DEV Community

Cover image for WebAuthn & iframes Integration for Cross-Origin Authentication
Corbado profile image vdelitz
vdelitz for Corbado

Posted on • Originally published at corbado.com

WebAuthn & iframes Integration for Cross-Origin Authentication

#iframe #webdev #webauthn #passkeys

Introduction: Leveraging Passkeys in iframes

Passkeys offer a superior solution for user authentication, enhancing both security and user experience. A critical aspect of modern web development involves using iframes to embed content from various sources. This article explores how to effectively integrate passkeys within iframes, focusing on cross-origin iframes, to create a seamless login experience.

Read Full Blog Post Here

Types of iframes and Their Roles

Understanding the different types of iframes is essential for implementing passkeys effectively. Here are the primary types:

  1. Basic iframe: Embeds content from another URL within the current page.
  2. Responsive iframe: Adjusts its size based on the screen or container, ensuring a good appearance on all devices.
  3. Secure iframe (Sandboxed iframe): Restricts actions within the iframe for enhanced security.
  4. Cross-Origin iframe: Embeds content from a different domain, often used for integrating third-party services like payment gateways.

How iframes Support Passkeys

Integrating passkeys within iframes introduces both capabilities and constraints. The Web Authentication API, crucial for passkeys, historically had limitations with cross-origin iframes due to security concerns. Recent advancements, however, have made it possible to perform both registration and authentication within cross-origin iframes under certain conditions.

Login with Passkeys in Cross-Origin iframes

Login operations via cross-origin iframes are now supported across most major browsers, making it feasible to authenticate users seamlessly without redirects or pop-ups.

Create Passkeys in Cross-Origin iframes

While login operations are broadly supported, creating passkeys in cross-origin iframes is still catching up in browser support. Chrome, Firefox, and Safari have begun to support this feature, with more comprehensive support expected as WebAuthn Level 3 specification is adopted by all major browsers by the end of 2024.

Use Cases for Passkeys in iframes

Two significant use cases highlight the importance of passkeys in cross-origin iframes:

  1. Federated Identity: Organizations with multiple domains can allow users to log in across different sites using a single passkey, simplifying user management and enhancing security.
  2. Payments: Seamless payment processes can be achieved by integrating bank authentication within a merchant's website through cross-origin iframes, enhancing user experience and security. eee ## Benefits of Using Passkeys in iframes

Embedding passkeys within iframes offers several advantages:

  • Enhanced User Experience: Eliminates the need for pop-ups or redirects, providing a smoother, less disruptive user experience.
  • Improved Security: Ensures secure transactions and user verification across different domains.

Step-by-Step Guide to Implementing Passkeys in iframes

To implement passkeys in iframes effectively, follow these steps:

  • Define Allow Attribute: Configure the iframe to allow publickey-credentials-get and publickey-credentials-create. 
<iframe src="https://passkeys.eu" allow="publickey-credentials-get; publickey-credentials-create"></iframe>
Enter fullscreen mode Exit fullscreen mode
  • Set Permission Policy: Include the relevant Permissions-Policy in your HTTP response headers. 
Permissions-Policy: publickey-credentials-get=*, publickey-credentials-create=*
Enter fullscreen mode Exit fullscreen mode
  • Handle User Activation: Ensure that the iframe content requires a user action to trigger authentication. 
document.getElementById('loginPasskeyButton').addEventListener('click', async () => {
    try {
        const publicKeyCredentialRequestOptions = { /* Configuration options */ };
        const credential = await navigator.credentials.get({ publicKey: publicKeyCredentialRequestOptions });
        // Handle the created credential
    } catch (err) {
        console.error('Error authenticating via passkey:', err);
    }
});
Enter fullscreen mode Exit fullscreen mode
  • Example Implementation: Use a sample HTML and JavaScript setup to integrate passkeys within a cross-origin iframe.

Common Challenges and Solutions

  1. Permission Policy Configuration: Ensure correct settings for allow attributes and HTTP headers.
  2. Browser Compatibility: Test across multiple browsers and implement specific fixes as needed.
  3. Cross-Origin iframe Issues with Safari: Be aware of Safari's limitations with cross-origin iframes and avoid third-party cookies.

Conclusion

Integrating passkeys within iframes enhances security and user experience, offering a seamless authentication process. By understanding the types of iframes and following a structured implementation guide, developers can leverage this technology effectively.
Find out more on Passkeys & iframes: How to Create & Login with a Passkey.

Top comments (0)

Read next

sandeepseeram profile image

What is a Slowloris attack?

Sandeep Kumar Seeram -

queryhub profile image

Unlocking the Power of NoSQL in the Cloud: Breaking Free from Relational Constraints

Query Hub -

vincod profile image

Introduction to Object-Oriented Programming (OOP) in Python

Odipo Otieno -

jankapunkt profile image

MeteorJS 3.0 major impact estimated for July 2024 ☄️ - here is all you need to know 🧐

Jan Küster -