
"Unable to retrieve OAuth redirect params cookie" in iframe #331

michaeltamaki-okta opened this issue Feb 20, 2020 · 18 comments

@michaeltamaki-okta

Also see this issue in okta-react: okta/okta-oidc-js#675

Steps to reproduce

  • In the classic admin dashboard, enable iframe embedding in Settings -> Customization -> IFrame Embedding
  • Run yarn start and set the client id/issuer. Also, make sure PKCE is true.
  • Create an html file with the app in an iframe (you may need to include the config params in the src url):
<!DOCTYPE html>
<html>
  <head>
    <title>Dashboard iframe</title>
  </head>
  <body>
    <!-- iframe is not a void element: it needs an explicit closing tag -->
    <iframe
      src="http://localhost:8080"
      width="600"
      height="600"
    ></iframe>
  </body>
</html>
  • Open the page in private browsing mode. Attempt to login using redirect.
  • The error shows. The cookie for the redirect params is not set.

GIF

The flow works on v2.11.0 (git checkout okta-auth-js-2.11.0):
[animated GIF: okta-auth-iframe-old]

The flow does not work on master:
[animated GIF: okta-auth-iframe]

@swiftone
Contributor

swiftone commented Feb 21, 2020

Internal ref: OKTA-279242

@swiftone
Contributor

@michaeltamaki-okta - Can you see if the latest version (okta-auth-js 2.13.1) fixes this for you?

@michaeltamaki-okta
Author

@swiftone Tested on 2.12.0 and 2.13.1 and 2.13.1 works! Thank you for the fix!

@masaniamit

Hi @michaeltamaki-okta
I was facing the same issue: Okta was throwing an error when used in an iframe.
The latest fix works for me on Chrome & Firefox, but the issue is still reproducible in the Safari browser.

@sudarsan900

Hi @michaelsisario-okta
Thanks for the fix, but the issue still exists in Safari. Attached a screenshot; I think it will help to understand the issue.

Safari Version- Version 13.0.1 (14608.2.11.1.11)
Angular - 8
"@okta/okta-angular": "^1.4.0"

[screenshot: Untitled]

@swiftone
Contributor

swiftone commented Mar 6, 2020

@sudarsan900 - Thanks for the report. A few questions to help diagnose:

  • Are you running on http or https?
  • What version of auth-js is installed in your node_modules?

@sudarsan900

sudarsan900 commented Mar 6, 2020

> @sudarsan900 - Thanks for the report. A few questions to help diagnose:
>
> * Are you running on http or https?
>
> * What version of auth-js is installed in your node_modules?

@swiftone I am running on https
@okta/okta-auth-js: "^3.0.0",
@okta/okta-angular: "^1.4.0"

Let me know if any other information is required.
Thanks for your quick reply :)

@swiftone
Contributor

swiftone commented Mar 6, 2020

@sudarsan900 - with HTTPS we're not aware of any iframe issues on Safari. The most likely problem is a nested older version of auth-js.

Try removing your node_modules/ and any lock file (yarn.lock or package-lock.json) and reinstalling. Let us know if that resolves the problem or not.

@bdeacon-rh

If I'm understanding the issue correctly, I think we're stuck in a messy spot. We have our own page which uses okta-auth 2.13.2. It runs as an iframe inside salesforce, which we also have integrated with okta. I think Salesforce just picked up the latest version and are now writing that cookie with the new cookie options and that breaks the old version's attempt to read the same cookie. I'm not entirely certain if I'm understanding how that cookie saving and retrieval works, though. Would it make sense that an iframe using an older version of okta-auth might not be able to read a cookie written by the latest version? Is there any workaround short of upgrading to the latest version? I'm mostly thinking about the tradeoff between "fix it quickly" and "make sure we don't destabilize some other part of our code"

@sudarsan900

sudarsan900 commented Mar 7, 2020

@bdeacon-rh exact same scenario for me. We are loading our page under the Salesforce portal using an iframe. @bdeacon-rh if you are correct and a version mismatch is the issue in the Safari browser, then I am sure that the Salesforce portal is still using an older version, whereas our application is using the latest version of okta-auth. Upgrading okta-auth in the Salesforce portal is quite difficult and a lengthy process; the Salesforce portal is entirely managed by another division and requires a lot of approval. I will try to communicate with the Salesforce team to see if they can upgrade okta-auth to the latest, but I am also looking for any sort of workaround which can fix this issue immediately. Also let us know if you have any suggestion or workaround. CC @swiftone @michaeltamaki-okta

@bdeacon-rh

bdeacon-rh commented Mar 9, 2020

@sudarsan900 I think the issue is actually that salesforce updated to latest and it breaks any iframe not using the latest. The timing for us was that the issue started for our users literally within minutes of the release of okta-auth-js, so my theory is that Salesforce releases very rapidly and an aggressive versioning in their npm package immediately upgraded to that latest version.

@aarongranick-okta
Contributor

@sudarsan900 @bdeacon-rh The OAuth redirect params cookie is set before a redirect to Okta and read on the login callback. It should not be shared between apps or accessed in any way outside of the login redirect flow. We assume that the login callback is being handled by the same app (and therefore the same version of okta-auth-js, with the same configuration) that initiated the login redirect. The entire flow should be able to complete within an iframe as long as your app is running on HTTPS.

I assume your application is running on different domain from the Salesforce portal. If so, it should not be accessing these cookies which would be set on your application's domain.

@masaniamit If the issue is only on Safari, please make sure that 3rd party cookies are allowed: https://support.apple.com/guide/safari/manage-cookies-and-website-data-sfri11471/mac

@mrchess

mrchess commented Mar 17, 2020

I ran into an issue like this lately.

While I don't have a solution to your problem, I wanted to add for anyone who gets here by searching, that this issue appeared for me in my latest Chrome Version 80.0.3987.132 (Official Build) (64-bit), and I was on okta-auth-js@2.13.1.

But upgrading my library to 2.13.2 resolved the issue for some reason. Thanks.

@nharrisanalyst

Okta needs a whole page to troubleshoot "AuthSdkError: Unable to retrieve OAuth redirect params cookie".

It is such a common error, with so many issues here, and if you google the error there are tons of questions on Stack Exchange but absolutely no help on the Okta website??

@swiftone
Contributor

@mrchess - Correct, 2.13.1 contained a change that attempted to handle Chrome 80 changes but introduced problems :(. These were fixed in 2.13.2. You can see the GitHub releases ( https://github.com/okta/okta-auth-js/releases ) for more info, or check the CHANGELOG.md file.

@swiftone
Contributor

@nharrisanalyst - Are you having this issue? Can you provide any details? (If it isn't in an iframe, please do so on a new GH issue.)

@swiftone
Contributor

swiftone commented Apr 3, 2020

Closing this issue as presumably fixed (though iframe support requires HTTPS as a matter of browser policy, nothing we can do there).

If anyone encounters similar problems with iframes, please open a new issue with details and possibly reference this one in it.
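Added example (editor's illustration, not okta-auth-js code and not written by any commenter): a small model of the browser cookie rules behind the two explanations above, aarongranick-okta's note that the redirect params cookie is set before the redirect and read back on the callback by the same framed app, and swiftone's remarks that the Chrome 80 change and the HTTPS requirement decide whether that works in an iframe. The cookie name, the state/nonce values and the `app.example` host are constructed; the context flags (`scheme`, `crossSiteFrame`, `thirdPartyCookiesBlocked`) are assumptions that stand in for the real browser state.

```javascript
// Added example, not okta-auth-js code. Models why a cookie written before
// the login redirect may be unreadable on the callback inside an iframe.

const COOKIE_NAME = 'oauth-redirect-params'; // constructed name, not the library's

// Parse "name=value; Attr; Attr=val" into { name, value, secure, sameSite }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=');
    if (key.toLowerCase() === 'secure') cookie.secure = true;
    if (key.toLowerCase() === 'samesite') cookie.sameSite = val.toLowerCase();
  }
  return cookie;
}

// ctx describes the page running the SDK (assumed flags):
//   scheme: 'http' | 'https'
//   crossSiteFrame: true when the app is framed by a different site
//   thirdPartyCookiesBlocked: true when the browser refuses all cookies in
//     cross-site frames (e.g. Safari with cross-site tracking prevention)
function storeCookie(jar, header, ctx) {
  const c = parseSetCookie(header);
  if (c.secure && ctx.scheme !== 'https') {
    return { stored: false, reason: 'Secure cookie rejected on http origin' };
  }
  if (c.sameSite === 'none' && !c.secure) {
    return { stored: false, reason: 'SameSite=None without Secure rejected (Chrome 80 rule)' };
  }
  if (ctx.crossSiteFrame) {
    if (ctx.thirdPartyCookiesBlocked) {
      return { stored: false, reason: 'third-party cookies blocked by browser setting' };
    }
    // Chrome 80 treats a missing SameSite attribute as Lax; Lax and Strict
    // cookies are not accessible from a cross-site frame.
    if ((c.sameSite || 'lax') !== 'none') {
      return { stored: false, reason: `SameSite=${c.sameSite || 'Lax (default)'} not usable in cross-site frame` };
    }
  }
  jar.set(c.name, c);
  return { stored: true, reason: 'ok' };
}

// Reading applies the same cross-site restriction as writing.
function readCookie(jar, name, ctx) {
  const c = jar.get(name);
  if (!c) return undefined;
  if (ctx.crossSiteFrame && (ctx.thirdPartyCookiesBlocked || (c.sameSite || 'lax') !== 'none')) {
    return undefined;
  }
  return c.value;
}

// The flow: the app stores the cookie, redirects to the IdP, returns to its
// callback in the same frame and reads the cookie back.
function redirectParamsRoundTrip(ctx, cookieAttrs) {
  const jar = new Map();
  const params = {                                  // constructed sample values
    state: 'constructed-state',
    nonce: 'constructed-nonce',
    redirectUri: `${ctx.scheme}://app.example/login/callback`,
  };
  const header = `${COOKIE_NAME}=${encodeURIComponent(JSON.stringify(params))}; ${cookieAttrs}`;
  const set = storeCookie(jar, header, ctx);
  if (!set.stored) return { ok: false, reason: set.reason };
  const raw = readCookie(jar, COOKIE_NAME, ctx);
  if (raw === undefined) return { ok: false, reason: 'Unable to retrieve OAuth redirect params cookie' };
  return { ok: true, params: JSON.parse(decodeURIComponent(raw)) };
}

const CROSS_SITE_ATTRS = 'SameSite=None; Secure'; // what a cross-site frame needs
const LEGACY_ATTRS = '';                          // no SameSite/Secure attributes

function runScenarios() {
  return {
    httpsFramed: redirectParamsRoundTrip({ scheme: 'https', crossSiteFrame: true }, CROSS_SITE_ATTRS),
    httpFramed: redirectParamsRoundTrip({ scheme: 'http', crossSiteFrame: true }, CROSS_SITE_ATTRS),
    legacyFramed: redirectParamsRoundTrip({ scheme: 'https', crossSiteFrame: true }, LEGACY_ATTRS),
    httpTopLevel: redirectParamsRoundTrip({ scheme: 'http', crossSiteFrame: false }, LEGACY_ATTRS),
    safariBlocked: redirectParamsRoundTrip(
      { scheme: 'https', crossSiteFrame: true, thirdPartyCookiesBlocked: true }, CROSS_SITE_ATTRS),
  };
}

console.log(runScenarios());
```

The scenarios line up with the thread: an HTTPS app framed cross-site with `SameSite=None; Secure` completes the round trip; the same app on `http://localhost` in a frame cannot store a `Secure` cookie at all; a cookie written without the new attributes is invisible in a cross-site frame once the browser defaults to Lax; and a browser that blocks third-party cookies outright fails regardless of attributes, which is the Safari case.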

@swiftone swiftone closed this as completed Apr 3, 2020