Session is not restored properly inside of an iframe

[NoelDeMartin]

Search terms you've used

iframe

Impacted package

Which packages do you think might be impacted by the bug ?

• solid-client-authn-browser
• solid-client-authn-node
• solid-client-authn-core
• oidc-client-ext
• Other (please specify): ...

Bug description

An app running inside of an iframe won't restore the session properly, because the callback url is sent to the parent window instead.

To Reproduce

It would take me some time to create a small reproduction, and I think the issue is clear enough. It it isn't, let me know and I'll provide the reproduction.

Expected result

I expect the library to restore the session properly even if running inside of an iframe.

Actual result

The library does not restore the session properly and sends the callback url to the parent window.

Environment

I don't think my environment is relevant to this issue.

Additional information

So far you may be wondering why do I even need to run the library inside of an iframe. Well, there is a perfectly good explanation, and that is that I use Cypress :). Cypress is an automated test framework that runs tests in a real browser, and the app is run within an iframe.

So this is not a problem that I will face in production, but it's broken my tests and makes it impossible to use in my development workflow. Although I could see this becoming an issue for some app that does run in an iframe.

[NoelDeMartin]

I just realized this isn't the source of my problem because Cypress is rewriting the frameElement property. I'm dealing with an issue that's very difficult to debug and I was mislead by this; for some reason some of my test runs have the frameElement defined in the app, but others don't. But the issue I'm facing is still happening when it's not defined, so this is not the source.

In any case, I think this could still be an issue in some use-case so I'll leave this open. Feel free to close it if you think that use-case (running apps inside iframes) shouldn't be supported.

[NSeydoux]

I'll have to think twice about it, but I'm afraid running the app in an iframe could be hard to support, at least until we support popup-based login. In the case of a redirection login, many identity providers have content security policies preventing running into iframes to prevent certain attacks.

However, the reason why we were dealing with iframe at all was an experiment for silent refresh, and that wasn't successful, that's why we are now relying on refresh tokens instead, even in the browser (it was only used in node initially). If we were to remove any iframe awareness from the library altogether, and act within an iframe as we do in the main window, do you think that would resolve your issue ? That is, if your identity provider supports it.

[NoelDeMartin]

If we were to remove any iframe awareness from the library altogether, and act within an iframe as we do in the main window, do you think that would resolve your issue ? That is, if your identity provider supports it.

Thanks for the response.

After a while I realized this wasn't the root of my problem because Cypress is faking not being inside of an iframe, so it does work. I'm still not sure what was causing this to happen sparingly, but I'm sure it has nothing to do with the library.

So I don't really have any issues now, I just let this open in case it was a problem for someone else. But if you think running apps inside of an iframe is not within the scope of the library, feel free to close the issue. I don't really have a real use-case at the moment.

[NSeydoux]

If it were a use case, it would not work with the library as it is built at the moment for the reasons described (shortly) in this issue, so let's keep it open for the time being :)