Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Search
Skins
  • Light
  • Brite
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor
  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum
Apps | Demo | Docs | Install
  1. Cloudron Forum
  2. Feature Requests
  3. External site (embeded) OIDC login

External site (embeded) OIDC login

Scheduled Pinned Locked Moved Feature Requests
oidc
4 Posts 3 Posters 95 Views 3 Watching
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • M Offline
    M Offline
    mononym
    wrote last edited by joseph
    #1

    Hello.

    For ease of use I wanted to embed some cloudron apps (Miniflux, Linkwarden, Etherpad) into the nextcloud interface. First, I embed them with the NC external-sites app. Then, I set the frame-ancestors nextcloud.domain.com; in the security settings for each app.

    That all works fine until a user wants to log in to these apps. The apps display correctly, but when hitting the OIDC login button, it is impossible to log in to them.

    Firefox Can’t Open This Page

To protect your security, my.domain.com will not allow Firefox to display the page if another site has embedded it. To see this page, you need to open it in a new window.

    Beeing able to resolve this would also make it possible to embed the Cloudron dashboard as external site to Nextcloud, easily giving access to a repository of all apps as well.

    Thanks.

    1 Reply Last reply
    1
    • J Offline
      J Offline
      joseph
      Staff
      wrote last edited by
      #2

      I guess this is more a feature request, will move it. The OIDC page does not allow itself to be embedded in other pages for security purposes. Is there any other OIDC provider / login provider which allows their page to be embedded in other websites?

      1 Reply Last reply
      0
      • J joseph moved this topic from Nextcloud
      • M Offline
        M Offline
        mononym
        wrote last edited by
        #3

        I honestly don't know, what is the underlying OIDC system of Cloudron ? It is not properly speaking 'embedding', only accepting the login requests from apps which are embedded in another site, all hosted on Cloudron, if that makes sense ?

        1 Reply Last reply
        0
        • nebulonN Offline
          nebulonN Offline
          nebulon
          Staff
          wrote last edited by
          #4

          So currently the login flow pages are served up with content security policy headers to not allow being embedded in another domain/origin. The reason for this is to prevent clickjacking attacks and was explicitly done that way.

          I guess for this we would need a csp setting for the OpenID provider where one can allow specific domains/origins.

          1 Reply Last reply
          2
          Reply
          • Reply as topic
          Log in to reply
          • Oldest to Newest
          • Newest to Oldest
          • Most Votes

          • Login
          • Don't have an account? Register
          • Login or register to search.
          • First post
            Last post
          0
          • Categories
          • Recent
          • Tags
          • Popular
          • Bookmarks
          • Search