this response helped you.

    Expand Post
This question is closed.
Loading
CSP policies not behaving as documented for iframe embedding (and therefore not working)