Memberstack <> Circle SSO integration bug?

Chris_B · June 9, 2020, 5:39am

I’m looking to have an experience where new users on my platform can sign up via our sign up form (Memberstack) and then be able to interact with the community within an iframe on the platform (without having to kick them out to the subdomain to complete registration).

Currently, after users sign up they are presented with an iFrame with an embedded space in the onboarding flow: https://tinyurl.com/ycr8e7vt. I was hoping that the user could auth on this screen via the iFrame and then see the space. However after pressing “Continue with Silver Lining”, users see the following.

On Chrome:

Screen Shot 2020-06-08 at 4.21.14 PM1990×1432 68.6 KB

On Safari (it is stuck on this screen):

Screen Shot 2020-06-08 at 5.28.23 PM1108×916 30.5 KB

Interestingly:

Users can sign in with Circle within the iFrame (but it embeds the entire community area not just the space I want)
If I change the space settings to be public and the user tries to comment or like, they are pushed to the subdomain (tech.getsilverlining.com) in a new tab to Sign in/up and that works fine. The user can then return to our platform and the embed works as expected.

So it seems like the iFrame is playing with the SSO somehow. Is this a bug with the SSO integration on Memberstack side or Circle’s?

Josh-Lopez · June 9, 2020, 2:13pm

Hey Chris

Thank you for the feedback. I am going to pass this along to the dev team to see what’s going on.

Chris_B · June 9, 2020, 5:09pm

Thx @Josh-Lopez. I asked Circle the same question & this is what they said fyi:

Here’s my best guess as to why this is happening: MemberStack on their end doesn’t (yet) support the ability for the log in page to be embedded inside an iFrame. I’m CC’ing Tyler from Memberstack in case there’s something they can do about it.

This is because their “X-Frame-Options” is set to “sameorigin”, i.e. only memberstack.com URLs can embed a Memberstack iFrame. This error shows up in the console as well, and can be replicated on a JSFiddle etc:

* snippet - memberstack - circle *

Deciding whether or not to make this possible is 100% Memberstack’s decision, but just FYI, what we do on our end is remove the “X-Frame-Options” header completely to make this possible.

Josh-Lopez · June 9, 2020, 5:22pm

Hello again,

I talked to our dev team and for security reasons they are not allowing this. Your reply above is correct. We are currently weighing our options and coming up with solutions for this. I will let you know how this goes but do not have an ETA yet.

joey · June 23, 2020, 6:10pm

Just adding that I’ve got exactly the same problem and will eagerly await an update!

Thanks a lot!

Josh-Lopez · June 23, 2020, 6:58pm

Hey Joey

Welcome, and thank you for posting in the forum!

Thank you for the feedback! I will pass this along!

jesse · June 24, 2020, 1:21am

Looking forward to an update too. Thanks!

Josh-Lopez · June 24, 2020, 5:50pm

Ok I have talked to our developer team again! I have some good news. We made up our mind and we are going to open up our platform to allow for this but I do not have a current ETA on it yet (I sneaked it onto the developer to do list but the list is kind of long right now… Don’t tell @belltyler about this so I can keep my job ). We need to change our security/CORS rules around to make this happen.

Chris_B · July 9, 2020, 8:59pm

Thx @Josh-Lopez. Would you have an ETA on this? It’d be a HUGE win for me to have this! Thx

belltyler · July 10, 2020, 11:31pm

@Chris_B @jesse @joey

Hi guys, we just pushed an update that addresses this issue. You all should be able to embed your circle community in your site now.

If someone could confirm that this is working that would be great