https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42719 --- Comment #9 from David Cook <dcook@prosentient.com.au> --- If we look at OIDC, it does outline some information about "Initiating Login from a Third Party": https://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLog... Okta itself refers you to the OIDC docs: https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_... It looks like X-FRAME-OPTIONS is what blocks the iframe clickjacking in modern browsers... And my testing for putting it into something like an <img> actually only failed because of using localhost for testing... For Okta, wouldn't it make sense to create a "initiate_login_uri" that takes the "iss" parameter, checks it against the Koha database, and then prompts the user saying "Issuer <iss> is initiating login. Would you like to proceed?" and then go off that? -- You are receiving this mail because: You are watching all bug changes.