A (SharePoint Online) page has an iframe to a .NET MVC application. The MVC application lives in a separate domain. Both SharePoint Online and the MVC app use AAD and allow access for the same users (AAD tenant).
Now when a user opens the SharePoint page (in Windows 7) the iframe fails to redirect the user to the AAD login page (because this is disallowed; see "OAuth not working inside an iframe" or https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-23#section-10.13).
After unsuccessful googling I decided to play around with this a bit and came up with something that works but is ugly:
- User signs in to SharePoint. The iframe on page is hidden
- JavaScript (jquery) on page makes a jsonp call to the MVC app
- If the call succeeds we show the iframe and are happy
- If the call fails we redirect the user to an MVC page (full redirect). We carry the current URL in the query string
- User authenticates against AAD
- MVC page redirects user back to our SharePoint Online page
Now the iframe successfully shows content and we are happy, except that the above solution has a lot of code to maintain:
- JavaScript redirect logic
- jsonp request (error handling is not so straightforward; actually it is timeout based)
- extra MVC action to redirect user back
- suboptimal UX (some waiting and redirects; the back button would cause trouble)
What would be a better solution, or how are these things typically solved?
(Another question would be why my home PC seems to show iframe content after signing in only once to SharePoint Online.)
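The probe-then-redirect flow described in the question, as an added example that is not the poster's code: the part worth getting right from a security standpoint is the "carry the current URL in the query string" step, because the MVC action that redirects the user back must validate that URL against an allow-list or it becomes an open redirect. The endpoint paths (`/auth/ping`, `/auth/login`), the `returnUrl` parameter name and the SharePoint origin are assumptions.

```javascript
// Added example, not code from the question. Endpoint names, the returnUrl
// parameter and the origin below are assumptions / constructed sample values.
const SHAREPOINT_ORIGINS = ["https://contoso.sharepoint.com"]; // constructed

// Accept only absolute https URLs whose origin is on the allow-list.
// Rejects relative paths, protocol-relative "//evil.example", javascript:
// and data: schemes, http:// downgrades and foreign hosts; returns null then.
function safeReturnUrl(candidate, allowedOrigins) {
  let url;
  try {
    url = new URL(candidate); // throws on relative or malformed input
  } catch (e) {
    return null;
  }
  if (url.protocol !== "https:") return null;
  if (!allowedOrigins.includes(url.origin)) return null;
  return url.href;
}

// Build the full-page login URL on the MVC side, carrying the current page URL.
function buildLoginUrl(mvcOrigin, currentUrl) {
  const login = new URL("/auth/login", mvcOrigin);
  login.searchParams.set("returnUrl", currentUrl);
  return login.href;
}

// Client side, after the probe has answered: show the hidden iframe on success,
// otherwise navigate the *top-level* window (never the iframe) to the MVC login
// page. Returns what it did so the decision can be unit-tested without a DOM.
function decideAfterProbe(authenticated, frame, topLocation, mvcOrigin) {
  if (authenticated) {
    frame.hidden = false;
    return "shown";
  }
  topLocation.href = buildLoginUrl(mvcOrigin, topLocation.href);
  return "redirected";
}

// Client side entry point. Instead of a timeout-based jsonp call, a credentialed
// fetch to a tiny JSON endpoint answers yes/no; this assumes the MVC app sends
// CORS headers allowing credentials from the SharePoint origin.
async function showFrameOrLogin(frame, topLocation, mvcOrigin) {
  const ok = await fetch(mvcOrigin + "/auth/ping", { credentials: "include" })
    .then((r) => r.ok)
    .catch(() => false); // network error / CORS failure counts as "not signed in"
  return decideAfterProbe(ok, frame, topLocation, mvcOrigin);
}

// Server side (the MVC "redirect back" action), written in JS for the example:
// only redirect to an allow-listed origin, otherwise fall back to a safe default.
function redirectTargetAfterLogin(returnUrlParam, fallback) {
  return safeReturnUrl(returnUrlParam, SHAREPOINT_ORIGINS) || fallback;
}
```

The same `safeReturnUrl` check belongs in the MVC action itself, since the client-side logic can be bypassed by anyone who crafts the login URL by hand.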