# ory-selfhosting
r
I've got some sort of CORS/CSRF issue going on which I don't seem able to fathom out. Hoping someone might be able to help. Self-hosted Hydra and Kratos with our own server-side browser-based login/logout/error UI. One of the things we use OIDC to help with is embedding our own separate webapps (which use the same Ory setup, credentials etc.) into our pages using iframes. In our production environment, everything's in the same domain and this works smoothly. However, our development environment has a different domain from the apps and SSO UI endpoint, and that seems to be causing more problems than expected. I've done quite a few structured tests on different servers with repeated clearing of cookies and this definitely seems to correlate to running in an iframe on a different domain from the page it's embedded in. To be clear:

- page=xyz.com, iframe=xyz.com, sso-ui=xyz.com: Ory login within the iframe works fine
- page=abc.com, iframe=xyz.com, sso-ui=xyz.com: Ory login within the iframe fails

I've pored over the HTTP requests and log files for hours, and I must be missing something. The flow looks like this:

- The app in the iframe redirects the browser to hydra/auth, which redirects to our login UI (login.php?login-challenge...) with a Hydra CSRF cookie when everything's on the same domain, but without one when the page is a different domain.
- login.php redirects to kratos/self-service/login/browser, where in both cases a csrf_token cookie is set and we're redirected back to login.php with a flow id.
- Turning up at login.php?flow..., the same-domain successful setup still has that csrf_token cookie, but the different-domain failure one has lost it.
- login.php makes a server-side API call to kratos/flows to obtain the CSRF token, which with everything in the same domain succeeds, but with the parent page being a different domain fails because (by the look of it) of the lack of an appropriate CSRF cookie.

The action is all taking place within the iframe.
It's clear that cookies are being set differently depending on whether the parent page shares the iframe's domain, but I'm unsure whether this is Ory or the browser, or what to do about it. I imagine the browser, because I can't see how Ory would 'know' about the parent page's domain. We're not trying to do anything cross-site (i.e. between the iframe and the parent page), so I thought the iframe should behave like a discrete browser window in its own right. Obviously not, though. Does anyone know whether there's an extra header or something I need to set, beyond the normal ones we've already got to make the cross-domain iframes show in the first place, either within Ory or on our webserver?
b
Maybe the problem is with cookies... Cookies and iframes are difficult ones to make work... You can at least make it work in subdomains, but I don't know whether you can make it work from one domain to another...
r
Yes, as usual I posted this after hours of struggle, stepped away from the task and came back to it, to find the answer staring me in the face: https://www.ory.sh/docs/security-model. Setting SameSite=None on the cookies would probably solve it, but would also be a really bad idea. So, it looks like we need to either live with it or set up a separate Ory installation for our dev environment.
m
Authentication must not be embedded @rhythmic-noon-42841. Login, registration, MFA and other identity flows must not run inside an iframe! Embedding these flows increases the risk of phishing, session hijacking, and clickjacking. This is why it does not work by design with Ory. Many browsers disallow it as well (I think Safari and Firefox atm?). See also https://www.ory.sh/docs/troubleshooting/iframes