I have the case where I need to embed an iFrame into my page. The iFrame loads another page from the same domain and makes REST calls that require authentication.
The login procedure is handled in the main page and results in an access token. I need to pass the access token to the page loaded inside the iFrame. I thought of the following solutions:
- Store in a cookie: Would work since the domain is the same but storing access tokens in cookies is bad practice.
- Pass as URL param to the page in the iFrame: This feels insecure. URLs might be logged and are just too easily accessible that way.
- Pass via message API: I can’t find any flaws here but have not read a lot about this solution.
I try to keep the procedure between the two webpages.
Is any of these solutions viable or is an additional authentication authorization the only “right” way?