IdentityModel.OidcClient connect/authorize/callback issue when flow starts from iframe

Open · diegobergamo opened this issue 3 years ago · 1 comment

I have set up an identityserver4 (started from the QuickStart official template) that interacts with an angular front-end UI to enable auth. All the flow works as expected, ending in a redirect to IdentityModel.OidcClient's api http://is4url:is4port/connect/authorize/callback?client_id=XXXXXXXXXXX that materializes the required jwt token in session and then redirects to the original ip from which the flow started.

All this scenario breaks if the original ip that starts the flow is embedded in an iframe. In this case, the api http://is4url:is4port/connect/authorize/callback?client_id=XXXXXXXXXXX does not create the token and simply redirects to the login landing page from which it was called.

Any hint on how to address the issue?

diegobergamo avatar Dec 28 '21 11:12 diegobergamo

For security reasons it is not recommended to allow iframing of the IdP UI. That's what we actively prevent with the security headers filter on the UI pages. Same goes for other commercial IdPs (e.g. Azure, Google, etc.).

From a functionality point of view, more and more browsers put restrictions on iframes (e.g. blocking cookies). So even if you can get it to work by removing our code, it will probably not work in the future.

leastprivilege avatar Dec 28 '21 12:12 leastprivilege
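The reply above attributes the behaviour to the anti-framing security headers that the IdP UI sends. The following added example (not code from the issue, from IdentityModel.OidcClient, or from IdentityServer4) evaluates a response's `X-Frame-Options` and `Content-Security-Policy: frame-ancestors` headers the way a browser would when deciding whether a page may be rendered inside a frame. The header sets and origins are constructed for the example; the set labelled as the IdP's is an assumption about what a QuickStart-style security headers filter emits, not a quote of the template.

```python
"""Decide whether an HTTP response permits being rendered inside an <iframe>.

Added example: evaluates the two headers browsers consult for framing
(CSP frame-ancestors, then X-Frame-Options). Header sets below are constructed.
"""
from typing import Dict, List, Optional


def csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_allowed(headers: Dict[str, str], embedder_origin: str, page_origin: str) -> bool:
    """True if a page served with `headers` from `page_origin` may be framed by `embedder_origin`.

    Simplification: frame-ancestors sources are compared as whole origins, with no
    scheme-only or wildcard-host matching.
    """
    h = {k.lower(): v for k, v in headers.items()}
    embedder = embedder_origin.lower()
    page = page_origin.lower()

    # CSP frame-ancestors, when present, takes precedence and X-Frame-Options is ignored.
    ancestors = csp_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        if "none" in ancestors:
            return False
        if "*" in ancestors:
            return True
        if "self" in ancestors and embedder == page:
            return True
        return embedder in ancestors

    # Fall back to X-Frame-Options; an absent or unrecognised value does not block framing.
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == page
    return True


# Constructed headers, assumed to resemble what an IdP UI hardened against framing sends.
IDP_UI_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
    "Referrer-Policy": "no-referrer",
}

# Constructed headers for a page that only relies on X-Frame-Options.
SAMEORIGIN_ONLY_HEADERS = {"X-Frame-Options": "SAMEORIGIN"}

# Constructed headers for a page with no framing protection at all.
UNPROTECTED_HEADERS = {"Content-Type": "text/html"}

IDP_ORIGIN = "https://is4.example"     # hypothetical IdP origin
APP_ORIGIN = "https://app.example"     # hypothetical Angular app origin embedding the login


def demo() -> Dict[str, bool]:
    """Return the framing decision for each constructed scenario."""
    return {
        "idp_framed_by_app": framing_allowed(IDP_UI_HEADERS, APP_ORIGIN, IDP_ORIGIN),
        "idp_framed_by_itself": framing_allowed(IDP_UI_HEADERS, IDP_ORIGIN, IDP_ORIGIN),
        "xfo_same_origin": framing_allowed(SAMEORIGIN_ONLY_HEADERS, IDP_ORIGIN, IDP_ORIGIN),
        "xfo_cross_origin": framing_allowed(SAMEORIGIN_ONLY_HEADERS, APP_ORIGIN, IDP_ORIGIN),
        "unprotected": framing_allowed(UNPROTECTED_HEADERS, APP_ORIGIN, IDP_ORIGIN),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'framing allowed' if allowed else 'framing blocked'}")
```

With `frame-ancestors 'none'` the login page is refused even to a same-origin embedder, which is why an authorize request started from inside an iframe never reaches a rendered login form; stripping the filter would only lose the protection the reply describes, and the cookie restrictions it mentions would still apply.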