Add support for setting X-FRAME-OPTIONS and CSP #9712
Comments
|
I've now tested oidc-client-ts with Keycloak, which doesn't set X-FRAME-OPTIONS to DENY and has Content-Security-Policy: frame-src 'self'; frame-ancestors 'self'; object-src 'none'; I wonder how no one else ever had an issue or has reported any issue with authentik when used in a SPA or PWA. I also wonder why I can't add this application I created with its provider to the default outpost. All I know is, oidc-client-ts with authentik can't refresh/renew tokens and I'm getting a timeout and an error in chromium that the request was denied because X-FRAME-OPTIONS is set to DENY, and there is no way I can see that I can add them on a per provider or application basis in authentik. So for me authentik is unable to perform its purpose. |
|
It's be really a good option if we can control X-Frame-Options. Try to fix my app refresh a few hours, buy only now realize this is Authentik trouble. As a temporary solution for Chrome - this extention works for me UPD: For me increasing time at provider setting make life really better |
Is your feature request related to a problem? Please describe.
When doing silent refresh with oidc-client-ts authentik returns X-FRAME-OPTIONS: deny, making it impossible to refresh a token.
Since the access_token lifetime is by default very short (5min) this leads to authentik not being usable.
Describe the solution you'd like
Add X-FRAME-OPTIONS and Content Security Policy settings.
Describe alternatives you've considered
Not use authentik.
Additional context
oidc-client-ts does silent renew in an iframe, as does keycloak-js and likely other oidc clients.
Forcing a user to hit the login button every 5 minutes is not acceptable, increasing the token lifetime likewise isn't.
Authentik already does too much magic with CORS and redirect_uri binding.
Add the possibility to set custom X-FRAME-OPTIONS and CSP.
The text was updated successfully, but these errors were encountered: