Guys I direly need your help
Unanswered
dro_v4.2.0 posted this in #help-forum
Right so I am making a tool for patients in Next and this tool is housed under and served as an iframe on another website.
I have an issue where I want to use the jwt that the housing site gives out to extract user info that in turn will auto authenticate the user to give em access to the said tool. My goal is to have the user get access to stored data in the tool without having to login twice.
So the workflow seems in order but fails to then authenticate after extracting the user info.
I am a newbie in Next but I try.
Please help, anyone?
1 Reply
Poodle
Iframe + JWT + cross-origin auth is tricky — a few things to check:
1. How are you receiving the JWT from the parent site? If it's via postMessage, make sure you're verifying the origin. If it's via URL params, that works but be careful about security.
2. Where is the JWT validation happening? It should be server-side (API route or middleware), not client-side. Extract the user info there, then create your own session/cookie.
3. Cookie issues in iframes: This is probably your blocker. Modern browsers block third-party cookies by default. If your tool sets a session cookie, the browser might be rejecting it because you're in an iframe on a different domain. Check your cookies have:
- SameSite=None
- Secure=true
- And the parent site must be HTTPS
4. Quick debug: Open browser devtools → Application → Cookies while in the iframe. Are your cookies actually being set?
Can you share how the JWT is being passed to your iframe and what your auth flow looks like after you extract the user info? That'll help narrow down where it's failing. @dro_v4.2.0