Closed qz2017 closed 6 years ago
Authenticating interactively from an app running in an Iframe is not supported because of security concerns in AAD with clickjacking attacks. Adal.js is not designed to be called by an app from inside an Iframe.
A possible approach is for the application to run as JS served by the host application and use the AAD session established for a user by the host application to achieve SSO. This can be done from Adal.js 1.0.16 by passing the login_hint as a query parameter before acquiring a token silently.
@qz2017, Hi, have you resolved your issue? I am facing the same challenge in our application. Kindly help on this.
Why do we even have this code in ADAL when we know for sure it will fail in many browsers and it is a security issue?
(window.parent && window.parent._adalInstance)
We are trying to use adal.js to fetch token for code inside a cross-domain iframe. And it fails.
Basically the host page is on domainA. The iframe is pointing to a page in domainB. The page in domainB is calling ADAL.js to fetch token. Token is fetched fine. But adal code fails at handleWindowCallback because it is checking on window.parent (which is cross-domain). The offending code is at: https://github.com/AzureAD/azure-activedirectory-library-for-js/blob/703e560f26de90fef9ae955529605672242c1f71/lib/adal.js#L1321
Is there a way to work around it by not doing all those window.parent checks?
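The failure described above, as an added example that is not adal.js code: a browser lets a frame read only a short allow-list of properties on a cross-origin parent Window, so `window.parent._adalInstance` throws a SecurityError when the host page is on another domain. The names `makeCrossOriginWindow` and `getParentAdalInstance` are hypothetical, the cross-origin Window is simulated with a Proxy so the block runs outside a browser, and the guarded lookup simply reports "no usable parent instance" instead of throwing in that case.

```javascript
// Added example, not adal.js code. Standard browser allow-list of properties
// readable on a cross-origin Window; anything else (e.g. _adalInstance) throws.
const CROSS_ORIGIN_ALLOWED = new Set([
  'parent', 'top', 'self', 'window', 'frames', 'length',
  'location', 'postMessage', 'closed', 'opener', 'blur', 'focus', 'close',
]);

// Constructed stand-in for a cross-origin parent Window (hypothetical helper).
function makeCrossOriginWindow(target) {
  return new Proxy(target, {
    get(obj, prop) {
      if (typeof prop === 'string' && !CROSS_ORIGIN_ALLOWED.has(prop)) {
        const err = new Error('Blocked a frame from accessing a cross-origin frame: ' + prop);
        err.name = 'SecurityError';   // what browsers raise for this access
        throw err;
      }
      return obj[prop];
    },
  });
}

// Guarded lookup (hypothetical): returns the parent's ADAL instance only when
// the page is framed by a same-origin window. Returns null, rather than
// throwing, for a top-level page or for the cross-domain iframe in the issue.
function getParentAdalInstance(win) {
  const parent = win.parent;                    // readable even cross-origin
  if (!parent || parent === win) return null;   // not inside an iframe at all
  try {
    return parent._adalInstance || null;        // throws if parent is cross-origin
  } catch (e) {
    if (e.name === 'SecurityError') return null;
    throw e;                                    // anything else is a real bug
  }
}

// Constructed scenarios mirroring the issue (domainA host, domainB iframe).
const hostAdal = { tenant: 'constructed-tenant' };
const sameOriginChild = { parent: { _adalInstance: hostAdal } };
const crossOriginChild = { parent: makeCrossOriginWindow({ _adalInstance: hostAdal }) };
const topLevel = {};
topLevel.parent = topLevel;                     // window.parent === window at top level

// The unguarded adal.js-style expression throws for the cross-domain case.
function unguardedLookupThrows(win) {
  try { return !!(win.parent && win.parent._adalInstance) && false; } catch (e) { return true; }
}
```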