
X-Frame-Options: SAMEORIGIN prevents use of check_session_iframe

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.5.0
    • Fix Version/s: 6.5.0, 6.0.1, 5.5.2
    • Component/s: OpenID Connect
    • Labels:
      None
    • Support Ticket IDs:
    • Needs QA verification:
      Yes

      Description

      Bug description

      A relying party wants to build support for OIDC Session Management as per this spec: https://openid.net/specs/openid-connect-session-1_0.html#rfc.section.4.2

      To do so, they are instructed by the spec to operate as follows:
      > The RP also loads an invisible OP iframe into itself from the OP's check_session_iframe.

      The check_session_iframe is a URL returned from the OIDC discovery document. In AM's case, it is something like this:

      check_session_iframe : "http://am:80/openam/oauth2/connect/checkSession"

      However it is currently impossible to load this URL in an invisible OP iframe, because AM responds with the header "X-Frame-Options:SAMEORIGIN". Given that this particular feature is designed exclusively to operate in the context of a frame, this header is inappropriate and should be removed.

      How to reproduce the issue

      Enable the OAuth2 Provider service and call /openam/oauth2/connect/checkSession. Note the presence of the X-Frame-Options:SAMEORIGIN response header.

      Expected behaviour

      No X-Frame-Options:SAMEORIGIN header.
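Added example, not code from OpenAM or this issue: a small Python checker that reads check_session_iframe from an OP's discovery document and reports whether the X-Frame-Options header on that endpoint would stop an RP at a given origin from framing it, which is exactly the SAMEORIGIN case described above. The issuer URL and RP origin are command-line arguments and are assumptions; only X-Frame-Options is evaluated, not a CSP frame-ancestors directive.

```python
import json
import sys
from urllib.parse import urlsplit
from urllib.request import urlopen

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Browser-style origin of a URL: scheme://host[:port], default port dropped."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), (parts.hostname or "").lower(), parts.port
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def check_session_iframe_url(discovery_json):
    """Pull check_session_iframe out of an OIDC discovery document (JSON text)."""
    doc = json.loads(discovery_json)
    if "check_session_iframe" not in doc:
        raise ValueError("OP does not advertise check_session_iframe")
    return doc["check_session_iframe"]


def framing_blocked(headers, iframe_url, rp_url):
    """Decide from X-Frame-Options whether a page at rp_url may embed iframe_url.
    Returns (blocked, reason). Header names are matched case-insensitively.
    Only X-Frame-Options is evaluated; a CSP frame-ancestors directive, if
    present, takes precedence in browsers and is not considered here."""
    xfo = next((v for k, v in headers.items() if k.lower() == "x-frame-options"), None)
    if xfo is None:
        return False, "no X-Frame-Options header: framing allowed"
    xfo = xfo.strip().upper()
    if xfo == "DENY":
        return True, "X-Frame-Options: DENY forbids framing from any origin"
    if xfo == "SAMEORIGIN":
        if origin_of(iframe_url) == origin_of(rp_url):
            return False, "SAMEORIGIN, but the RP shares the OP's origin"
        return True, "SAMEORIGIN: a cross-origin RP cannot load the OP iframe"
    return True, f"non-standard value {xfo!r}: flagged for manual review"


if __name__ == "__main__":
    # usage: python check_frame.py <issuer URL> <RP origin>   (both are assumptions)
    issuer, rp = sys.argv[1], sys.argv[2]
    with urlopen(issuer.rstrip("/") + "/.well-known/openid-configuration") as resp:
        iframe_url = check_session_iframe_url(resp.read().decode())
    with urlopen(iframe_url) as resp:
        blocked, reason = framing_blocked(dict(resp.headers.items()), iframe_url, rp)
    print(f"{iframe_url}: {'BLOCKED' if blocked else 'ok'} ({reason})")
```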

            People

            • Assignee: Joe Starling (joe.starling)
            • Reporter: Jake Feasel (jake.feasel)
            • Votes: 0
            • Watchers: 5
