Is there a way to disable the X-Frame-Options header in the WSO2IS responses? We need to integrate one application within another with the use of an iframe. Both applications are using WSO2IS for authentication, though the one in the iframe will redirect to authenticate with OpenID Connect, but it should return back immediately since the user has been authenticated by the parent application. Now as it is, I get X-Frame-Options: DENY headers and since the WSO2IS is located in a different domain than the application. Any suggestions?
After a little thought and since there is no answer yet, I believe I can answer my own question. Since it seems that every SSO system out there will serve the X-Frame-Options header with a DENY value, the only solution would be to pass the OpenID Connect Code from the parent application to the iframe child application as a parameter. In that way, the redirection step is not needed and thus the nested/child/whatever application can make the requests for the token and user info. I don't know if this is a nice way to do it, but it seems the only way that will work with WSO2IS or any other OpenID Connect-based SSO system.
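
The browser-side check behind the blocked iframe described in the question, as an added example that is not part of the original posts. It is a simplified model (one header value, exact-origin matching only), and the two origins and the header values are constructed for illustration.

```javascript
// Added example: simplified model of a browser's decision to render a
// response inside an iframe. Origins below are constructed placeholders.
const IDP_ORIGIN = "https://is.example.com";   // assumed identity server origin
const APP_ORIGIN = "https://app.example.org";  // assumed parent application origin

// Return the source list of the frame-ancestors directive, or null if absent.
function frameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// headers: response headers of the framed page
// responseOrigin: origin that served the framed page
// parentOrigin: origin of the page that contains the iframe
function canBeFramed(headers, responseOrigin, parentOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // An enforced frame-ancestors directive takes precedence over X-Frame-Options.
  const sources = frameAncestors(h["content-security-policy"]);
  if (sources !== null) {
    return sources.some((s) => {
      if (s === "'none'") return false;
      if (s === "*") return true;
      if (s === "'self'") return parentOrigin === responseOrigin;
      return s.toLowerCase() === parentOrigin.toLowerCase(); // exact origins only
    });
  }

  const xfo = (h["x-frame-options"] || "").trim().toLowerCase();
  if (xfo === "deny") return false; // blocked for every parent, even same-origin
  if (xfo === "sameorigin") return parentOrigin === responseOrigin;
  return true; // header absent, or an obsolete/unknown value such as ALLOW-FROM
}

// The situation in the question: DENY on a login page served from another domain.
console.log(canBeFramed({ "X-Frame-Options": "DENY" }, IDP_ORIGIN, APP_ORIGIN));
```
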