by moi2388 666 days ago
The flow is supported by the first party, but the login goes through a third-party gateway which sends a token to the callback URI.

I think the previous poster was responding to this:

“I'm not sure what people are doing now, because you can't retain state.”

They do OAuth.


That's not what I'm talking about. I'm talking about scenarios where the authentication flow is not explicitly supported by the first party. It just exists through an iframe.

There is no replacement. It's just not possible anymore. OAuth doesn't address this.

Yes, that's right. You can't steal credentials from another site without their permission.

No... that's not how that mechanism was ever used. The authentication flow I'm describing was used by companies to embed login flows for functionality that was delivered by iframe as companion behavior next to the first-party site.

OAuth. If you take Google as an example, you let them sign in with Google through OAuth and then query the user data through the APIs. On-behalf-of/authorization code grant flow.

You can’t do an iframe, but you can still get the data if it’s supported by their API and yours.

Which is the way it should be, imo.