问题
I am working on a project where it has two different solutions. "https://example.com" and inside that We have used to display pages of different project say "https://example123.com".
I have implemented Azure AD authentication on "https://example123.com" project. So once it hits that url, AzureAD page shows up for authentication.
Now I required to work the same authentication thing inside example.com which is using iframe to connect to project example123.com but getting issue - login.microsoftonline.com refused to connect.
Also on console i am getting error as - Refused to display 'https://login.microsoftonline.com/......' in a frame because it set 'X-Frame-Options' to 'deny'.
Please help on this. Thanks in advance.
回答1:
Pretty much every Authorization Server login screen will refuse to render on an iframe by default, as a protection against clickjacking. So redirecting on an iframe will not work. There may be a way to allow this in Azure but I kind of doubt it.
Not sure if there is a solution in sight for you, and it is not a simple thing you are asking for. As a general rule you need to design for security early. A couple of possibilities:
PART 1
Make your hosting domains compatible along these lines, so that cookies or tokens (what ever you are using) can potentially be shared between the apps:
- https://web.mycompany.com/app1
- https://web.mycompany.com/app2
PART 2
Define an interface within the inner (iframe) app for dealing with logins. When the inner app detects that it is running in an iframe it needs to use an implementation that asks the main (host) app to perform things like login redirects on its behalf.
You may then need to issue a cookie across the 2 apps (with a site wide scope) or use the postMessage API to send tokens back to the iframe app (and there are potential security risks with this).
来源:https://stackoverflow.com/questions/63155081/refused-to-display-login-microsoftonline-com-in-iframe-in-asp-net-mvc-app