Post SSO: Cookies to be sent via Request Method

When I call the SSO through the API, it doesn’t work. It said the cookies and javascript are not enabled.

     client.request
    .post(ssoUrl, {
      headers: {
        "Content-Type": "application/json",
        Accept: "*/*",
        "User-Agent": "Web/2.0",
      },
      body: JSON.stringify(body),
    })
    .then(
      function (data) {
        console.log("=================SSO Response=================", data);
        return data;
      },
      function (error) {
        console.log("=================SSO Error=================", error);
        return error;
      }
);

When I call the SSO through the form submit, it works. It set the token to the cookies.

document.getElementById(`dashboard-targetUrl`).value = dashboardUrl;
document.getElementById(`dashboard-ssoProvider`).value = ssoProvider;
document.getElementById(`token`).value = token;
document.getElementById(`dashboardForm`).submit();

Is there any way to get the cookies after the form approach, because the form approach works?

Hi @Nhat_Nguyen

According to what I read here, it appears like you are looking at providing single sign on experience for the app within Freshdesk? Or single sign on experience to log into freshdesk itself?

Do you mind helping us understand the problem in a different way where we can picture it in ways we can help?

See what can cause confusions in Technical Discussions

See what information you can provide to effective solutioning

Hello,

I’m implementing the SSO for another app integrated with Freshdesk. The problem is not the SSO, the problem is the Request Method cannot set the Cookie. It throws the error cookies and javascript are not enabled. This is the response file responseFromSSOAPI.zip (4.1 KB)

When I submit by the form approach, it sets the cookie successfully. However, when I call other APIs, it doesn’t send the cookie automatically. So since the form submission work, can I access the cookie somehow?

Nhat Nguyen

1 Like

Can you describe the end user flow? How do they use the app?

They go into the App Page, which has the iframes of another app, the SSO flow immediately triggers, they will be logged in and access another app through embedded iframe.

I want to call some APIs to another app to get some information, and when the API needs to be authorized through SSO.

1 Like

The app on the freshworks platform that renders in the iframe in the browser has the following restrictions for a ticket sidebar:

allow-scripts → This allows you to invoke await app.initialized() and access client. Essentially any other Javascript.
allow-forms → This allows forms submissions to be allowed.
allow-same-origin with src="subdomain.app-platform.com" → This enables the freshworks app to use usual browser APIs. Since the src mentioned in iframe is different origin API requests sent from the freshworks app will be treated as cross-origin requests resulting API calls to be blocked in the app’s frontended if used libraries like axios or superagent. To help developers out with this restriction, app platform provides Request Method to make API calls.

allow-popups,allow-modals ,allow-downloads are others not helpful for our discussion.

Coming to your requirement – as I understand it — As soon as the app renders within the Freshdesk, it should trigger SSO flow and access different content in the iframe. Authorized tokens would be needed to consume an API you want from the app.

The app is rendered from subdomain.app-platform.com will treat the cookies set after SSO as third-party cookies set (even with Set-Cookie: session=your_session; SameSite=None; Secure ) on subdomain.freshdesk.com. Because the iframe is restricted by sandbox attribute without allow-top-navigation (can only get not set with this attribute) with different origins of parent and iframe src, the app cannot access cookies to be sent along with the requests via Request Method (Or platform should explore a way to accomplish it and make it available for the app developers).

I am not a expert, but here were there references I’ve used to extend help:

3 Likes

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.