FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

iFrames do not currently work well in certain OAuth workflows (as documented in release notes), consider alternative workflows (embed login widget, dpop, etc) #2885

Open jobannon opened 1 month ago

jobannon commented 1 month ago

Problem

I want to call FusionAuth for login, but I want to "retain my user context, current page" (no redirects)

Solution

iFrames are commonly employed, but these are being deprecated across browsers as an insecure workflow. Consider alternative workflows to allow a user to complete login "behind the scenes"

Alternatives/workarounds

Redirect to the authorization server in the browser (we designed this to be the default workflow for the OAuth2 Workflow).

Additional context

iFrames are particularly problematic in version 1.50.0

If you are using IFRAMEs to access the FusionAuth hosted login pages please check that the IFRAME src is from the same domain as the FusionAuth pages.

FusionAuth uses cookies to manage user state with the SameSite attribute set to Lax or Strict. Browsers will block Set-Cookie headers on cross-domain requests.

This release introduces a new redirect into the OAuth flows to /oauth2/consent as part of the OAuth Scopes feature. This redirect will occur during each browser-based interactive OAuth workflow. Prior to this version it was possible to complete an OAuth code grant flow without cookies being set as long as there were no additional redirects to FusionAuth before the final redirect to the configured redirect_url. As a result it did not matter if the Set-Cookie headers were blocked. The redirect with the code would still work.

However, in this version the browser will not be able to send the FusionAuth cookies required to maintain user state along with the redirect to /oauth2/consent and the login flow will fail. The user will be redirected back to /oauth2/authorize and will be unable to log in.

Related

- Prompt - https://github.com/FusionAuth/fusionauth-issues/issues/2208
- DPoP - https://github.com/FusionAuth/fusionauth-issues/issues/1679
- mTLS - https://github.com/FusionAuth/fusionauth-issues/issues/1025

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
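The "same domain" check the issue asks for is really a same-site check: browsers decide whether to send or accept a SameSite=Lax/Strict cookie by comparing scheme plus registrable domain (eTLD+1), not the exact host, so `auth.example.com` framed by `app.example.com` is same-site while a vendor-hosted login domain is not. The following is an added example, not FusionAuth code, that applies that rule to an embedding page and an iframe src; the suffix table is a constructed stand-in for the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List.
# A production check should use the full list (e.g. the publicsuffix2 package).
PUBLIC_SUFFIXES = {"com", "org", "net", "io", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 ("site") for a host using the table above."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the left so the longest matching public suffix wins.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return ".".join(labels)  # host is itself a public suffix
            return ".".join(labels[i - 1:])
    return ".".join(labels)  # unknown suffix or IP literal: whole host is the site


def is_same_site(page_url: str, frame_src: str) -> bool:
    """Schemeful same-site: identical scheme and identical registrable domain."""
    page, frame = urlsplit(page_url), urlsplit(frame_src)
    if page.scheme != frame.scheme:
        return False
    return registrable_domain(page.hostname or "") == registrable_domain(frame.hostname or "")


def check_embed(page_url: str, frame_src: str) -> dict:
    """Report whether SameSite=Lax/Strict cookies set by the framed login pages
    will travel with the in-frame redirect to /oauth2/consent."""
    same_site = is_same_site(page_url, frame_src)
    return {
        "same_site": same_site,
        "cookies_sent_to_consent": same_site,
        "reason": (
            "embedding page and iframe src share scheme and registrable domain"
            if same_site
            else "cross-site frame: SameSite cookies are withheld, consent redirect will fail"
        ),
    }


if __name__ == "__main__":
    print(check_embed("https://app.example.com/dashboard",
                      "https://auth.example.com/oauth2/authorize?client_id=x"))
    print(check_embed("https://app.example.com/dashboard",
                      "https://login.vendor-hosted.io/oauth2/authorize?client_id=x"))
```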