I have a server-side app that authenticates to Okta with a user flow.
I want this app embedded via an iframe from other apps. The auth flow when accessing the app directly works as expected, but via the iframe it just gets stuck in an auth loop after entering login credentials.
I have set up an iframe trusted origin for my app, set up the correct redirect URLs, and added all the relevant CORS headers (samesite=none), but nothing has helped.
I noticed two possible issues:
- Okta sends back cookies with SameSite=Lax and not SameSite=None. Given the different domains between the calling app (i.e. the page hosting the iframe) and the authenticating app (within the iframe), is this not going to be an issue? And I don't see how I can change it.
- Probably more of an issue: the article below says that if iframe is enabled in customizations, then trusted origin iframe URLs will show up in Content-Security-Policy-Report-Only headers and not in Content-Security-Policy headers. This is exactly what I am seeing, except that I have iframe customizations disabled and all my URLs added as iframe trusted origins. I believe this is causing the cookie to not be saved via the iframe and ending up in a circular auth loop.
This is the document I am referring to
Would greatly appreciate any help
Thanks
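As an added diagnostic (not part of the original post, and not Okta's code): a Python check that runs over captured response headers from the auth redirect and flags the two symptoms described above, cookies that lack `SameSite=None; Secure` and a `frame-ancestors` directive that appears only in the report-only CSP header. The header values below are constructed samples, not real Okta responses.

```python
# Constructed sample of response headers from an auth redirect, modelled on the
# two symptoms in the post (these are NOT captured from a real Okta tenant).
SAMPLE_HEADERS = [
    ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "JSESSIONID=def456; Path=/; Secure; HttpOnly"),
    ("Content-Security-Policy-Report-Only",
     "frame-ancestors 'self' https://parent.example.com"),
    ("Content-Security-Policy", "default-src 'self'"),
]

def cookie_cross_site_ok(set_cookie: str) -> tuple[str, bool, str]:
    """Return (name, ok, reason). ok is True only when the cookie carries
    SameSite=None together with Secure, the combination browsers require
    before they will send it from inside a cross-site iframe."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip().lower()
    # Chromium treats a cookie with no SameSite attribute as Lax.
    samesite = attrs.get("samesite", "lax")
    if samesite != "none":
        return name, False, f"SameSite={samesite}: not sent in a cross-site iframe"
    if "secure" not in attrs:
        return name, False, "SameSite=None without Secure: rejected by browsers"
    return name, True, "SameSite=None; Secure"

def frame_ancestors_mode(headers) -> str:
    """Return 'enforced', 'report-only' or 'absent' depending on which CSP
    header carries the frame-ancestors directive. An enforced header wins."""
    mode = "absent"
    for name, value in headers:
        directives = [d.strip().split()[0] for d in value.split(";") if d.strip()]
        if "frame-ancestors" not in directives:
            continue
        if name.lower() == "content-security-policy":
            return "enforced"
        if name.lower() == "content-security-policy-report-only":
            mode = "report-only"
    return mode

def diagnose(headers) -> dict:
    """Summarise both checks for a list of (header_name, header_value) pairs."""
    cookies = [cookie_cross_site_ok(v) for n, v in headers if n.lower() == "set-cookie"]
    return {"cookies": cookies, "frame_ancestors": frame_ancestors_mode(headers)}

if __name__ == "__main__":
    print(diagnose(SAMPLE_HEADERS))
```

Feed it the actual `Set-Cookie` and CSP headers from the browser's network panel to confirm which of the two conditions is present in your tenant's responses.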