拒绝显示"login.microsoftonline.com"在< iframe>中在asp.net MVC应用程序中 [英] Refused to display "login.microsoftonline.com" in <iframe> in asp.net MVC app

问题描述

我正在研究一个有两个不同解决方案的项目. " https://example.com"并在其中显示了不同项目的页面，例如"https://example123.com".

I am working on a project where it has two different solutions. "https://example.com" and inside that We have used to display pages of different project say "https://example123.com".

我已经在"https://example123.com"上实现了Azure AD身份验证.项目.因此，一旦到达该URL，AzureAD页就会显示出来以进行身份​​验证.

I have implemented Azure AD authentication on "https://example123.com" project. So once it hits that url, AzureAD page shows up for authentication.

现在，我需要在example.com内部进行相同的身份验证，该工作使用iframe连接到project example123.com项目，但出现问题- login.microsoftonline.com拒绝连接.

Now I required to work the same authentication thing inside example.com which is using iframe to connect to project example123.com but getting issue - login.microsoftonline.com refused to connect.

在控制台上我也收到错误消息-拒绝在框架中显示"https://login.microsoftonline.com/......"，因为它将"X-Frame-Options"设置为"deny"

Also on console i am getting error as - Refused to display 'https://login.microsoftonline.com/......' in a frame because it set 'X-Frame-Options' to 'deny'.

请对此提供帮助.预先感谢.

Please help on this. Thanks in advance.

推荐答案

默认情况下，几乎每个Authorization Server登录屏幕都会拒绝在iframe上呈现，以防止点击劫持.因此，无法在iframe上进行重定向.在Azure中可能有一种允许的方式，但我对此表示怀疑.

Pretty much every Authorization Server login screen will refuse to render on an iframe by default, as a protection against clickjacking. So redirecting on an iframe will not work. There may be a way to allow this in Azure but I kind of doubt it.

不确定是否有适合您的解决方案，这并不是您所要求的.通常，您需要尽早设计安全性.几种可能性:

Not sure if there is a solution in sight for you, and it is not a simple thing you are asking for. As a general rule you need to design for security early. A couple of possibilities:

PART 1

使您的托管域兼容，以使Cookie或令牌(无论您使用的是什么)可以在应用之间共享:

Make your hosting domains compatible along these lines, so that cookies or tokens (what ever you are using) can potentially be shared between the apps:

• https://web.mycompany.com/app1
• https://web.mycompany.com/app2

• https://web.mycompany.com/app1
• https://web.mycompany.com/app2

PART 2

在内部(iframe)应用程序中定义一个用于处理登录的界面.当内部应用程序检测到它正在iframe中运行时，它需要使用一种实现，该实现要求主(主机)应用程序代表其执行登录重定向之类的操作.

Define an interface within the inner (iframe) app for dealing with logins. When the inner app detects that it is running in an iframe it needs to use an implementation that asks the main (host) app to perform things like login redirects on its behalf.

然后，您可能需要在这两个应用程序之间发布cookie(具有整个站点范围)，或者使用postMessage API将令牌发送回iframe应用程序(这样做存在潜在的安全风险).

You may then need to issue a cookie across the 2 apps (with a site wide scope) or use the postMessage API to send tokens back to the iframe app (and there are potential security risks with this).

这篇关于拒绝显示"login.microsoftonline.com"在< iframe>中在asp.net MVC应用程序中的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！