concurrent end user authentication #1177
shayannyc25 started this conversation in General
authentication should not be done in iframes and should have been prevented by the default settings, see: https://github.com/OpenIDC/mod_auth_openidc/wiki/Sessions-and-Timeouts#single-page-applications
Hi,
We have a use case where a certain mod auth oidc protected SPA is accessed concurrently in 2 or more iframes, with the iframes all hosted in one parent page.
All the iframes are basically using the same URL, and all the SPA URLs are protected by the same mod auth oidc plugin and will share the same mod auth oidc cookie (as the host part of the URL is the same).
When the parent page containing the iframes loads, it starts loading all the iframes that need to be loaded. As this is the first time the user is accessing the SPA, the user needs to be authenticated first. This causes mod auth oidc to redirect the calls to the SPA in each iframe to our auth provider first in order to authenticate the user.
The issue we are facing is that the call from the first iframe to hit mod auth oidc results in a successful authentication process (the call is redirected to the auth provider, an auth code is sent back, and then mod auth exchanges that for an access token and sends back a new mod auth oidc cookie) and the user is redirected by mod auth oidc to the URL requested by the first iframe. However, as these iframes are all basically loading in parallel, this is triggering concurrent authentications with our auth provider, as the user had not yet authenticated and there is no mod auth oidc cookie. We have noticed that after the auth provider sends back the auth code for the auth flow for the OTHER iframes that loaded AFTER the FIRST iframe, mod auth oidc does NOT redirect the user to the requested URL (which is the URL of the iframe), and thus the content in those other iframes does not load.
Any idea how to fix or get around this issue?
We cannot make the iframes load serially (i.e. we cannot wait for the first iframe to load and go through user authentication with our auth provider and get back a mod auth oidc cookie, and only then, now that we have the mod auth cookie, load the other iframes, with the cookie being shared with them and their requests sending the cookie as part of the call).