1

I’m building an SPA app, and am using IdentityServer4 for the authentication. I’m using the new API authorization template found in .NET Core 3.0 for Angular.

The template tries to authenticate first using an iframe; if it fails it tries using a popup, and if that fails it tries using redirects. My question is, can I rely only on the silent authentication using the iframe, without a backup method? I mean, the iframe is supported in all browsers and should work on all devices, so why would I implement the popup or the redirect flow?

Yehia A.Salam

1 Answer

1

The iframe method will only work if the user already has a session on the IDP and if any max age conditions are satisfied.

If interactive authentication is needed then a redirect will be necessary.

mackie
  • There are also issues that certain browsers like Firefox are blocking silent auth requests to an iframe. Could be beneficial to your answer. – Vidmantas Blazevicius Sep 15 '19 at 00:18
  • @VidmantasBlazevicius I think that might be related to SameSite being set on the auth cookie. I have had it reported in FF and iOS Chrome though. If the browser is behaving according to spec then it should work provided the auth cookie for your identity server is not set to SameSite = Lax or Strict. – mackie Sep 15 '19 at 11:41
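
The decision described in the answer above, as an added example that is not part of the original posts or of the template's own code: it classifies what a hidden-iframe (`prompt=none`) request returned and says when a redirect is still needed. The function name `classifySilentResult`, the `app.example` origin and the sample state values are assumptions; the error codes are the ones defined in OpenID Connect Core 1.0, section 3.1.2.6.

```javascript
// Added example: classify the result of a silent (prompt=none) authorization request.
const NEEDS_INTERACTION = new Set([
  "login_required",             // end-user authentication is required (no usable session)
  "interaction_required",       // some form of user interaction is required
  "consent_required",
  "account_selection_required",
]);

// callbackUrl: URL the hidden iframe was redirected to, or null if it timed out.
// expectedState: the state value the caller sent with the request.
function classifySilentResult(callbackUrl, expectedState) {
  if (callbackUrl === null) {
    // Nothing came back from the iframe; only an interactive flow can recover.
    return { action: "redirect", reason: "timeout" };
  }
  const url = new URL(callbackUrl);
  // Code flow answers in the query string, implicit flow in the fragment.
  const raw = url.hash.length > 1 ? url.hash.slice(1) : url.search.slice(1);
  const params = new URLSearchParams(raw);

  // Reject responses that do not belong to our request before reading anything else.
  if (params.get("state") !== expectedState) {
    return { action: "reject", reason: "state_mismatch" };
  }
  const error = params.get("error");
  if (error) {
    return NEEDS_INTERACTION.has(error)
      ? { action: "redirect", reason: error }
      : { action: "reject", reason: error };
  }
  if (params.has("code") || params.has("id_token")) {
    return { action: "complete", reason: "session_present" };
  }
  return { action: "reject", reason: "malformed_response" };
}

// Constructed sample callbacks (not captured traffic).
const samples = [
  "https://app.example/silent-callback?code=abc123&state=s1",
  "https://app.example/silent-callback?error=login_required&state=s1",
  "https://app.example/silent-callback#error=interaction_required&state=s1",
  "https://app.example/silent-callback?code=abc123&state=other",
  null,
];
for (const s of samples) console.log(s, classifySilentResult(s, "s1"));
```

A browser that withholds the identity server's cookie from the iframe request shows up here as `login_required` or a timeout, which is why the redirect path has to remain available.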