ADFS 2016 X-Frame-Options to deny


Problem description

I'm using adal.js on my React app (using the react-adal wrapper). I configured my app to work with my ADFS 2016 server (on premise), and the authentication process works fine, but after the ADFS SSO cookie expires, when the client sends the renew token request (in a hidden iframe), the browser shows the following error in the console: refused to display 'https://myadfs/adfs/ls/SAMLRequest=...' in a frame because it set 'X-Frame-Options' to deny.

In order to reauthenticate, the user needs to refresh the page (F5).

Is there any solution / workaround to this problem?

Recommended answer

ADFS <= 2016 does not allow iFrame based logins for any interactive authentication for security reasons. This would have worked if the user did not need to perform an interactive sign-in (either SSO cookie or WIA).

The right pattern (since you are on 2016) is to use OIDC flows to log into the application and use the refresh token to get new access tokens.

Even here you need to handle the refresh token expired case where you will need to store your app context locally (cookie or local cache) and enable a full redirect to ADFS.

ADFS 2019 now has the option where an admin can configure options for which host(s) they allow iFrames by controlling the headers.

Thanks //Sam (Twitter: @MrADFS)
