[Openid-specs-ab] Issue #1038: RP frame / parent frame communication cross-origin (openid/connect)

Filip Skokan issues-reply at bitbucket.org
Sat Aug 4 13:53:43 UTC 2018

New issue 1038: RP frame / parent frame communication cross-origin

Filip Skokan:

I think it would be useful for client implementers to have the following hint in the Session Management 1.0 specification section 4.1 (RP iframe).

> Note that in deployments with multiple subdomains sharing the same RP session it is important that the parent window and RP iframe both set the same `document.domain` to get around same-origin restrictions. This will allow the RP iframe to target the parent window's embedded OP iframe.
> actors:
> `idp.com` - is the identity provider, offers session management and has an OP frame, uses the redirect_uri Origin to form the session_state  
> `www.rp.com` - is the main client content page that wishes to have users logged in  
> `account.rp.com` - is the client that communicates with `idp.com`, the redirect_uri used is from this domain  
> flow:
> 1) user clicks login on `www.rp.com`  
> 2) `www.rp.com` uses `account.rp.com` to trigger oidc authentication flow  
> 3) user logs in at `idp.com`, idp redirects back to `account.rp.com`  
> 4) `account.rp.com` finishes the auth flow and when finished the second level domain gets a global session set by `account.rp.com` so that `www.rp.com` knows there is a user logged in  
> 5) user gets redirected back to the content at `www.rp.com`  
> 6) `www.rp.com` embeds the OP iframe  
> 7) `www.rp.com` sets `document.domain = 'rp.com';`  
> 8) `www.rp.com` embeds the RP iframe from `account.rp.com` that has the session state  
> 9) the RP frame also sets `document.domain = 'rp.com';`  
> The RP iframe targets the embedded OP iframe now without issues and sends messages with the expected Origin and is able to notify the parent window (`www.rp.com`) about any changes or errors.

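The RP iframe side of steps 6 through 9 above, written as an added example that is not part of the issue text or the Session Management specification; the parent window, its document and the OP iframe lookup are injected stand-ins so the logic runs outside a browser, and the client_id, session_state and OP iframe id are constructed values. Assigning to document.domain is deprecated in modern browsers and Chromium ignores it by default since version 115 (origin-keyed agent clusters), so the postMessage path with explicit target origins is the part that still applies unchanged.

```javascript
// Assumed values: only 'rp.com' comes from the issue text; the rest are stand-ins.
const OP_ORIGIN = 'https://idp.com';
const PARENT_ORIGIN = 'https://www.rp.com';
const SHARED_DOMAIN = 'rp.com';     // document.domain value both frames set (steps 7 and 9)
const OP_FRAME_ID = 'op-frame';     // assumed id of the OP iframe embedded in step 6
const OP_REPLIES = new Set(['changed', 'unchanged', 'error']); // replies defined in Session Management 1.0

// Step 9: the RP frame (account.rp.com) relaxes its document.domain to match the parent.
// Without the same value on both sides, touching parent.document throws a SecurityError.
function relaxDomain(doc) {
  doc.domain = SHARED_DOMAIN;
  return doc.domain;
}

// Reach into the parent (www.rp.com) for the OP iframe's window; this DOM access is what
// the shared document.domain makes possible, so verify the parent opted in first.
function findOpWindow(parentWindow) {
  if (parentWindow.document.domain !== SHARED_DOMAIN) {
    throw new Error('parent did not set document.domain; cross-origin DOM access would fail');
  }
  const frame = parentWindow.document.getElementById(OP_FRAME_ID);
  if (!frame) throw new Error('OP iframe not found in parent window');
  return frame.contentWindow;
}

// Section 4.1 check message "<client_id> <session_state>", targeted at the OP origin only.
// The event.origin the OP sees is still https://account.rp.com (document.domain does not
// alter it), i.e. the redirect_uri origin the OP used when it computed session_state.
function sendCheck(opWindow, clientId, sessionState) {
  const msg = `${clientId} ${sessionState}`;
  opWindow.postMessage(msg, OP_ORIGIN);
  return msg;
}

// Accept a reply only from the OP origin and only one of the three defined states,
// then notify the parent page with an explicit target origin.
function onOpReply(event, parentWindow) {
  if (event.origin !== OP_ORIGIN || !OP_REPLIES.has(event.data)) return null;
  parentWindow.postMessage({ type: 'oidc-session', state: event.data }, PARENT_ORIGIN);
  return event.data;
}

// Constructed stand-in for the browser: runs the whole path and returns what each side received.
function demo(reply) {
  const opLog = [], parentLog = [];
  const opWin = { postMessage: (m, o) => opLog.push({ m, o }) };
  const parent = {
    document: { domain: SHARED_DOMAIN, getElementById: id => (id === OP_FRAME_ID ? { contentWindow: opWin } : null) },
    postMessage: (m, o) => parentLog.push({ m, o }),
  };
  relaxDomain({ domain: 'account.rp.com' });
  sendCheck(findOpWindow(parent), 'client-123', 'state-abc');
  onOpReply({ origin: OP_ORIGIN, data: reply }, parent);
  return { opLog, parentLog };
}
```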