Hello everyone, I have the following problem. I need to share an authentication status with an iframe hosted on a third-party website (so cross-domain). The iframe is embedding my site, which is protected by a login. I am currently managing authentication via express-session, so when a user logs in, a value (e.g. req.sessions.loggedIn) is set to true. However, this is not shared with the iframe ofc, so the user would have to log in every time he uses the iframe. What would be the best way to manage this? How can I share an "auth-status" with the other domain in a secure way?
Top comments (2)
You can use JWT for sharing authentication. When a user logs into your site, you can create a JWT that includes the user's identity and any other data you'd like to include.
Then, when loading the iframe, you can include the JWT as part of the iframe's URL. The third-party site can then read the JWT from the URL, validate it, and use the data it contains to authenticate the user.
Thank you for your reply. But this approach would only work if I control the third-party domain, right? How would the validation work?