IdentityServer antiforgery token bypass
I have an Identity Server instance. One of the applications needs to render the identity server pages (login, forgot password, 2FA window, etc.) in an iframe. The problem is that I use an anti-forgery token that prevents all calls, since the URL differs.
So I'm thinking about having something like a white list of domains that can bypass forgery token validation.
Are there any built-in solutions for that? Or would appreciate advice about how to implement this logic.
3 Replies
That's probably a bad idea; why does this need an iframe?
It's common to redirect with IS to login.
This is a legacy application. And they want to use one of our apps inside their app, and that app requires authentication from our identity server.
Yes, I agree. This is a terrible idea, but this is a requirement from the customer.
You can't share cookies between apps using iframes; X-Frame-Options might be able to help though.
You'll probably still need to deal with having to log in a few times.
You might be able to add the other domain to the cookie on your identity server, if that's an option.
Or maybe your site.
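The last reply points at the two things that actually need changing (who is allowed to frame the pages, and how the cookies are issued) rather than at the antiforgery check itself. The following is an added example, not code from the thread or from IdentityServer: an ASP.NET Core host configuration that keeps antiforgery validation enabled, issues the antiforgery and authentication cookies with `SameSite=None; Secure` so they are sent inside a cross-site iframe, and restricts embedding to a single allowlisted origin. It assumes .NET 6+ minimal hosting, ASP.NET Core Identity for the application cookie, and a placeholder partner origin `https://legacy-app.example`; the `AddIdentityServer` registration and the pages themselves are left out.

```csharp
// Added example (not from the thread or IdentityServer): ASP.NET Core host
// for an IdentityServer instance whose login pages are embedded by one partner.
// Assumptions: .NET 6+ minimal hosting; ASP.NET Core Identity is registered
// elsewhere; https://legacy-app.example is a placeholder partner origin.
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);

// Origins allowed to frame the identity pages. This allowlist controls
// embedding only; it never lets a request skip antiforgery validation.
string[] allowedFrameAncestors = { "https://legacy-app.example" };

// Antiforgery stays on. The usual reason it fails inside a cross-site iframe
// is that the antiforgery cookie is never sent: browsers default cookies to
// SameSite=Lax, which excludes cross-site embedded requests. SameSite=None is
// only honoured together with Secure, so the pages must be served over HTTPS.
builder.Services.AddAntiforgery(options =>
{
    options.Cookie.SameSite = SameSiteMode.None;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
});

// Same treatment for the ASP.NET Core Identity application cookie (assumed
// to be the sign-in cookie here); otherwise the user is signed out again as
// soon as the framed page posts back.
builder.Services.ConfigureApplicationCookie(options =>
{
    options.Cookie.SameSite = SameSiteMode.None;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
});

var app = builder.Build();

app.UseHttpsRedirection();

// Limit framing to the allowlist with CSP frame-ancestors. X-Frame-Options
// can only express DENY or SAMEORIGIN in current browsers (ALLOW-FROM is
// obsolete), so it cannot name a specific third-party origin.
app.Use(async (context, next) =>
{
    var ancestors = string.Join(" ", allowedFrameAncestors);
    context.Response.Headers["Content-Security-Policy"] =
        $"frame-ancestors 'self' {ancestors}";
    await next();
});

app.UseAuthentication();
app.UseAuthorization();

// Login, forgot-password and 2FA actions keep [ValidateAntiForgeryToken].
app.MapDefaultControllerRoute();

app.Run();
```

With this in place the antiforgery token is still generated and validated on every POST; the only change is that the browser is now willing to send the cookie half of the token pair from inside the partner's frame, and only that partner (plus the server's own origin) may host the frame. The trade-off is that `SameSite=None` removes the browser-side cross-site cookie restriction, which makes the server-side antiforgery check more important, not less.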