Hello, I am building a custom login page for a SPA which uses a backend authentication middleware to obtain a sessionToken. My hope was to use the okta_post_message mechanism with a hidden iframe to set the okta session cookie for my users. It seems though that Okta has stopped allowing iframe embeds (by setting x-frame-options on all responses).
The docs explicitly say in several places that okta_post_message can be used to avoid a redirect. (for example: https://developer.okta.com/docs/guides/session-cookie/overview/#retrieving-a-session-cookie-via-openid-connect-authorization-endpoint)
If not using an iframe, the other two options would be a XHR or a window popup. I don’t imagine anyone will allow popups and the docs for the authroize endpoint explicitly say that XHR is not supported.
So… is there no option to avoid a redirect for a custom login anymore to get an okta session cookie?