I have an app that runs on example.com and you can log into it via SSO. You can also embed example.com into any website you want. When a user needs to log into example.com via SSO we open a new window and then, normally, that window uses window.opener.postMessage() to let the iframe know when it's done and send back a login token. This has the following issues:

1. Sometimes with Google OAuth, the popup window has window.opener set to null. Not sure why, but when this happens we obviously can no longer post a message back.

2. So then people say to use BroadcastChannel to communicate back to the API. However, Chrome now has partitioned BroadcastChannel, so if you are in the iframe in this case your sandbox is for randompage.com > example.com and you cannot communicate from the popup back to the iframe through BroadcastChannel.

So how is this supposed to be done now?

Using the window.opener method, posting back works in most cases, but Google OAuth can set opener to null. BroadcastChannel with iframes seems to be partitioned, and this won't be a reliable approach going forward.
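The popup-to-opener handoff the question describes, written as an added example (not code from the original post or from any project it mentions). It shows the two halves of the exchange: the popup sends the login token only to the expected opener origin and reports when window.opener is null so the caller knows the handoff failed, and the iframe side accepts a token only from the SSO app's origin with the expected message shape. The origin https://example.com, the message type "sso-login", and all function names are assumptions for this example; the window-like objects are passed in so the logic can also run outside a browser.

```javascript
// Added example, not from the original post. The origin and message type are assumed.
const APP_ORIGIN = 'https://example.com';

// Popup side: after SSO completes, hand the token back to the opener.
// Returns a status string so the caller can detect the case the question
// describes, where window.opener is null and postMessage is impossible.
function deliverLoginToken(popupWindow, token, targetOrigin = APP_ORIGIN) {
  const opener = popupWindow.opener;
  if (!opener) {
    return 'no-opener';
  }
  // A credential must never be posted with targetOrigin '*': if the opener
  // has navigated to another origin, the browser drops the message instead.
  opener.postMessage({ type: 'sso-login', token }, targetOrigin);
  return 'sent';
}

// Opener/iframe side: validate one 'message' event and return the token, or
// null if the event did not come from the SSO app origin with the right shape.
function parseLoginMessage(event, expectedOrigin = APP_ORIGIN) {
  if (event.origin !== expectedOrigin) return null;
  const data = event.data;
  if (!data || typeof data !== 'object' || data.type !== 'sso-login') return null;
  if (typeof data.token !== 'string' || data.token.length === 0) return null;
  return data.token;
}

// Register a one-shot listener on the iframe's window; it removes itself once
// a valid token arrives, so later messages cannot overwrite the login state.
function installLoginListener(win, onToken, expectedOrigin = APP_ORIGIN) {
  const handler = (event) => {
    const token = parseLoginMessage(event, expectedOrigin);
    if (token !== null) {
      win.removeEventListener('message', handler);
      onToken(token);
    }
  };
  win.addEventListener('message', handler);
  return handler;
}

// Browser usage (constructed):
//   in the iframe:  installLoginListener(window, (token) => finishLogin(token));
//   in the popup:   if (deliverLoginToken(window, token) === 'no-opener') { /* fall back */ }
```

The origin check in parseLoginMessage is what makes this exchange safe when example.com is embedded in arbitrary third-party pages: any frame on the page can post to the iframe, but only a message whose event.origin is the SSO app's own origin is accepted. The 'no-opener' return value is the point at which the question's fallback problem begins; the example deliberately stops there rather than assuming a particular replacement channel.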