Stream: smart
Topic: Embedding Authorization Page in an IFrame
Josh Lamb (Jun 09 2021 at 20:24):
I believe that most authorization servers will block the login page from being embedded into an iFrame, for security reasons. I see a guide on smarthealthit on how to embed the authorization page into a "custom popup", rather than using a new tab: http://docs.smarthealthit.org/client-js/targets.html.
Do we have any best practices or guidance on embedding authorization pages within a single-page application? The user experience of a new tab opening can cause issues, but I realize that a new tab/window allows the user to ensure they are entering credentials into the correct location and helps protect against clickjacking. Is there a way to achieve a similar effect, in a secure way? The OAuth guidance I found states that a new tab/window is best practice.
Josh Mandel (Jun 09 2021 at 20:27):
From a security perspective, EHRs should for sure prevent their login screens from being embedded in an iframe. Otherwise, how can the user tell if it's legit? No URL bar, no lock icon, etc.
Josh Lamb (Jun 09 2021 at 20:27):
Thanks, I agree, but wanted to make sure I was not missing another approach that was not more secure. I am not much of a UI developer!
Last updated: Apr 12 2022 at 19:14 UTC