search
Ctrlk

How to integrate your app as iframe in B2CORE

Learn how to integrate a third-party web application into B2CORE as an iframe, including server configuration, theme and language synchronization, and JWT-based authentication via the postMessage API

B2CORE supports embedding third-party web applications directly into the client UI via an iframe. When a custom menu item is configured with the Iframe behavior, B2CORE loads your application inside the interface, providing a seamless experience for clients without leaving the platform.

This guide covers two aspects: configuring the custom menu item in the B2CORE Back Office, and preparing your application to work correctly inside the B2CORE iframe.

hashtag
Prerequisites

Before proceeding, ensure the following:

circle-info

hashtag
Step 1. Configure your server to allow iframe embedding

By default, most web servers and frameworks prevent pages from being embedded in iframes on other domains. To allow B2CORE to load your application, you must configure the appropriate HTTP response headers on your server.

You need to set one or both of the following headers:

hashtag
Content-Security-Policy

The Content-Security-Policy header with the frame-ancestors directive controls which origins are allowed to embed your page. Set this header to include your B2CORE instance origin:

Content-Security-Policy: frame-ancestors 'self' https://portal.example.com

Replace https://portal.example.com with the actual origin of the B2CORE UI used by your clients. You can specify multiple origins separated by spaces if your application needs to be embedded across several B2CORE instances.

For more information, refer to the Content-Security-Policy documentation on MDNarrow-up-right.

hashtag
X-Frame-Options

The X-Frame-Options header is an older mechanism that achieves a similar result. If you use it, set it to ALLOW-FROM with your B2CORE origin:

circle-exclamation

The X-Frame-Options: ALLOW-FROM directive is not supported by all browsers. It is recommended to use the Content-Security-Policy header with the frame-ancestors directive as the primary mechanism and include X-Frame-Options only as a fallback for older clients.

For more information, refer to the X-Frame-Options documentation on MDNarrow-up-right.

hashtag
Step 2. Add a custom menu item in the B2CORE Back Office

To make your application accessible to clients, add a custom menu item with the iframe behavior:

1

Navigate to Promotion > Menu.

2

Click the eye icon in the General row to view the menu tree.

3

Click +Create in the upper-right page corner.

4

Fill in the required fields:

  • In the Name field, enter a unique name for the menu item.

  • In the Caption field, enter the label that clients will see in the menu.

  • In the External URL field, specify the URL of your application.

  • In the Icon field, specify the URL of an SVG icon (16x16 px, monochrome, transparent background).

  • In the Custom Behavior dropdown, select Iframe.

5

Configure optional restrictions if needed:

  • To limit visibility to specific verification levels, select the appropriate levels in the Verification Level Allowance dropdown.

  • To limit visibility to specific client types, select the corresponding types in the Client Type Allowance dropdown.

6

Enable the Visible checkbox to make the item appear in the menu.

7

Click Save to add the custom menu item.

When clients click this menu item, your application will load inside an iframe within the B2CORE UI.

circle-info

Two other behavior options are available for custom menu items: Same tab (opens the URL in the current browser tab) and New tab (opens the URL in a new browser tab). The iframe option is the only one that embeds your application within the B2CORE interface.

hashtag
Step 3 (optional). Implement the postMessage communication protocol

If your application needs to identify the authenticated B2CORE user, match the B2CORE UI theme, or follow the language selected by the user, you can implement the postMessage communication protocol described below. This step is optional — if your application does not require user authentication, theme synchronization, or language synchronization, you can skip it.

hashtag
Message reference

hashtag
Messages from your application to B2CORE

Message type
Description
Payload

embed-iframe-ready

Signals that the iframe has loaded and is ready to receive messages.

{ type: "embed-iframe-ready" }

embed-request-jwt-token

Requests a JWT authentication token from B2CORE.

{ type: "embed-request-jwt-token" }

hashtag
Messages from B2CORE to your application

Message type
Description
Payload

embed-theme-change

Sent whenever the B2CORE UI theme changes (and once immediately after embed-iframe-ready).

{ type: "embed-theme-change", theme: "dark-theme" | "light-theme" }

embed-language-change

Sent whenever the B2CORE UI language changes (and once immediately after embed-iframe-ready).

{ type: "embed-language-change", lang: "<language-code>" }

embed-jwt-token

Successful response to a token request.

{ type: "embed-jwt-token", token: "<jwt-string>", expiresAt: "<ISO-8601>" }

embed-jwt-token-error

Error response when token generation fails.

{ type: "embed-jwt-token-error", error: "<error-message>" }

The lang field contains a lowercase ISO 639-1 language code (for example, en, de, ar) matching the language currently selected in the B2CORE UI.

hashtag
Communication flow

The sequence of messages between your application and B2CORE follows this pattern:

1

Signal readiness. When your page finishes loading, send the embed-iframe-ready message to B2CORE. This tells the host that your application is ready to receive data.

2

Receive the current theme. B2CORE responds with embed-theme-change containing the current theme (dark-theme or light-theme). Apply the theme to your UI. You will also receive this message whenever the user switches themes.

3

Receive the current language. B2CORE also responds with embed-language-change containing the language code currently selected in the B2CORE UI (for example, en or ar). Apply the corresponding locale to your UI. You will receive this message again whenever the user changes the language.

4

Request an authentication token. When you need to identify the current user, send embed-request-jwt-token. B2CORE responds with either embed-jwt-token (containing the JWT and its expiration time) or embed-jwt-token-error if token generation fails.

5

Refresh the token before expiry. The JWT has an expiration time provided in the expiresAt field (ISO 8601 format). Request a new token before the current one expires to maintain uninterrupted access.

hashtag
Code example

A complete JavaScript snippet you can include in your application:

circle-exclamation

Replace the B2CORE_ORIGIN value with the actual origin of your B2CORE instance (for example, 'https://portal.example.com') in production. Using '*' is acceptable during development only, as it allows any origin to communicate with your application.

hashtag
TypeScript type definitions

If your application is built with TypeScript, you can use the following type definitions:

hashtag
Step 4 (optional). Validate the JWT token

The JWT token issued by B2CORE can be validated against the JSON Web Key Set (JWKS) endpoint exposed by the B2CORE API (Admin Panel backend). This is typically the API/admin domain, not the client-facing UI domain:

Use this endpoint to retrieve the public keys needed to verify the token signature. Most JWT libraries support JWKS-based validation out of the box.

circle-info

For manual inspection during development, you can decode and verify JWT tokens using the JWT decoder toolarrow-up-right.

circle-check

See also

How to add custom menu items

How to configure a menu in the B2CORE UI

Menu

PreviousHow to integrate SalesforceNextHow to configure settings for mobile app downloads

Last updated

Was this helpful?