Using my own identity server causes X-Frame-Options 'sameorigin' errors about sample-angular-oauth2-oidc-with-auth-guards HOT 4 CLOSED

I'm supposing you run the example on origin localhost:4200?

For the silent refresh, a hidden iframe is loaded with that URL you've shown. Its origin is cds-identity.rdeadmin.waters.com:50333. It seems (from the error you post) that it sets:

X-Frame-Options: sameorigin

By this the Identity Server indicates that the identity/connect/authorize?... location can only be loaded in an iframe by a website loaded from the same origin. See also these docs.

So your hunch is correct, you need to reconfigure your Identity Server to allow at least that specific route to be loaded from other domains (so with no X-Frame-Options set).

Typically, it would make sense if an Identity Server does set that option for connect/authorize normally, but not when ?...&prompt=none is included. You haven't mentioned what you use for your IDS, but I'd check there first.

from sample-angular-oauth2-oidc-with-auth-guards.

Please let me know if that clears things up, and whether we can close the issue for now? (Or you could close it yourself if you like.)

from sample-angular-oauth2-oidc-with-auth-guards.

Thanks for responding. Actually it confuses me a bit more. I guess let me explain how I got here. I downloaded and am using the angular-oauth2-oidc package to start using an identity server (it was written by someone in my company I believe) and was able to successfully login using the IDS. However, when changing code on the fly in Visual Studio Code and/or hitting refresh on my SPA my app gets hung and the UI is not responsive and doesn't redraw. I thought it might be a silent refresh problem so I tried to put those options in to no avail. Then I found your test app and am trying that and that is when I ran into the error above. So to make things easier to debug, I created a test app which did similar things that my normal app does and that is where I am seeing the problem. I can run the test app 2 ways, the way I configured it in my SPA and your way (only changing the way oauth2 is initialized and the auth guards. Is there any way I can zip that up send it to you so you can try it and help me debug the problem? Thanks!

from sample-angular-oauth2-oidc-with-auth-guards.

Hmmm, now I am slightly confused. In your last comment you wrote:

when changing code on the fly in Visual Studio Code and/or hitting refresh on my SPA my app gets hung and the UI is not responsive and doesn't redraw

But in your original post you only mention "sameorigin" problems, which is something else entirely?

Regarding sending a zip for debugging assistance, I'm afraid you'll have to turn towards colleagues, friends, consultants, or debugging some more yourself. Alternatively, you could try to make a minimal repro of the entire thing, and post a question on Stack Overflow.

I myself unfortunately have limited time, and want to keep this repo really to itself. So unless there's a bug/issue left over with this repo, I'm going to close the issue.

Good luck with getting your setup to work!

from sample-angular-oauth2-oidc-with-auth-guards.