Hi There,
I have an app that is loaded in an iFrame in another app. In this app I am trying to use the silent-renew method but it doesn't seem to be reloading the token once it expires. I do see this error (posted below) when loading the iframe. Not sure if this is a duplicate of #203 but I was wondering if you could provide any advice on what to do with this.
Thanks.
VM750 vendor.js:55708 ERROR DOMException: Blocked a frame with origin "http://localhost:8085" from accessing a cross-origin frame.
at IFrameService.push../node_modules/angular-auth-oidc-client/fesm5/angular-auth-oidc-client.js.IFrameService.getIFrameFromParentWindow (http://localhost:8085/vendor.js:172748:30)
at IFrameService.push../node_modules/angular-auth-oidc-client/fesm5/angular-auth-oidc-client.js.IFrameService.getExistingIFrame (http://localhost:8085/vendor.js:172714:35)
at OidcSecuritySilentRenew.push../node_modules/angular-auth-oidc-client/fesm5/angular-auth-oidc-client.js.OidcSecuritySilentRenew.initRenew (http://localhost:8085/vendor.js:174653:49)
at OidcSecurityService.push../node_modules/angular-auth-oidc-client/fesm5/angular-auth-oidc-client.js.OidcSecurityService.setupModule (http://localhost:8085/vendor.js:175031:42)
at SafeSubscriber._next (http://localhost:8085/vendor.js:176961:39)
at SafeSubscriber.push../node_modules/rxjs/_esm5/internal/Subscriber.js.SafeSubscriber.__tryOrUnsub (http://localhost:8085/vendor.js:213808:16)
at SafeSubscriber.push../node_modules/rxjs/_esm5/internal/Subscriber.js.SafeSubscriber.next (http://localhost:8085/vendor.js:213746:22)
at Subscriber.push../node_modules/rxjs/_esm5/internal/Subscriber.js.Subscriber._next (http://localhost:8085/vendor.js:213689:26)
at Subscriber.push../node_modules/rxjs/_esm5/internal/Subscriber.js.Subscriber.next (http://localhost:8085/vendor.js:213666:18)
at ReplaySubject.push../node_modules/rxjs/_esm5/internal/ReplaySubject.js.ReplaySubject._subscribe (http://localhost:8085/vendor.js:213278:28)
This is a CORS issue
Blocked a frame with origin "http://localhost:8085"
Also, don't use http but https
Greetings Damien
@damienbod Hey, I realize it's saying it's a CORS issue... though... My app is as such: a launcher (localhost:4200) which launches another app in an iframe (localhost:8085). I am not trying to access the launcher (localhost:4200) from the iframe (localhost:8085)... So my guess is, this CORS issue is from the silent-renew iframe (opened inside of localhost:8085)... Though I am not sure why it's causing a CORS issue... Is the silent-renew iframe (opened inside of localhost:8085) trying to grab the top-level parent and instead grabbing the launcher (localhost:4200), or something along those lines? Because when I run the iframe app (localhost:8085) standalone (not in an iframe) then it seems to work fine.
@damienbod The issue seems to be caused by the following function: IFrameService -> getIFrameFromParentWindow... it seems like you check to see if the parent has a silent-renew iframe and if so you would just use that... though the issue is the call to anything on window.parent... will cause a cross-origin error if the parent is not of the same origin... I am trying to find a way to determine if the parent is the same origin before trying to get the iFrame from it... though even trying to get window.parent.location will trigger the same cross-origin error 😭
The fix that I have at the moment would be to wrap the window.parent call in a try/catch and in the catch I just return a null... as per this Stack Overflow post...
Though they were talking about webkit not being able to catch this error, but it is an older post from 2015. I am hoping that it is included now.
Tested in the latest versions of Safari and Chrome and it seems to work.
I cloned your repo and have it in a branch, if you want I can push it up and create a PR...
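The try/catch fix described above, as an added example that is not part of the thread and not the library's own code: it treats a cross-origin parent as "no shared iframe" but catches only the `SecurityError`, so unrelated failures still surface. The window stand-ins, the function names and the element id are all constructed for illustration so the logic runs in Node.

```javascript
// Constructed stand-ins for browser windows; every name here is hypothetical.
function fakeWindow(iframes, parent) {
  const win = {
    document: { getElementById: (id) => iframes[id] || null },
  };
  win.parent = parent || win; // a top-level window is its own parent
  return win;
}

// Mimics a cross-origin parent: touching its DOM throws a SecurityError,
// the DOMException behind "Blocked a frame with origin ...".
function crossOriginParent() {
  return new Proxy({}, {
    get() {
      const err = new Error('Blocked a frame from accessing a cross-origin frame.');
      err.name = 'SecurityError';
      throw err;
    },
  });
}

// Look for a shared iframe in the parent; a cross-origin parent counts as "none".
function parentIFrame(win, id) {
  if (win.parent === win) return null; // not embedded
  try {
    return win.parent.document.getElementById(id);
  } catch (e) {
    // Swallow only the same-origin-policy denial; rethrow real bugs.
    if (e && e.name === 'SecurityError') return null;
    throw e;
  }
}

// Prefer an iframe owned by a same-origin parent, else use our own document.
function existingIFrame(win, id) {
  return parentIFrame(win, id) || win.document.getElementById(id);
}

// Constructed scenario from the thread: app on :8085 embedded by a launcher on :4200.
const ID = 'silent-renew-iframe'; // constructed element id
const embedded = fakeWindow({ [ID]: { owner: 'app-8085' } }, crossOriginParent());
console.log(existingIFrame(embedded, ID)); // falls back to the app's own iframe
```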
@JoellyR this would be great, but I won't have time to test or merge this till after the summer
I sent in the PR for this, I think it was #467... looks like someone merged it?