Hey, we're using Ory Network with a custom domain ...
# ory-network
g
Hey, we're using Ory Network with a custom domain https://auth.example.dev and want to authenticate pages on a Next.js app served on https://app.example.dev. We have an OAuth2 client set up with Ory and are using `react-oidc-context` to attempt silent sign-ins. However, we are encountering the following CSP issues:
```
[Report Only] Refused to frame '<https://auth.example.dev/>' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".
Refused to display '<https://auth.example.dev/>' in a frame because it set 'X-Frame-Options' to 'deny'.
```
Is there any configuration we're missing to allow the above? Thanks!
p
Hi @gray-shoe-60285 It looks like you are using an iframe. I don't think this is an optimal solution and as the error suggests, we block iframes. Why is it necessary to do a silent request instead of just redirects?
g
Thanks for your response! The iframe may be a misuse of the way we are using `react-oidc-context`, as it seems to be trying to create a hidden iframe. If it's not optimal as you say, we won't pursue this route. We were thinking the silent request would be necessary to refresh the access token from our OAuth client. Our current intention is to use a login flow from Ory Elements to obtain an Ory session cookie, then use this to get an access and refresh JWT from our OAuth client and maintain the session by having the token refreshed. Once we have the tokens from our OAuth client, we would end the session with Ory using a logout flow, but the user would still have access via the access JWT. Is this a recommended approach?
p
I'm not sure what the requirements for your system are, but if you need SSO between multiple clients, then you would create an OAuth flow directly from each app (client) to Ory OAuth, which takes the user through the Account Experience / Custom UI (Ory Identities) for authentication. After this the browser is taken back to the client, where the client then exchanges the access code for an access token. In this case you have direct access to the access token and refresh token, which can be refreshed whenever. Logging out means you need to initiate the logout through the OAuth provider (Ory OAuth).

See refreshing an access token: https://www.ory.sh/docs/oauth2-oidc/refresh-token-grant

See OAuth logout: https://www.ory.sh/docs/oauth2-oidc/oidc-logout
g
Thanks for your reply, that's the approach we want 🙌