
Anderson Feitosa

11/04/2022, 8:11 PM
Hello guys. I'm from Dadosfera and I'm facing a problem when trying to embed Orchest on our platform. The embed works normally, but when logging in the user is always redirected to the same page. The projects page does not open.

Expected behavior
When logging in with Orchest, even in an embed, I would like the user to be redirected to the projects page.

To Reproduce
Steps to reproduce the behavior:
1. Create a simple HTML page and run it on localhost
2. Use <iframe> to embed a deployed version of Orchest, with auth server
3. Log in with valid credentials
4. See the same page. The user is not redirected.

Any thoughts on this issue?
👍 1

Rick Lamers

11/07/2022, 1:53 PM
We don't support running Orchest inside of an <iframe> yet. We might do so in the future. Maybe you could collect the problems with running it inside the <iframe> (based on e.g. errors) on the GitHub issue page? Question, are you embedding the <iframe> from a host domain name that is different to the domain name of where you're hosting the Orchest instance? That could cause a number of browser security policies to prevent it from working correctly.

Anderson Feitosa

11/07/2022, 2:01 PM
Thanks for your response. About your question: the domain name is the same. Running locally (without auth), the only other problem I encountered was when running JupyterLab... If we can get the login to work, we can do workarounds for the JupyterLab issue. Is there no way to authenticate using an <iframe>?

Rick Lamers

11/07/2022, 2:04 PM
I don't see why this shouldn't be possible in principle. In practice, because we run JupyterLab in Orchest using an <iframe>, the nesting there might cause another class of issues. It's a matter of investigating where it breaks now and making the required changes without affecting the current security posture (XSS).

Anderson Feitosa

11/07/2022, 2:07 PM
About JupyterLab, no problem. We are aware. And about the login, do you see any way to solve it?

Rick Lamers

11/07/2022, 5:57 PM
I can take a look at the login embedding error later this week 👍
🙌 1
Hi Anderson, coming back to this. I've been able to use <iframe> embedding to log in. But only if the domains are the same. Note that from a cross-origin perspective abc.example.org is not the same as example.org.

The relevant code enforcing this constraint is here: https://github.com/orchest/orchest/blob/master/services/auth-server/app/app/views.py#L117

You could 'fork' and remove that constraint, but please be aware of the CSRF implications (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite)
🙌 1