Customize x-frame-options header for authentication pages - Githubissues

IdentityServer / IdentityServer3

OpenID Connect Provider and OAuth 2.0 Authorization Server Framework for ASP.NET 4.x/Katana

https://identityserver.github.io/Documentation/

Apache License 2.0

2.01k stars 763 forks source link

Customize x-frame-options header for authentication pages #769

Closed rlinow closed 9 years ago

rlinow commented 9 years ago

Is there any way to customize the X-Frame-Options header for the authentication pages? I would like to allow some of our web applications to embed the login form from the ID server in an iframe.

brockallen commented 9 years ago

Well, we're using the most permissive, yet safe, option which is SAMEORIGIN. There is an ALLOW-FROM option but it's not widely supported: https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options#Browser_compatibility

So this means we can either disable it, which is not recommended, or you can have a login button/link on the client app to login (rather than embedding the login).

rlinow commented 9 years ago

Perhaps there can be an option to check if the referer is from a white-listed host and disable the x-frame-options header under such condition?

brockallen commented 9 years ago

Referrer is unreliable.

brockallen commented 9 years ago

Closing. We'll be able to once browsers have more support (like CSP2 or whatever else comes along to help).

mikkark commented 9 years ago

We followed the OAuthJS sample and implemented refreshing access tokens in a hidden iframe. Since we host identityserver separately from the app(s) that use it for authentication, the SAMEORIGIN does not work for us. Since SAMEORIGIN is now hardcoded into the IdentityServer code I planned creating a global action filter that would replace the existing x-frame-options header with a more permissive one (in combination with CSP headers for browsers that support them but don't support the x-frame-options ALLOW-FROM). However I'm having a really hard time registering a global filter since IdentityServer configures the app behind the scenes so I don't have access to the HttpConfiguration class and the Filters collection. Any clues would be most welcome.

brockallen commented 9 years ago

The hidden iframe works perfectly well if the user has previously given consent. There is no XFO involved, since no HTML is rendered.

mikkark commented 9 years ago

that is so true. It turned out that what I actually got as a response was the HTML of identityserver's error page because of missing redirect uri setting. D'oh! Thanks for a super fast response that led me to the right track :)

brockallen commented 9 years ago

np