Add support for setting X-FRAME-OPTIONS and CSP #9712
Labels: enhancement (New feature or request)
Comments
It would be a really good option if we could control X-Frame-Options. I tried to fix my app's refresh for a few hours, but only now realize this is authentik trouble. As a temporary solution for Chrome, this extension works for me. UPD: For me, increasing the time in the provider setting makes life much better.
Is your feature request related to a problem? Please describe.
When doing silent refresh with oidc-client-ts authentik returns X-FRAME-OPTIONS: deny, making it impossible to refresh a token.
Since the access_token lifetime is by default very short (5 min), this leads to authentik not being usable.
Describe the solution you'd like
Add X-FRAME-OPTIONS and Content Security Policy settings.
Describe alternatives you've considered
Not using authentik.
Additional context
oidc-client-ts does silent renew in an iframe, as does keycloak-js and likely other oidc clients.
Forcing a user to hit the login button every 5 minutes is not acceptable, increasing the token lifetime likewise isn't.
Authentik already does too much magic with CORS and redirect_uri binding.
Add the possibility to set custom X-FRAME-OPTIONS and CSP.
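The failure the issue describes, as an added example that is not part of the original issue and not authentik's or oidc-client-ts's own code. A silent renew loads the IdP's authorization endpoint with `prompt=none` in a hidden iframe, so whatever page the IdP renders in that frame must be frameable by the SPA's origin; `X-Frame-Options: deny` on that response is what blocks it. The code below models the browser's framing decision (X-Frame-Options, and CSP `frame-ancestors`, which takes precedence when both are present) and runs it against the header set the issue complains about and a configurable alternative that admits one trusted SPA origin without reopening clickjacking of the login flow for arbitrary sites. The origins, header values, client id and `/authorize` path are constructed for illustration; scheme matching is strict (the CSP spec additionally lets an `http:` source match an `https:` page) and IPv6 host sources are not handled.

```javascript
// Added example (not authentik's or oidc-client-ts's code): models the decision a
// browser makes before rendering an IdP response inside an <iframe>, the place
// where a prompt=none silent renew runs. All origins and headers are constructed.

const DEFAULT_PORT = { 'https:': '443', 'http:': '80' };

// HTTP header names are case-insensitive (the issue writes X-FRAME-OPTIONS).
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Return the frame-ancestors source list from a CSP value, or null if absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1);
    }
  }
  return null;
}

function effectivePort(url) {
  return url.port || DEFAULT_PORT[url.protocol] || '';
}

// Match one frame-ancestors source expression against the embedding page's
// origin: 'none', 'self', '*', scheme-only ("https:") and host sources with an
// optional "*." label and port. Scheme matching is strict (simplification).
function sourceMatches(source, pageOrigin, idpOrigin) {
  const src = source.toLowerCase();
  const page = new URL(pageOrigin);
  if (src === "'none'") return false;
  if (src === "'self'") return pageOrigin === idpOrigin; // 'self' is the IdP's own origin
  if (src === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return page.protocol === src;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(?:\/.*)?$/.exec(src);
  if (!m) return false;
  const [, schemeOpt, wildcard, host, portOpt] = m;
  const scheme = schemeOpt ? `${schemeOpt}:` : page.protocol;
  if (scheme !== page.protocol) return false;
  const pagePort = effectivePort(page);
  const srcPort = portOpt === '*' ? pagePort : (portOpt || DEFAULT_PORT[scheme] || '');
  if (srcPort !== pagePort) return false;
  return wildcard ? page.hostname.endsWith(`.${host}`) : page.hostname === host;
}

// May a response carrying these headers be rendered in a frame owned by
// pageOrigin? Per CSP Level 3 a frame-ancestors directive, when present,
// takes precedence and X-Frame-Options is ignored.
function framingAllowed(responseHeaders, pageOrigin, idpOrigin) {
  const h = normalizeHeaders(responseHeaders);
  const ancestors = frameAncestors(h['content-security-policy']);
  if (ancestors !== null) {
    const allowed = ancestors.some((s) => sourceMatches(s, pageOrigin, idpOrigin));
    return { allowed, reason: `frame-ancestors ${ancestors.join(' ')}` };
  }
  const xfo = (h['x-frame-options'] || '').toLowerCase();
  if (xfo === 'deny') return { allowed: false, reason: 'X-Frame-Options: deny' };
  if (xfo === 'sameorigin') {
    return { allowed: pageOrigin === idpOrigin, reason: 'X-Frame-Options: sameorigin' };
  }
  // No header, or a value current browsers do not honour (e.g. ALLOW-FROM).
  return { allowed: true, reason: xfo ? `X-Frame-Options "${xfo}" not honoured` : 'no framing restriction' };
}

// Silent renew reduced to its framing decision: build the prompt=none
// authorization request the SPA loads in a hidden iframe, then ask whether
// the IdP's response may be shown there. "/authorize" is a placeholder path.
function silentRenew(pageOrigin, idpOrigin, idpHeaders, clientId, silentRedirectUri) {
  const url = new URL('/authorize', idpOrigin);
  url.search = new URLSearchParams({
    client_id: clientId, response_type: 'code', scope: 'openid',
    redirect_uri: silentRedirectUri, prompt: 'none',
  }).toString();
  return { authorizeUrl: url.toString(), ...framingAllowed(idpHeaders, pageOrigin, idpOrigin) };
}

// Constructed scenario: SPA at app.example.com, IdP at auth.example.com.
const APP_ORIGIN = 'https://app.example.com';
const IDP_ORIGIN = 'https://auth.example.com';

// What the issue reports: the IdP's response to the iframe is sent with deny.
const HEADERS_DENY = { 'X-Frame-Options': 'deny' };

// What the issue asks to be configurable: the IdP may be framed by its own pages
// and by one trusted SPA origin only, never by arbitrary sites. X-Frame-Options
// stays as a fallback for browsers without frame-ancestors support.
const HEADERS_ALLOW_APP = {
  'Content-Security-Policy': "frame-ancestors 'self' https://app.example.com",
  'X-Frame-Options': 'sameorigin',
};

for (const [label, headers] of [['deny', HEADERS_DENY], ['allow app', HEADERS_ALLOW_APP]]) {
  const r = silentRenew(APP_ORIGIN, IDP_ORIGIN, headers, 'spa', `${APP_ORIGIN}/silent-renew.html`);
  console.log(`${label}: allowed=${r.allowed} (${r.reason})`);
}
```

Run with `node`: the first scenario reports `allowed=false (X-Frame-Options: deny)`, the second `allowed=true`, while the same `HEADERS_ALLOW_APP` still refuses any origin other than the SPA and the IdP itself. Listing the SPA's exact origin in `frame-ancestors` rather than `*` is the part that keeps the clickjacking protection the header exists for. Note that the header is only one precondition of a cross-site silent renew; the `prompt=none` request also needs the IdP's session cookie to be sent from inside the iframe, which browsers that block third-party cookies refuse when the SPA and the IdP are on different sites.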