Running into x-frame-options issues when running sample Azure AD B2C auth code
up vote
0
down vote
favorite
I am trying to run Microsoft's sample code for implementing Azure AD B2C authentication.
The codebase can be found here:
https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp/blob/master/index.html
I modified the code so as shown in the following gist. The main change is that instead of using the Msal.UserAgentApplication object's loginPopup() method, I am using loginRedirect() (for the better user experience)
https://gist.github.com/ttchuah/6718e268a235a3206968b36d748fd369
Here is what happens when I run the code.
- I see the index.html page as expected.
- I click the login button, get redirected to the Microsoft login page, where I can see the option to do a social login via Google.
- I log in through Google and get redirected back to my index.html page.
At this point, the "authCallback()" function fires.
In Chrome, I get the following console error. Any ideas why?
Refused to display 'https://accounts.google.com/o/oauth2/auth?client_id=903295266285-78au30g3bsmt8q1phvfqqu65c58kp35i.apps.googleusercontent.com&redirect_uri=https%3a%2f%2flogin.microsoftonline.com%2fte%2fdv0dop000devaad000.onmicrosoft.com%2foauth2%2fauthresp&response_type=code&scope=email+profile&state=StateProperties%3deyJTSUQiOiJ4LW1zLWNwaW0tcmM6OGM1YTQwNDQtNGYyYi00ZTJmLTgyMmUtYjU2ZjRkMWU4ZWU2IiwiVElEIjoiMDBmZjUzOTctNjYxZC00NDY4LWFlODktNzlkOThlMmEwMzI0In0' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
The same error does not happen in FireFox or Safari. For those browsers, I am able to get an auth token back without issue.
azure authentication azure-ad-b2c msal x-frame-options asked Nov 11 at 5:23
mangomagic
165
add a comment |
up vote
0
down vote
favorite
I am trying to run Microsoft's sample code for implementing Azure AD B2C authentication.
The codebase can be found here:
https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp/blob/master/index.html
I modified the code so as shown in the following gist. The main change is that instead of using the Msal.UserAgentApplication object's loginPopup() method, I am using loginRedirect() (for the better user experience)
https://gist.github.com/ttchuah/6718e268a235a3206968b36d748fd369
Here is what happens when I run the code.
- I see the index.html page as expected.
- I click the login button, get redirected to the Microsoft login page, where I can see the option to do a social login via Google.
- I log in through Google and get redirected back to my index.html page.
At this point, the "authCallback()" function fires.
In Chrome, I get the following console error. Any ideas why?
Refused to display 'https://accounts.google.com/o/oauth2/auth?client_id=903295266285-78au30g3bsmt8q1phvfqqu65c58kp35i.apps.googleusercontent.com&redirect_uri=https%3a%2f%2flogin.microsoftonline.com%2fte%2fdv0dop000devaad000.onmicrosoft.com%2foauth2%2fauthresp&response_type=code&scope=email+profile&state=StateProperties%3deyJTSUQiOiJ4LW1zLWNwaW0tcmM6OGM1YTQwNDQtNGYyYi00ZTJmLTgyMmUtYjU2ZjRkMWU4ZWU2IiwiVElEIjoiMDBmZjUzOTctNjYxZC00NDY4LWFlODktNzlkOThlMmEwMzI0In0' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
The same error does not happen in FireFox or Safari. For those browsers, I am able to get an auth token back without issue.
azure authentication azure-ad-b2c msal x-frame-options asked Nov 11 at 5:23
mangomagic
165
add a comment |
up vote
0
down vote
favorite
up vote
0
down vote
favorite
I am trying to run Microsoft's sample code for implementing Azure AD B2C authentication.
The codebase can be found here:
https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp/blob/master/index.html
I modified the code so as shown in the following gist. The main change is that instead of using the Msal.UserAgentApplication object's loginPopup() method, I am using loginRedirect() (for the better user experience)
https://gist.github.com/ttchuah/6718e268a235a3206968b36d748fd369
Here is what happens when I run the code.
- I see the index.html page as expected.
- I click the login button, get redirected to the Microsoft login page, where I can see the option to do a social login via Google.
- I log in through Google and get redirected back to my index.html page.
At this point, the "authCallback()" function fires.
In Chrome, I get the following console error. Any ideas why?
Refused to display 'https://accounts.google.com/o/oauth2/auth?client_id=903295266285-78au30g3bsmt8q1phvfqqu65c58kp35i.apps.googleusercontent.com&redirect_uri=https%3a%2f%2flogin.microsoftonline.com%2fte%2fdv0dop000devaad000.onmicrosoft.com%2foauth2%2fauthresp&response_type=code&scope=email+profile&state=StateProperties%3deyJTSUQiOiJ4LW1zLWNwaW0tcmM6OGM1YTQwNDQtNGYyYi00ZTJmLTgyMmUtYjU2ZjRkMWU4ZWU2IiwiVElEIjoiMDBmZjUzOTctNjYxZC00NDY4LWFlODktNzlkOThlMmEwMzI0In0' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
The same error does not happen in FireFox or Safari. For those browsers, I am able to get an auth token back without issue.
azure authentication azure-ad-b2c msal x-frame-options asked Nov 11 at 5:23
mangomagic
165
I am trying to run Microsoft's sample code for implementing Azure AD B2C authentication.
The codebase can be found here:
https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp/blob/master/index.html
I modified the code so as shown in the following gist. The main change is that instead of using the Msal.UserAgentApplication object's loginPopup() method, I am using loginRedirect() (for the better user experience)
https://gist.github.com/ttchuah/6718e268a235a3206968b36d748fd369
Here is what happens when I run the code.
- I see the index.html page as expected.
- I click the login button, get redirected to the Microsoft login page, where I can see the option to do a social login via Google.
- I log in through Google and get redirected back to my index.html page.
At this point, the "authCallback()" function fires.
In Chrome, I get the following console error. Any ideas why?
Refused to display 'https://accounts.google.com/o/oauth2/auth?client_id=903295266285-78au30g3bsmt8q1phvfqqu65c58kp35i.apps.googleusercontent.com&redirect_uri=https%3a%2f%2flogin.microsoftonline.com%2fte%2fdv0dop000devaad000.onmicrosoft.com%2foauth2%2fauthresp&response_type=code&scope=email+profile&state=StateProperties%3deyJTSUQiOiJ4LW1zLWNwaW0tcmM6OGM1YTQwNDQtNGYyYi00ZTJmLTgyMmUtYjU2ZjRkMWU4ZWU2IiwiVElEIjoiMDBmZjUzOTctNjYxZC00NDY4LWFlODktNzlkOThlMmEwMzI0In0' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
The same error does not happen in FireFox or Safari. For those browsers, I am able to get an auth token back without issue.
azure authentication azure-ad-b2c msal x-frame-options azure authentication azure-ad-b2c msal x-frame-options asked Nov 11 at 5:23
mangomagic
165
asked Nov 11 at 5:23
mangomagic
165
asked Nov 11 at 5:23
mangomagic
165
asked Nov 11 at 5:23
mangomagic
165
asked Nov 11 at 5:23
mangomagic
165
165
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
up vote
0
down vote
accepted
The X-Frame-Options header is a security measurement against clickjacking, the thing is, not all browsers have an implementation that takes that header into consideration when processing a returned response (see X-Frame-Options on MDN).
Long story short, Chrome will block any response processing that doesn't have a matching allow-from value in the X-Frame-Options header from rendering in a frame, iframe or object element.
Hope it helps!
answered Nov 11 at 6:12
Itay Podhajcer
1,067212
Thanks. Any idea why Firefox and Safari wouldn't have the same sort of response blocking that Chrome does?
– mangomagic
Nov 12 at 18:53
add a comment |
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
0
down vote
accepted
The X-Frame-Options header is a security measurement against clickjacking, the thing is, not all browsers have an implementation that takes that header into consideration when processing a returned response (see X-Frame-Options on MDN).
Long story short, Chrome will block any response processing that doesn't have a matching allow-from value in the X-Frame-Options header from rendering in a frame, iframe or object element.
Hope it helps!
answered Nov 11 at 6:12
Itay Podhajcer
1,067212
Thanks. Any idea why Firefox and Safari wouldn't have the same sort of response blocking that Chrome does?
– mangomagic
Nov 12 at 18:53
add a comment |
up vote
0
down vote
accepted
The X-Frame-Options header is a security measurement against clickjacking, the thing is, not all browsers have an implementation that takes that header into consideration when processing a returned response (see X-Frame-Options on MDN).
Long story short, Chrome will block any response processing that doesn't have a matching allow-from value in the X-Frame-Options header from rendering in a frame, iframe or object element.
Hope it helps!
answered Nov 11 at 6:12
Itay Podhajcer
1,067212
Thanks. Any idea why Firefox and Safari wouldn't have the same sort of response blocking that Chrome does?
– mangomagic
Nov 12 at 18:53
add a comment |
up vote
0
down vote
accepted
up vote
0
down vote
accepted
The X-Frame-Options header is a security measurement against clickjacking, the thing is, not all browsers have an implementation that takes that header into consideration when processing a returned response (see X-Frame-Options on MDN).
Long story short, Chrome will block any response processing that doesn't have a matching allow-from value in the X-Frame-Options header from rendering in a frame, iframe or object element.
Hope it helps!
answered Nov 11 at 6:12
Itay Podhajcer
1,067212
The X-Frame-Options header is a security measurement against clickjacking, the thing is, not all browsers have an implementation that takes that header into consideration when processing a returned response (see X-Frame-Options on MDN).
Long story short, Chrome will block any response processing that doesn't have a matching allow-from value in the X-Frame-Options header from rendering in a frame, iframe or object element.
Hope it helps!
answered Nov 11 at 6:12
Itay Podhajcer
1,067212
answered Nov 11 at 6:12
Itay Podhajcer
1,067212
answered Nov 11 at 6:12
Itay Podhajcer
1,067212
answered Nov 11 at 6:12
Itay Podhajcer
1,067212
1,067212
Thanks. Any idea why Firefox and Safari wouldn't have the same sort of response blocking that Chrome does?
– mangomagic
Nov 12 at 18:53
add a comment |
Thanks. Any idea why Firefox and Safari wouldn't have the same sort of response blocking that Chrome does?
– mangomagic
Nov 12 at 18:53
Thanks. Any idea why Firefox and Safari wouldn't have the same sort of response blocking that Chrome does?
– mangomagic
Nov 12 at 18:53
Thanks. Any idea why Firefox and Safari wouldn't have the same sort of response blocking that Chrome does?
– mangomagic
Nov 12 at 18:53
add a comment |
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53246074%2frunning-into-x-frame-options-issues-when-running-sample-azure-ad-b2c-auth-code%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
