I think it would be useful for client implementers to have the following hint in the Session Management 1.0 specification section 4.1 (RP iframe).

Note that in deployments with multiple subdomains sharing the same RP session it is important that the parent window and RP iframe both set the same document.domain to get around same-origin restrictions. This will allow the RP iframe to target the parent window's embedded OP iframe.


actors:
- is the identity provider, offers session management and has an OP frame, uses the redirect_uri Origin to form the session_state
- is the main client content page that wishes to have users logged in
- is the client that communicates with, the redirect_uri used is from this domain


1) user clicks login on
2) uses to trigger oidc authentication flow
3) user logs in at, idp redirects back to
4) finishes the auth flow and when finished the second level domain gets a global session set by so that knows there is a user logged in
5) user gets redirected back to the content at
6) embeds the OP iframe
7) sets document.domain = '';
8) embeds the RP iframe from that has the session state
9) the RP frame also sets document.domain = '';

The RP iframe targets the embedded OP iframe now without issues and sends messages with the expected Origin and is able to notify the parent window ( about any changes or errors.

