How to achieve authentication in an iframe

I have a setup where I have a parent window in my browser running on a domain for which I set up an oauth2 client with hydra and have an authenticated session.
In the parent window I want to display an iframe whose content comes from a different domain but should be authenticated by hydra as well. Both domains are ours.

My first idea was to create an oauth2 client with hydra for the iframe’s domain and do an authorization code flow on that domain. If I am authenticated in the parent domain, hydra would know and I could skip the verification and consent in the iframes domain. Just, this does not work in an iframe. The reason seems to be that it is not possible to set a cookie in an iframe.

What would work is to quickly redirect to the iframes domain with the parent browser tab, do the auth flow, which sets the cookie in the browser on the iframe’s domain and the go back and load the iframe. The iframe can then see the cookie. This is however undesirable because we have a single page app and would loose all front end state in the process.

Maybe I can get an access token from hydra with the parent domain and pass it down in the GET request in the iframe. However I don’t understand the security issues I create when passing around access_tokens like that.

I also thought about a different approach using traffik to do some fancy routing within one domain, but this kind of architecture has some other issues with my setup.

I’m out of ideas how to address my problem. If anyone could point me in the right direction here, this would be great.

If I had to guess, it is likely more an issue of third party cookies being blocked. Check how your cookie is set and specifically if you have “SameSite” and “Secure” params (and read more about what is the magic combination that would work for your use case)

Could you use subdomains of a same parent domain? It’s easier to convince the browser to share cookies between subdomains than between two different domains.

If you need to pass things between the parent and the iframe, postMessage works fine in pretty much every modern browser.

I don’t fully understand either the security implications, not even sure the token isn’t already pegged to a specific domain.

2 Likes