[andrewmcwatters]

No... that's not how that mechanism was ever used. The authentication flow I'm describing was used by companies to embed login flows for functionality that was delivered by iframe as companion behavior next to the first-party site.

[moi2388]

OAuth. If you take Google as example, You let them sign in with Google through OAuth and then query the user data through the APIs. On-behalf-of/authorization code grant flow.

You can’t do an iframe, but you can still get the data if it’s supported by their api and yours.

Which is the way it should be, imo.