IdentityServer / IdentityServer3.Samples

Samples for IdentityServer v3
Apache License 2.0

X-Frame-Options: SAMEORIGIN error when using the OAuthJS sample #75

Closed devlz303 closed 9 years ago

devlz303 commented 9 years ago

I have copied the OAuthJS sample code to test my IdentityServer with a SPA client (from https://github.com/IdentityServer/Thinktecture.IdentityServer3.Samples/tree/master/source/OAuthJS). Retrieving an access token is working fine, and the call to my Web API is also working like it should.

I also enabled the silent_renew option, but somehow this is not working. In the console log I see the message `token is about to expire`, and then an error occurs: `Refused to display 'https://localhost:44324/identity/connect/authorize?rest_of_the_long_querystring' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.`

The IdentityServer is running on another host (port), so it's true the request is not from the same origin. I've tried to set the X-Frame-Options header in IdentityServer (web.config), but now I end up with multiple X-Frame-Options headers. The SAMEORIGIN header is forced by IdentityServer (by the SecurityHeadersAttribute).

Is there something I can do to make it work?

Thanks!

brockallen commented 9 years ago

It's because your user is not logged in, an HTML page is being displayed, and the XFO is kicking in. For the silent renew to work, your user has to have marked "remember my consent".

devlz303 commented 9 years ago

Thanks for pointing me in the right direction. There was another problem, but your comment "a html page is being displayed" made me look into the actual response in Fiddler. The problem was I did not add the URL for the frame.html to the redirect URIs for this client, which resulted in: `The client application is not known or is not authorized.` After I added the redirect URI, the client was known, resulting in a response with tokens.

There was another problem I ran into. To test the silent renew I had set the AccessTokenLifetime to 60 seconds. But the client-side token manager is fetching a new token 60 seconds before the old token expires. So after fetching a new token, the token manager would trigger a new fetch. After changing the AccessTokenLifetime setting to 120 seconds all was fine.

Kind regards!

devlz303 commented 9 years ago

Oh, and I forgot to mention: it wasn't needed to mark "remember my consent" to make the silent renew work.

brockallen commented 9 years ago

If you've disabled consent in the server, then that avoids the prompt as well.
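The three pitfalls in this thread (an interactive HTML page landing in the cross-origin renew frame and being blocked by X-Frame-Options, an unregistered frame.html redirect URI, and an AccessTokenLifetime no longer than the token manager's 60-second renew lead) as an added example that is not part of the IdentityServer3 samples or the OAuthJS token manager; all function names, the response shape and the sample values are hypothetical.

```javascript
// Added example; not code from the IdentityServer3 samples. The response
// object shape { status, url, headers } and all names are assumptions.

// Silent renew loads /connect/authorize in a hidden iframe. If the server
// answers with an interactive HTML page (login, consent, error) instead of
// redirecting back to frame.html with tokens, that page's
// X-Frame-Options: SAMEORIGIN blocks it because IdentityServer runs on a
// different origin than the SPA.
function diagnoseFrameResponse(resp, clientOrigin) {
  const headers = {};
  for (const [k, v] of Object.entries(resp.headers)) headers[k.toLowerCase()] = v;
  const sameOrigin = new URL(resp.url).origin === clientOrigin;
  if (resp.status >= 300 && resp.status < 400 && headers.location) return "redirect";
  const isHtml = (headers["content-type"] || "").startsWith("text/html");
  const xfo = headers["x-frame-options"] || "";
  if (isHtml && !sameOrigin && /sameorigin|deny/i.test(xfo)) {
    return "blocked-by-xfo"; // interactive page shown in a cross-origin frame
  }
  return "other";
}

// Constructed sample of the blocked authorize response from the thread.
const blockedFrameResponse = {
  status: 200,
  url: "https://localhost:44324/identity/connect/authorize?client_id=spa&response_type=id_token%20token",
  headers: { "Content-Type": "text/html; charset=utf-8", "X-Frame-Options": "SAMEORIGIN" },
};

// Exact-match lookup of the frame's URL in the client's registered redirect
// URIs. An unregistered frame.html gets "client application is not known
// or is not authorized" instead of tokens.
function isRedirectUriRegistered(frameUrl, registeredRedirectUris) {
  const norm = (u) => { const x = new URL(u); return x.origin + x.pathname; };
  return registeredRedirectUris.some((r) => norm(r) === norm(frameUrl));
}

// Count silent renewals over `simulatedSeconds` when the token manager
// renews `leadSeconds` before expiry. With lifetime <= lead the next renew
// is due the moment the new token arrives (a renew loop), so the count hits
// `maxRenewals`; with lifetime 120 and lead 60 it renews once every 60 s.
function countRenewals(accessTokenLifetime, leadSeconds, simulatedSeconds, maxRenewals = 1000) {
  let now = 0, renewals = 0, expiresAt = accessTokenLifetime;
  while (renewals < maxRenewals) {
    const renewAt = expiresAt - leadSeconds; // when the manager wakes up
    if (renewAt > simulatedSeconds) break;
    now = Math.max(now, renewAt);
    renewals += 1;
    expiresAt = now + accessTokenLifetime;
  }
  return renewals;
}
```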