I’m looking to have an experience where new users on my platform can sign up via our sign-up form (Memberstack) and then be able to interact with the community within an iframe on the platform (without having to kick them out to the subdomain to complete registration).
Currently, after users sign up they are presented with an iFrame with an embedded space in the onboarding flow: https://tinyurl.com/ycr8e7vt. I was hoping that the user could auth on this screen via the iFrame and then see the space. However after pressing “Continue with Silver Lining”, users see the following.
Users can sign in with Circle within the iFrame (but it embeds the entire community area not just the space I want)
If I change the space settings to be public and the user tries to comment or like, they are pushed to the subdomain (tech.getsilverlining.com) in a new tab to Sign in/up and that works fine. The user can then return to our platform and the embed works as expected.
So it seems like the iFrame is playing with the SSO somehow. Is this a bug with the SSO integration on Memberstack side or Circle’s?
Thx @Josh-Lopez. I asked Circle the same question & this is what they said fyi:
Here’s my best guess as to why this is happening: Memberstack on their end doesn’t (yet) support the ability for the login page to be embedded inside an iFrame. I’m CC’ing Tyler from Memberstack in case there’s something they can do about it.
This is because their “X-Frame-Options” is set to “sameorigin”, i.e. only memberstack.com URLs can embed a Memberstack iFrame. This error shows up in the console as well, and can be replicated on a JSFiddle etc:
Deciding whether or not to make this possible is 100% Memberstack’s decision, but just FYI, what we do on our end is remove the “X-Frame-Options” header completely to make this possible.
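The framing decision described above, as an added example (not code from Circle, Memberstack or the posters): a small Python evaluator that mirrors how a browser decides whether an origin may frame a page, comparing the `X-Frame-Options: SAMEORIGIN` setting against removing the header entirely (which lets any site frame the page) and against a CSP `frame-ancestors` allowlist that admits only named origins. The origins `login.example`, `platform.example` and `evil.example` are placeholders.

```python
def parse_origin(origin):
    """Split 'https://host[:port]' into (scheme, host, port), defaulting the port by scheme."""
    scheme, _, rest = origin.lower().partition("://")
    host, _, port = rest.partition(":")
    return scheme, host, int(port) if port else {"https": 443, "http": 80}.get(scheme)

def _source_matches(src, embedder, page):
    """Match one CSP frame-ancestors source expression against the embedding origin."""
    src = src.lower()
    if src == "'none'":
        return False
    if src == "*":                      # any network origin may frame the page
        return True
    if src == "'self'":                 # same origin as the framed page
        return parse_origin(page) == parse_origin(embedder)
    if src.endswith(":"):               # scheme-source such as 'https:'
        return parse_origin(embedder)[0] == src[:-1]
    e_scheme, e_host, e_port = parse_origin(embedder)
    # A host without a scheme inherits the framed page's scheme (CSP host-source rule).
    s_scheme, s_host, s_port = parse_origin(src if "://" in src else f"{parse_origin(page)[0]}://{src}")
    if s_host.startswith("*."):         # wildcard subdomain, e.g. *.example.com
        host_ok = e_host.endswith(s_host[1:]) and e_host != s_host[2:]
    else:
        host_ok = e_host == s_host
    return host_ok and e_scheme == s_scheme and e_port == s_port

def embedding_allowed(headers, page_origin, embedder_origin):
    """True if a browser would let embedder_origin put the page served with these headers in an iframe.
    frame-ancestors wins when present; otherwise X-Frame-Options; no header means anyone may frame."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return any(_source_matches(s, embedder_origin, page_origin) for s in value.split())
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return parse_origin(page_origin) == parse_origin(embedder_origin)
    return True  # absent or unrecognised value: browsers apply no framing restriction

PAGE = "https://login.example"        # placeholder for the login page's own origin
PLATFORM = "https://platform.example" # placeholder for the platform that wants to embed it
ATTACKER = "https://evil.example"     # placeholder for an arbitrary third-party site

# Constructed header sets for the three configurations discussed in the thread.
SAMEORIGIN = {"X-Frame-Options": "SAMEORIGIN"}                                 # current setting
STRIPPED = {}                                                                  # header removed
ALLOWLIST = {"Content-Security-Policy": f"frame-ancestors 'self' {PLATFORM}"}  # named embedders only

def compare():
    """For each configuration: (platform may embed?, unknown third party may embed?)."""
    return {name: (embedding_allowed(h, PAGE, PLATFORM), embedding_allowed(h, PAGE, ATTACKER))
            for name, h in (("sameorigin", SAMEORIGIN), ("stripped", STRIPPED), ("allowlist", ALLOWLIST))}
```

Only the allowlist row admits the platform while still refusing every other site; dropping the header grants both.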
I talked to our dev team and for security reasons they are not allowing this. Your reply above is correct. We are currently weighing our options and coming up with solutions for this. I will let you know how this goes but do not have an ETA yet.
Ok I have talked to our developer team again! I have some good news. We made up our mind and we are going to open up our platform to allow for this but I do not have a current ETA on it yet (I sneaked it onto the developer to-do list but the list is kind of long right now… Don’t tell @belltyler about this so I can keep my job). We need to change our security/CORS rules around to make this happen.