OIDC login works via direct URL, but fails with redirect loop when loaded in iframe
Tags: Authentication, Unsolved, Login, Question, Authorization
Hi Zitadel team,
I’m running into an issue with OIDC authentication when an application is loaded inside an iframe.
Scenario:
App A hosts an iframe.
App B (OIDC-protected) is loaded inside that iframe.
Behavior:
When App B is opened directly in the browser, login works fine.
When the same App B is loaded inside an iframe, after login it ends in a redirect loop and shows “redirected you too many times”.
Additional info:
Another iframe-based app under the same Zitadel org works fine.
Only this specific embedded app fails.
Apps are on different subdomains and served over HTTPS.
Question:
Is this expected behavior due to iframe or third-party cookie restrictions, SameSite settings, or Zitadel session handling?
Are there recommended Zitadel configurations or supported patterns for OIDC inside iframes?
Thanks in advance.
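Added example, not part of the question or of Zitadel's code: a small model of the browser's SameSite cookie rule, used to show one mechanism that produces exactly the symptom above (direct visit works, cross-site iframe loops) when the relying party's session cookie is not sent back in the embedded context. Paths, cookie attributes and the IdP hop are hypothetical.

```javascript
// Added example, not from the question or from Zitadel: a small model of the
// browser's SameSite cookie rule, used to show how an OIDC relying party (RP)
// can end in a redirect loop when it is embedded cross-site and its session
// cookie never comes back. All names and paths here are hypothetical.

// Does the browser attach a cookie with these attributes to a request?
// Simplified from RFC 6265bis. "crossSite" means the top-level page and the
// request target have different sites (different registrable domains); two
// subdomains of one registrable domain count as same-site and are unaffected.
function cookieIsSent({ sameSite, secure }, { crossSite, topLevelNavigation }) {
  if (!crossSite) return true;                       // same-site: always sent
  if (sameSite === 'None') return secure;            // cross-site only if Secure
  if (sameSite === 'Lax') return topLevelNavigation; // top-level GETs only
  return false;                                      // Strict: never cross-site
}

// RP behind /app: no session -> redirect to the IdP; the IdP redirects back to
// /callback, which sets the session cookie and redirects to /app again.
// The browser-side jar keeps the cookie; whether it travels with the next
// request is decided by cookieIsSent. We give up after maxRedirects, which is
// what the browser's "redirected you too many times" page reflects.
function simulateLogin({ cookieAttrs, context, maxRedirects = 10 }) {
  let path = '/app';
  let redirects = 0;
  let sessionCookie = null;
  while (redirects < maxRedirects) {
    if (path === '/app') {
      const sent = sessionCookie !== null && cookieIsSent(sessionCookie, context);
      if (sent) return { ok: true, redirects };
      path = '/idp/authorize'; redirects++;
    } else if (path === '/idp/authorize') {
      path = '/callback'; redirects++;       // IdP session exists, no prompt
    } else {
      // Set-Cookie: session=...; SameSite=...  (real browsers also refuse to
      // store Lax/Strict cookies from cross-site responses; same net effect)
      sessionCookie = { ...cookieAttrs };
      path = '/app'; redirects++;
    }
  }
  return { ok: false, redirects };
}

// Constructed contexts: a direct visit versus an iframe on another site.
const topLevel = { crossSite: false, topLevelNavigation: true };
const crossSiteFrame = { crossSite: true, topLevelNavigation: false };
const lax = { sameSite: 'Lax', secure: true };
const none = { sameSite: 'None', secure: true };

console.log('direct, Lax      :', simulateLogin({ cookieAttrs: lax, context: topLevel }));
console.log('iframe, Lax      :', simulateLogin({ cookieAttrs: lax, context: crossSiteFrame }));
console.log('iframe, None;Sec :', simulateLogin({ cookieAttrs: none, context: crossSiteFrame }));
```

Even with SameSite=None; Secure, browsers that block third-party cookies drop the cookie in a cross-site iframe unless it is Partitioned or storage access has been granted, which this model does not cover. Inspecting the Set-Cookie attributes and the blocked-cookie indicator on the /callback response in the browser's network panel is the quickest way to confirm which case applies.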
