This repository has been archived by the owner on Apr 9, 2024. It is now read-only.
It's important to know which authentication flow is to be used. There are two main options available, as far as I know: Authorization Code Flow and Implicit Flow, each of which comes with its own caveats. Regardless of which one is used, the iframes shouldn't have any problem accessing the cookies from the main frame, if everything is running under the same domain name.
In the implicit flow the token will be made available to the client, and thus it is slightly less secure. The advantage is that it doesn't require a server-side component. It's probably worth mentioning that this feature of B2C is currently in preview mode.
For the authorization_code flow, there needs to be a server-side component which is rendering the index page, for each context. This can be a simple node.js express server which is handling the authentication, prior to rendering the index page. The node.js server will store the token in the session and only expose a session cookie, which will also be available to the other context running in an iframe.
Another important requirement for the authorization_code flow is a session store, such as Redis. This is needed to be able to share the session data with the other iframes.
From a client-side perspective, the implicit flow is probably a more straightforward way of accomplishing this, but I'm not sure how suitable for running in production this flow is in B2C. Some more investigation is probably needed into this aspect.
With a composition of iframes, we need to be able to log in from an outermost place and have the JWT token available throughout.
All iframes should have access to the token - either through a cookie or something else.
Another important aspect is the authorisation part. Every respective iframe needs to deal with this.
This is somewhat indirectly related to: #327, #328 and #31