Running into x-frame-options issues when running sample Azure AD B2C auth code
I am trying to run Microsoft's sample code for implementing Azure AD B2C authentication.
The codebase can be found here:
https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp/blob/master/index.html
I modified the code as shown in the following gist. The main change is that instead of using the Msal.UserAgentApplication object's loginPopup() method, I am using loginRedirect() (for a better user experience).
https://gist.github.com/ttchuah/6718e268a235a3206968b36d748fd369
Here is what happens when I run the code.
- I see the index.html page as expected.
- I click the login button, get redirected to the Microsoft login page, where I can see the option to do a social login via Google.
- I log in through Google and get redirected back to my index.html page.
At this point, the "authCallback()" function fires.
In Chrome, I get the following console error. Any ideas why?
Refused to display 'https://accounts.google.com/o/oauth2/auth?client_id=903295266285-78au30g3bsmt8q1phvfqqu65c58kp35i.apps.googleusercontent.com&redirect_uri=https%3a%2f%2flogin.microsoftonline.com%2fte%2fdv0dop000devaad000.onmicrosoft.com%2foauth2%2fauthresp&response_type=code&scope=email+profile&state=StateProperties%3deyJTSUQiOiJ4LW1zLWNwaW0tcmM6OGM1YTQwNDQtNGYyYi00ZTJmLTgyMmUtYjU2ZjRkMWU4ZWU2IiwiVElEIjoiMDBmZjUzOTctNjYxZC00NDY4LWFlODktNzlkOThlMmEwMzI0In0' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
The same error does not happen in Firefox or Safari. For those browsers, I am able to get an auth token back without issue.
azure authentication azure-ad-b2c msal x-frame-options
asked Nov 11 at 5:23
mangomagic
1 Answer
accepted
The X-Frame-Options header is a security measure against clickjacking; the thing is, not all browsers have an implementation that takes that header into consideration when processing a returned response (see X-Frame-Options on MDN).
Long story short, Chrome will block any response that doesn't have a matching allow-from value in the X-Frame-Options header from rendering in a frame, iframe or object element.
Hope it helps!
answered Nov 11 at 6:12
Itay Podhajcer
Thanks. Any idea why Firefox and Safari wouldn't have the same sort of response blocking that Chrome does?
– mangomagic
Nov 12 at 18:53
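To make the blocking rule described in the answer concrete, here is an added example (not code from the question, the gist or the MSAL sample) that models the check a browser performs before rendering a response inside a frame, then runs it on the situation from the console error; the SPA origin and the shortened Google URL are constructed for the demo.

```javascript
// Added example, not code from the question, the gist or the MSAL sample.
// A small model of the check a browser makes before rendering a response inside
// a <frame>, <iframe> or <object>: read the response's X-Frame-Options header and
// compare the response origin with the top-level page's origin. All URLs and
// headers below are constructed for the demo.

function parseXfo(headerValue) {
  const value = (headerValue || "").trim();
  const lower = value.toLowerCase();
  if (lower === "deny") return { directive: "DENY" };
  if (lower === "sameorigin") return { directive: "SAMEORIGIN" };
  if (lower.startsWith("allow-from ")) {
    // ALLOW-FROM is obsolete: Chrome never implemented it and ignores the header
    // when it sees it; the supported replacement is CSP "frame-ancestors".
    return { directive: "ALLOW-FROM", origin: new URL(value.slice(11).trim()).origin };
  }
  return { directive: "NONE" }; // absent or unrecognised: no restriction applied
}

// Returns { allowed, reason } for rendering responseUrl inside a frame whose
// top-level document is topUrl. Header names are matched case-insensitively.
function mayRenderInFrame(responseUrl, responseHeaders, topUrl) {
  const framed = new URL(responseUrl).origin;
  const top = new URL(topUrl).origin;
  const entry = Object.entries(responseHeaders)
    .find(([name]) => name.toLowerCase() === "x-frame-options");
  const xfo = parseXfo(entry ? entry[1] : "");
  switch (xfo.directive) {
    case "DENY":
      return { allowed: false, reason: `${framed} set X-Frame-Options to 'deny'` };
    case "SAMEORIGIN":
      if (framed === top) return { allowed: true, reason: "same origin as the top-level page" };
      return { allowed: false,
               reason: `${framed} set X-Frame-Options to 'sameorigin' but the top-level page is ${top}` };
    case "ALLOW-FROM":
      if (xfo.origin === top) return { allowed: true, reason: `allow-from matches ${top}` };
      return { allowed: false, reason: `allow-from ${xfo.origin} does not match ${top}` };
    default:
      return { allowed: true, reason: "no X-Frame-Options restriction" };
  }
}

// The situation from the console error: Google's authorization endpoint answers
// with X-Frame-Options: sameorigin, but it is being loaded in a frame whose
// top-level document is the SPA itself (origin constructed here).
const googleAuthUrl = "https://accounts.google.com/o/oauth2/auth?response_type=code";
const googleHeaders = { "X-Frame-Options": "sameorigin" };
const spaTopUrl = "https://spa.example/index.html";
const verdict = mayRenderInFrame(googleAuthUrl, googleHeaders, spaTopUrl);
console.log(verdict.allowed, verdict.reason); // false
```

This is the decision behind Chrome's "Refused to display ... in a frame" message; a page that must never be framed should also send a Content-Security-Policy with frame-ancestors, which current browsers prefer over X-Frame-Options.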