I have some JavaScript code in an application that automatically requests an id_token and access_token from an OpenID Connect/OAuth2 endpoint through an iframe, using hardcoded credentials.
The problem is that, although the user never sees the form because the request happens silently, Google Smart Lock prompts the user to save the credentials, which is undesirable (mainly because they are hardcoded and don't need to be remembered, and because we don't want users to see this).
Is there any way, from code, to prevent Google Smart Lock from displaying this prompt, or any workaround to avoid it?
This is the code that gets executed with the hardcoded credentials.
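/**
 * Logs in silently: posts a hidden form (username, password, rememberMe and
 * the anti-forgery cookie value) into a hidden named iframe, then completes
 * the implicit OAuth flow that the framed page reports back via postMessage.
 *
 * Response handling, as reported by FrameLoader:
 *  - 'login'         -> refresh the xsrf/signin cookies and show the login model
 *  - 'tokenCallback' -> read the implicit-flow result from the hash and save the token
 *  - 'error'         -> start a fresh implicit request and retry the login once
 *                       the new frame reports a login page
 *
 * @param {string} username
 * @param {string} password
 * @param {boolean} rememberMe - when truthy the rememberMe checkbox is submitted checked
 * @returns {undefined}
 */
TokenManager.prototype.login = function(username, password, rememberMe) {
  var mgr = this;
  var oauth = new OAuthClient(this.settings);

  // All markup below is static; the caller-supplied values are applied with
  // .val() rather than being spliced into the HTML strings.
  var form = $('<form name="form" id="loginForm" method="post" style="display: none"></form>').appendTo("body");
  form.attr("action", this.settings.loginUrl + '?signin=' + this.signinId());
  form.attr("target", this.settings.frameName);
  var xsrfField = $('<input name="idsrv.xsrf" type="hidden">').appendTo(form);
  var userField = $('<input name="username" id="username" type="text">').appendTo(form);
  var passField = $('<input id="password" name="password" type="password">').appendTo(form);
  var rememberField = $('<input type="checkbox" id="rememberMe" name="rememberMe">').appendTo(form);
  var submitButton = $('<button type="submit" style="display: none"></button>').appendTo(form);

  userField.val(username);
  passField.val(password);
  rememberField.val(rememberMe);
  // Set the checked *property* from the boolean. The original used
  // attr('checked', '') for the unchecked case, but '' is not `false` for
  // jQuery's boolean-attribute hook, so the box ended up checked either way.
  rememberField.prop('checked', Boolean(rememberMe));
  xsrfField.val(getCookie(TokenManager.xsrfKey));

  // Shared by both frames: turn an implicit-flow callback hash into a saved token.
  // An error result is ignored without notification, as in the original.
  function handleTokenCallback(hash) {
    var result = oauth.readImplicitResult(hash);
    if (result.error) {
      return;
    }
    mgr.saveToken(Token.fromOAuthResponse(result));
    mgr.callTokenObtained();
  }

  // Used when the first post comes back as 'error': load a fresh implicit
  // request in a new frame and, once it reports a login page, retry the whole
  // login with the refreshed signin/xsrf cookies.
  function retryViaImplicitRequest() {
    var request = oauth.createImplicitRequest();
    var retryFrame = new FrameLoader(request.url, mgr.settings.frameName);
    retryFrame.load(function (d) {
      if (d.type === 'login') {
        setCookie(TokenManager.signInKey, d.signin, 1);
        // Read the anti-forgery value from *this* response (d). The original
        // read data.model here, i.e. the outer 'error' payload, which does not
        // carry the login model.
        setCookie(TokenManager.xsrfKey, d.model.antiForgery.value, 1);
        setTimeout(function () {
          mgr.login(username, password, rememberMe);
        }, 0);
      } else if (d.type === 'tokenCallback') {
        handleTokenCallback(d.hash);
      }
    });
  }

  var frame = new FrameLoader('', this.settings.frameName);
  frame.load(function (data) {
    form.remove();
    if (data.type === 'login') {
      setCookie(TokenManager.xsrfKey, data.model.antiForgery.value, 1);
      setCookie(TokenManager.signInKey, data.signin, 1);
      mgr.showLogin(data.model, username);
    } else if (data.type === 'tokenCallback') {
      handleTokenCallback(data.hash);
    } else if (data.type === 'error') {
      retryViaImplicitRequest();
    }
  }, function () {
    // FrameLoader timed out. The original passed a no-op here, which left the
    // hidden form (with the credentials in it) in the DOM; remove it so
    // repeated attempts do not accumulate.
    form.remove();
  });
  submitButton.click();
};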
and this is the FrameLoader.js that is being used
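define(['jquery'], function ($) {
  /**
   * Loads a URL into a hidden, named iframe and waits for the framed page to
   * report back with window.postMessage.
   *
   * @param {string} url - address to load; an empty string creates the frame without navigating it
   * @param {string} frameName - value for the iframe's name attribute (the login form targets it)
   */
  function FrameLoader(url, frameName) {
    this.url = url;
    this.frameName = frameName;
  }

  // How long to wait for the framed page to post back before giving up.
  var LOAD_TIMEOUT_MS = 10000;

  /**
   * Creates the hidden iframe and listens for the first acceptable message.
   * Exactly one of `success` / `error` is invoked, after which the listener,
   * the timer and the iframe are all torn down.
   *
   * @param {function(*): void} [success] - receives e.data of the accepted message
   * @param {function(): void} [error] - called when nothing arrives within LOAD_TIMEOUT_MS
   * @returns {undefined}
   */
  FrameLoader.prototype.load = function (success, error) {
    // frameName is spliced into markup unescaped; it comes from settings and
    // must never be user-controlled.
    var frame = $('<iframe name="' + this.frameName + '" style="display:none"></iframe>').appendTo("body");
    var frameWindow = frame[0].contentWindow;
    var handle = null;

    function cleanup() {
      window.removeEventListener("message", onMessage, false);
      if (handle) {
        window.clearTimeout(handle);
      }
      handle = null;
      frame.remove();
    }

    function onTimeout() {
      cleanup();
      if (error) {
        error();
      }
    }

    function onMessage(e) {
      // Ignore late messages (handle already cleared) and messages from other
      // origins. Additionally require the sender to be the frame we created:
      // the original accepted any same-origin window, so another frame on the
      // page could have completed the flow. This assumes the framed page posts
      // from its own window (parent.postMessage), not from a nested frame.
      if (!handle) return;
      if (e.origin !== location.protocol + "//" + location.host) return;
      if (e.source !== frameWindow) return;
      cleanup();
      if (success) {
        success(e.data);
      }
    }

    handle = window.setTimeout(onTimeout, LOAD_TIMEOUT_MS);
    window.addEventListener("message", onMessage, false);
    if (this.url) {
      frame.attr("src", this.url);
    }
  };

  return FrameLoader;
});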