We are trying to embed Autodesk Forge Viewer with access to BIM 360 Team data in our existing app. We are having trouble with executing the 3-Legged authorisation workflow inside an iframe. Our justification for an iframe instead of a pop-up (window.open()) or redirecting the current window (location.assign()) is the following:

  1. Redirecting the current app window to authorization would disrupt the app workflow. Authorisation on app start is not an option. The Viewer could be required at any point in the existing workflow or not at all, and authorisation should be triggered only just before the Viewer is required.

  2. Opening the authorisation in a new window (pop-up) is disabled by default in many (desktop) browsers. Requiring the user to enable pop-ups is an option, though definitely not user-friendly. Furthermore, multi-window browsing in mobile environments is not always implemented (e.g. in in-app browsers), making this not an option.

Authorisation in an iframe would overcome these shortcomings while providing an easy, unobtrusive and consistent user experience.

We are following the workflow as described in here and here. The login page (2nd link > step 1 > 1st picture) displays fine in the iframe and the user is able to enter his/her Autodesk ID credentials. After that the user is redirected to the OAuth consent page. The consent page (2nd link > step 1 > 2nd picture) is served with the header X-Frame-Options: SAMEORIGIN, which in an iframe obviously fails to load: Refused to display 'https://auth.autodesk.com/as/NH3Mc/resume/as/authorization.ping?opentoken=...' in a frame because it set 'X-Frame-Options' to 'deny'. However, if the user has consented beforehand (e.g. in a separate window), the consent page is skipped and the user is immediately redirected to the provided callback URI along with the authorisation code as desired (response code 302 Found, header Location: callback URI + code).

This raises the question of whether the X-Frame-Options: SAMEORIGIN is by design and deliberate. What is the benefit in this scenario of disabling the OAuth consent page in an iframe while allowing the login page? Would it somehow be possible to disable the header or add an exception for the origin defined in the Autodesk Forge App as Callback URL?

Are we missing any other options to provide unobtrusive and consistent authorisation that would work on desktop as well as mobile platforms?

Jakob
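As an added example (not part of the question or of the Forge documentation), the following JavaScript evaluates, the way a browser does, whether a response may be shown in a frame from a given embedder origin. It shows why X-Frame-Options: SAMEORIGIN cannot carry an exception for the callback origin, and that only a Content-Security-Policy frame-ancestors list set by the identity provider could admit one. The app origin https://app.example.com, the consent-page path and all header values are constructed; function names are this example's own.

```javascript
// Does a response render in a frame whose embedding document lives at embedderOrigin?
// Browser rules for X-Frame-Options (RFC 7034) and the CSP frame-ancestors directive.
function parseOrigin(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Match one frame-ancestors source expression against an embedder origin
// (simplified: explicit default ports such as ":443" are not normalised).
function ancestorSourceMatches(source, embedder, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return embedder === pageOrigin;
  if (src === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return embedder.startsWith(src + "//"); // scheme-only, e.g. "https:"
  const e = new URL(embedder);
  const [scheme, hostPort] = src.includes("://") ? src.split("://") : [e.protocol.slice(0, -1), src];
  if (scheme !== e.protocol.slice(0, -1)) return false;
  const [host, port] = hostPort.split(":");
  const hostOk = host.startsWith("*.") ? e.hostname.endsWith(host.slice(1)) : host === e.hostname;
  return hostOk && (!port || port === "*" || port === e.port);
}

// headers: object keyed by lowercase header name. Returns { allowed, reason }.
function framingDecision(headers, pageUrl, embedderOrigin) {
  const pageOrigin = parseOrigin(pageUrl);
  const embedder = parseOrigin(embedderOrigin);
  const csp = headers["content-security-policy"] || "";
  const fa = csp.split(";").map((d) => d.trim()).find((d) => /^frame-ancestors\b/i.test(d));
  if (fa) { // frame-ancestors is authoritative: browsers then ignore X-Frame-Options entirely
    const sources = fa.split(/\s+/).slice(1);
    const ok = sources.some((s) => ancestorSourceMatches(s, embedder, pageOrigin));
    return { allowed: ok, reason: `CSP ${fa}` };
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, reason: "X-Frame-Options: DENY" };
  if (xfo === "SAMEORIGIN") { // only the page's own origin may frame it; there is no per-origin exception
    const same = embedder === pageOrigin;
    return { allowed: same, reason: `X-Frame-Options: SAMEORIGIN (${embedder} vs ${pageOrigin})` };
  }
  // No header, or a legacy/invalid value such as ALLOW-FROM: Chromium logs a warning and frames the page.
  return { allowed: true, reason: xfo ? `invalid X-Frame-Options ignored: ${xfo}` : "no framing restriction" };
}

// Constructed scenario modelled on the question: SAMEORIGIN consent page framed by the app;
// only a CSP frame-ancestors list set by the provider could admit a specific embedder origin.
const consentUrl = "https://auth.autodesk.com/consent-page-placeholder"; // constructed path
const appOrigin = "https://app.example.com";                            // constructed embedder origin
console.log(framingDecision({ "x-frame-options": "SAMEORIGIN" }, consentUrl, appOrigin));
console.log(framingDecision({ "content-security-policy": "frame-ancestors 'self' https://app.example.com" }, consentUrl, appOrigin));
```

Modern browsers check every ancestor frame's origin, not only the top-level one; the function takes a single embedder origin for brevity.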
  • 3-legged OAuth is disabled in an iframe for security reasons. I don't think you can do much about it at the moment. You should use a redirection. I understand that it can be disruptive but it is the best way to do it. – Felipe Jun 01 '17 at 13:26
  • @PhilippeLeefsma Could you please elaborate or point me in the right direction as to why the consent page is more security sensitive than the login page. As of now the login page works just fine in an iframe, so the user is able to authenticate with his/her Autodesk ID credentials (and if the user has provided consent previously, then the authorization part is skipped and the user is redirected to the callback URL with the authorization code). Shouldn't then the whole process be disabled in an iframe? – Jakob Jun 01 '17 at 15:33
  • Have you solved your problem yet, Jakob? I have the same problem now. Have you found a work-around? – Andreas Jul 10 '17 at 13:03
  • @AndreasLackner Unfortunately no, we haven't found a good solution and I don't think there is much we can do unless Autodesk will change their policy. – Jakob Jul 28 '17 at 07:05

0 Answers