Use cockpit session to authenticate other webapps

[L1800Turbo]

Hello,

as I understood, embedding external webapps is currently not supported. I saw #12269 or #19051
But I wasn't able to get this example running for the mentioned reasons that iframe.src is not allowed. Playing with content-security-policy didn't help so far.

So my next approach was to at least offer a link to the external webapp and make the external app available for the client, here I'd like to login into these services by a token, so that there's no additional login necessary.
Getting the login of cockpit for this would be great, as cockpit is able to do an auto-login with the current logged Active Directory user.
I didn't find an example for this, nor a documentation, so far.
In gbraad-redhat/podman-cockpit-desktop#3 it seems to face problems logging in into cockpit, but this works out of the box.

That brings me to my questions:

• Is there any solution to embedding an https webpage into such a mentioned stream? Maybe I just didn't find the right security-policy so far..
• Is it possible to use the cockpit login for other webapps by http auth or do I need to implement something in front of the other webapps like oauth?

Thank you!

[jelly]

Reading the first issue, it doesn't say you can't embed a web page in Cockpit it won't integrate nicely however. You can turn off most of content-security-policy via manifest.json. What you might want to embed might set X-Frame-Options disallowing embedding it in an iframe.

Regarding authentication, Cockpit uses PAM for auth so I don't fully see how that can be re-used for other applications. We have some documentation here https://github.com/cockpit-project/cockpit/blob/main/doc/authentication.md

[L1800Turbo]

Thank you!
As of the authentication I now understand, why I didn't find the documentation. I had some wrong assumptions in mind...

For the integration: Yes, I won't look nice, but might be a proper workaround for some sites.

For testing I went back to a simple hello world web server to make sure there are no embedding disagreements from the site itself.

I got it to this basic example now:

<head>
   <script type="text/javascript" src="../base1/cockpit.js"></script>
    <link rel="manifest" href="./manifest.json" />
</head>
<body>
<iframe id="luem" src="" width="1200" height="800"></iframe>
 <script type="text/javascript">
window.onload = function () {
    var iframe = document.getElementById("luem");

    var channel = cockpit.channel({
        payload: "http-stream2",
        binary: true,
        address: "localhost",
        port: 91,
        method: "GET",
        path: "/",
    });

    channel.addEventListener("ready", function (event, options) {
        var uri = cockpit.transport.uri("channel/" + cockpit.transport.csrf_token);
        var id = channel.id;
        var url = uri + "/" + id
        console.log('die URL ist: ' + url);
        iframe.src = url;
    });
};
</script>
</body>

In the manifest.json I tried to include every unsafe parameter (not every param at every time, I did some tests), also it without 'self' in it:

{
    "version": 0,

    "tools": {
        "portainer": {
            "label": "Test Embedded",
            "path": "embedded.html"
        }
    },

    "content-security-policy": "default-src 'self' 'unsafe-inline' 'unsafe-eval' 'unsafe-hashes'"
}

But the browser (tried Chrome and Firefox) still seems to be unsatisfied.
For example chrome throws multiple of these errors:

updates.js:11 Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self' https://server:9090". Either the 'unsafe-inline' keyword, a hash ('sha256-xxx'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
Refused to frame 'wss://server:9090/' because it violates the following Content Security Policy directive: "default-src 'self' https://server:9090". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.

If I understand it correctly, the parameter 'unsafe-inline' isn't recognized. Do I need to place it somewhere else?