How to securely authenticate cross-domains in an iframe (excluding third-party cookies)?

Question

It implements a PHP / Vue.js based project that allows clients to embed our service in an iframe window.

The security of third party cookies, they have become increasingly restrictive in recent years. There was a problem with user authorization, especially in Safari.

How to provide information about an authorized user and enable its authentication on a service embedded in an iframe to ensure its security. And so that the user is still authenticated after reloading the page.

Did you ever find a solution to this? – Tafel Feb 05 '21 at 09:59 — Tafel, Feb 05 '21 at 09:59

score 0 · Answer 1 · answered Mar 02 '21 at 11:10

To authenticate the user from a third-party service, you must use OAuth2 or SAML2 protocol.

Use iFrame to authenticate the user can be attacked with a man-in-the-middle attack. Ex: https://thepaypers.com/digital-identity-security-online-fraud/man-in-the-middle-breach-targets-iframe--764906

The authentication provider must define the X-Frame-Options to avoid the clickjacking attack. See: https://developer.mozilla.org/fr/docs/Web/HTTP/Headers/X-Frame-Options

How to securely authenticate cross-domains in an iframe (excluding third-party cookies)?

1 Answers1