
Embedding OpenID login page

The login page can be embedded in an <iframe> tag. Set the iframe's src attribute to the authentication endpoint's URL, exactly as you would when redirecting the user to the login page in the normal flow.

Example

<html>
<body>
<h1>Please sign in</h1>
<iframe src="https://the-id-server.com/openid/auth?client_id=1111..."></iframe>
</body>
</html>

Content-Security-Policy

The ID server may have a Content Security Policy configured that makes web browsers refuse to display the site inside an <iframe> tag. The policy is configured on the server in the /etc/oneportal/oneportal.conf file.

Which sites are allowed to embed the ID service is controlled by the frame-ancestors directive of the policy.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

Allow everything

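In this example the frame-ancestors value is *, meaning that any site can embed the ID service. With this value the policy gives the login page no protection against being framed by an untrusted site (clickjacking).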

http.content-security-policy=default-src 'self' 'unsafe-inline' 'unsafe-eval'; \
img-src *; \
frame-src *; \
frame-ancestors *; \
report-uri /csp-report ;

Allow external site to embed

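In this example the policy is frame-ancestors https://example.com, meaning that any page served over https from the host example.com can embed the site. Subdomains such as www.example.com are not covered by this value and must be listed separately.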

http.content-security-policy=default-src 'self' 'unsafe-inline' 'unsafe-eval'; \
img-src *; \
frame-src *; \
frame-ancestors https://example.com; \
report-uri /csp-report ;
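
To check a policy before deploying it, the following added example (not part of the product or its documentation) reads the http.content-security-policy value from oneportal.conf-style text and decides whether a given parent page may frame the ID server. The function names, the sample text and the server URL passed as self_url are assumptions; the matching covers a simplified subset of CSP source expressions and tests a single parent, whereas browsers test every ancestor frame.

```python
import re
from urllib.parse import urlsplit
PORTS = {"http": 80, "https": 443}
HOST_SRC = re.compile(r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?"
                      r"(?P<host>\*|(?:\*\.)?[a-z0-9.-]+)(?::(?P<port>\d+|\*))?(?:/.*)?$", re.I)
# Constructed sample modelled on the "Allow external site to embed" setting above.
SAMPLE_CONF = ("http.content-security-policy=default-src 'self'; \\\n"
               "frame-ancestors https://example.com; \\\nreport-uri /csp-report ;\n")

def policy_from_conf(text, key="http.content-security-policy"):
    """Join backslash-continued lines; return the value of key, or None if missing."""
    for line in re.sub(r"\\\s*\n", " ", text).splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            return value.strip()

def frame_ancestors(policy):
    """Source list of frame-ancestors, or None when the directive is absent."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]

def origin(url):
    u = urlsplit(url)
    return u.scheme, u.hostname or "", u.port or PORTS.get(u.scheme)

def scheme_ok(wanted, actual):  # an http source also matches an https URL
    return wanted == actual or (wanted == "http" and actual == "https")

def source_matches(source, parent, self_url):
    scheme, host, port = origin(parent)
    if scheme not in PORTS or source == "*":
        return scheme in PORTS  # "*" admits any http(s) parent
    if source.lower() == "'self'":
        return origin(self_url) == (scheme, host, port)
    if re.fullmatch(r"[a-z][a-z0-9+.-]*:", source, re.I):  # scheme-source, e.g. https:
        return scheme_ok(source[:-1].lower(), scheme)
    m = HOST_SRC.match(source)
    if not m:  # 'none' and anything unparseable match nothing
        return False
    want = m["host"].lower()
    host_ok = want == "*" or (host.endswith(want[1:]) if want.startswith("*.") else host == want)
    port_ok = m["port"] == "*" or port == int(m["port"] or PORTS[scheme])
    return scheme_ok((m["scheme"] or origin(self_url)[0]).lower(), scheme) and host_ok and port_ok

def allows_embedding(policy, parent, self_url):
    sources = frame_ancestors(policy)  # None: no default-src fallback, so unrestricted
    return sources is None or any(source_matches(s, parent, self_url) for s in sources)
```

A policy that sets only default-src and omits frame-ancestors is reported as allowing every parent, because frame-ancestors does not fall back to default-src.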