angulariframeidentityserver4clickjackingimplicit-flow

ClickJacking threat while using hidden iFrames for refreshing tokens in OAUTH Implicit flow


We are developing an Angular 5 based application which uses Secure Auth (https://www.secureauth.com/) as the Identity and Access Control solution. We were planning to use the Implicit Flow. In most of the OAuth Clients we found that hidden iFrames are used to silently refresh the access token .

However by default , Secure Auth IDP would not open in iFrames, the reason given was that it is used to prevent Click Jacking... This prevents us from doing silent refresh. We did not found such issues in Identity Server , Also most of the others like Azure AD , AWS Cognito, Google also recommend the usage of implicit flow.

Just wondering if this is such a threat. Any comments is appreciated.


Solution

  • ClickJacking is only a concern if an "invisible" UI is shown. A silent refresh does not involve a UI (that would be an error).

    That's why in IdentityServer we allow iframing the authorize endpoint - but not the login or consent page e.g.