Can I embed the authorisation flow in an iFrame?

It is not possible to embed either the Codat link site or individual platform authorisation pages within an iFrame.

Reason One - Security Best Practice

The majority of integrations Codat supports use OAuth as the authorisation mechanism, and the OAuth specification recommends against allowing iFrames.

The OAuth 2 spec section 10.13 states that "native applications should use external browsers instead of embedding browsers within the application when requesting end-user authorization".

As the specification explains, the reason is to prevent a clickjacking attack:

"In a clickjacking attack, an attacker registers a legitimate client and then constructs a malicious site in which it loads the authorization server's authorization endpoint web page in a transparent iframe overlaid on top of a set of dummy buttons which are carefully constructed to be placed directly under important buttons on the authorization page."

Reason Two - It isn't widely supported

Some of the third-party platforms Codat integrates with will not allow their authorisation page to be rendered in an iFrame, for the security reasons described above. To ensure a consistent developer and user experience, Codat has extended this restriction across all the integrations we support.

By restricting the use of iFrames, Codat also shields production apps from breaking when third parties enforce the iFrame restriction. This was the case when Intuit started preventing the use of iFrames in 2016.
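Platforms typically enforce this restriction with response headers: the `X-Frame-Options` header that section 10.13 of the OAuth 2 spec mentions, and the CSP `frame-ancestors` directive. The sketch below is an added example, not Codat's code or part of the original page; the function name, the sample headers and the `example.com` / `example.net` origins are constructed for illustration. It reports whether a given origin would be allowed to frame a page.

```javascript
// Added example: decide whether a response's headers let `embedderOrigin` frame the page.
// Simplified: frame-ancestors handling covers 'none', 'self', '*' and exact origins only.
function framingDecision(headers, pageUrl, embedderOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const pageOrigin = new URL(pageUrl).origin;

  // CSP frame-ancestors takes precedence over X-Frame-Options when both are sent.
  const csp = h['content-security-policy'] || '';
  const directive = csp.split(';').map(d => d.trim().split(/\s+/))
    .find(parts => parts[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    // An empty source list behaves like 'none': nothing matches, framing is blocked.
    const allowed = directive.slice(1).some(src => {
      const s = src.toLowerCase();
      if (s === "'none'") return false;
      if (s === '*') return true;
      if (s === "'self'") return embedderOrigin === pageOrigin;
      try { return new URL(src).origin === embedderOrigin; } catch { return false; }
    });
    return { allowed, by: 'frame-ancestors' };
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, by: 'x-frame-options' };
  if (xfo === 'SAMEORIGIN') {
    return { allowed: embedderOrigin === pageOrigin, by: 'x-frame-options' };
  }
  // No recognised framing header: the page can be framed by anyone.
  return { allowed: true, by: 'none' };
}

// Constructed sample responses (not captured from any real platform).
const SAMPLES = {
  denyAll: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  sameOriginOnly: { 'X-Frame-Options': 'SAMEORIGIN' },
  partnerOnly: {
    'Content-Security-Policy': 'frame-ancestors https://app.example.com',
    'X-Frame-Options': 'DENY',
  },
};
const PAGE = 'https://auth.example.net/authorize'; // hypothetical authorisation page
console.log(framingDecision(SAMPLES.denyAll, PAGE, 'https://app.example.com'));
```

A result of `allowed: false` for your own origin means an iFrame embed of that page will render blank, which is why the redirect or new-window approach is required.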

What should I do instead?

The Codat system supports the registration of a post-authorisation redirect URL. This allows you to redirect the user to the third party for authorisation and bring them back to your site with state information once complete.

Alternatively, open a new browser window rather than using an iFrame.

