I have a setup where I have a parent window in my browser running on a domain for which I set up an oauth2 client with hydra and have an authenticated session.
In the parent window I want to display an iframe whose content comes from a different domain but should be authenticated by hydra as well. Both domains are ours.
My first idea was to create an oauth2 client with hydra for the iframe’s domain and do an authorization code flow on that domain. If I am authenticated in the parent domain, hydra would know and I could skip the verification and consent in the iframe’s domain. But this does not work in an iframe. The reason seems to be that it is not possible to set a cookie in an iframe.
What would work is to quickly redirect to the iframe’s domain with the parent browser tab, do the auth flow, which sets the cookie in the browser on the iframe’s domain, and then go back and load the iframe. The iframe can then see the cookie. This is however undesirable because we have a single page app and would lose all front end state in the process.
Maybe I can get an access token from hydra with the parent domain and pass it down in the GET request in the iframe. However I don’t understand the security issues I create when passing around access_tokens like that.
I also thought about a different approach using Traefik to do some fancy routing within one domain, but this kind of architecture has some other issues with my setup.
I’m out of ideas how to address my problem. If anyone could point me in the right direction here, this would be great.
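The third option in the post (getting an access token on the parent domain and handing it to the iframe) is the one a worked example helps with, mainly because putting the token in the iframe's GET request means it lands in browser history, Referer headers and the iframe server's access logs. The following is an added example, not code from the original post or from Hydra, showing the parent handing the token to the frame with `window.postMessage` instead of a query string, and the frame accepting it only from the expected origin. The origins `https://app.example.com` and `https://widget.example.com`, the element id `widget`, the message type `access_token` and the `/api/me` path are assumptions for illustration.

```javascript
// Added example (not from the original post or from Hydra): pass an access
// token from the parent window to a cross-origin iframe via postMessage.
// PARENT_ORIGIN, IFRAME_ORIGIN, "widget", "access_token" and "/api/me" are
// assumed names chosen for this illustration.

const PARENT_ORIGIN = "https://app.example.com";    // assumed parent domain
const IFRAME_ORIGIN = "https://widget.example.com"; // assumed iframe domain

// Message the parent sends. Carrying an expiry lets the frame drop a token
// that is already stale when it arrives (e.g. a replayed/late message).
function buildTokenMessage(accessToken, expiresInSeconds) {
  return {
    type: "access_token",
    token: accessToken,
    expiresAt: Date.now() + expiresInSeconds * 1000,
  };
}

// Frame side: accept a token only when it comes from the one trusted origin
// and has the expected shape. Compare the full origin with ===; a wildcard
// or a prefix check would let any page that embeds the frame feed it a token.
// Returns the token string, or null if the message must be ignored.
function acceptTokenMessage(event, trustedOrigin) {
  if (event.origin !== trustedOrigin) return null;
  const data = event.data;
  if (!data || typeof data !== "object" || data.type !== "access_token") return null;
  if (typeof data.token !== "string" || data.token.length === 0) return null;
  if (typeof data.expiresAt !== "number" || data.expiresAt <= Date.now()) return null;
  return data.token;
}

// Parent side: target the exact origin. If the frame has meanwhile been
// navigated somewhere else, the browser drops the message instead of
// delivering the token to the wrong document. Never use "*" here.
function sendTokenToFrame(frameWindow, accessToken, expiresInSeconds, targetOrigin) {
  frameWindow.postMessage(buildTokenMessage(accessToken, expiresInSeconds), targetOrigin);
}

// Frame side: listen for the token and use it as a bearer token in fetch,
// so it never appears in a URL, browser history, Referer or access logs.
function installTokenListener(trustedOrigin, onToken) {
  window.addEventListener("message", (event) => {
    const token = acceptTokenMessage(event, trustedOrigin);
    if (token !== null) onToken(token);
  });
}

// Browser wiring (skipped when the helpers above are loaded outside a browser).
// accessToken is whatever the parent obtained from hydra for its own client.
function wireParent(accessToken) {
  const frame = document.getElementById("widget"); // assumed element id
  frame.addEventListener("load", () => {
    sendTokenToFrame(frame.contentWindow, accessToken, 3600, IFRAME_ORIGIN);
  });
}

function wireFrame() {
  installTokenListener(PARENT_ORIGIN, (token) => {
    fetch("/api/me", { headers: { Authorization: "Bearer " + token } }); // assumed path
  });
}

if (typeof window !== "undefined" && typeof document !== "undefined") {
  if (window.location.origin === IFRAME_ORIGIN) wireFrame();
}
```

Two things this does not remove: the token is still exposed to any script running on the iframe's origin (so that origin's content must be treated as fully trusted, which the post says it is), and the iframe's backend still has to verify the bearer token it receives, for example through Hydra's OAuth2 token introspection, rather than trusting it because it arrived from the frame.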