December 16, 2025

OAuth BroadcastChannel callback not delivered when Adobe Express is embedded via SDK iframe



Summary

OAuth authentication for Adobe Express add-ons works correctly when Adobe Express is accessed directly at express.adobe.com, but fails consistently when the same add-on is used inside the Adobe Express SDK embedded in an iframe.

The failure occurs because the Adobe-owned OAuth redirect page uses BroadcastChannel to return the OAuth result, and this message is not delivered to the add-on when Express runs inside a third-party iframe.

This appears to be a platform limitation related to browser browsing-context isolation rather than an add-on implementation issue.


Environment

  • Adobe Express Add-on

  • OAuth via Adobe-provided redirect page

  • Adobe Express accessed in two modes:

    1. Top-level: https://express.adobe.com

    2. Embedded: Adobe Express SDK inside <iframe> on a custom website

  • Browsers tested: Chrome, Edge (latest)


Expected Behavior

The OAuth flow should behave consistently in both environments:

  1. User clicks Sign In in the add-on

  2. OAuth popup opens

  3. After successful login, Adobe redirect page posts OAuth result

  4. Add-on receives OAuth response and completes login


Actual Behavior

✅ When Express is opened directly

  • OAuth popup opens

  • Adobe redirect page executes:

     
    new BroadcastChannel("adobe-express-addons-oauth-channel").postMessage(oAuthResponse);
  • Add-on successfully receives the OAuth response

❌ When Express is embedded via SDK iframe

  • OAuth popup opens successfully

  • Adobe redirect page executes the same BroadcastChannel code

  • Add-on never receives the OAuth response

  • No error is thrown; message is silently dropped


Key Technical Observation

  • The OAuth redirect page and its BroadcastChannel implementation are Adobe-owned and not customizable

  • BroadcastChannel delivery fails when:

    • Sender is a top-level window

    • Receiver is inside a cross-origin, third-party iframe

  • This matches browser-enforced browsing context group isolation

As a result, no listener exists in the same context group, and the OAuth response cannot be delivered.


Why this blocks SDK usage

Because:

  • The redirect page cannot be modified

  • BroadcastChannel cannot cross iframe context groups

  • The add-on cannot receive OAuth data

➡️ OAuth-based sign-in is effectively unusable for add-ons when Express is embedded via the SDK

This makes it impossible to support authenticated add-on functionality inside the SDK environment.


Request / Questions for Adobe

We would appreciate clarification on one of the following:

  1. Is OAuth authentication officially unsupported for add-ons inside the Express SDK iframe?

  2. Are there plans to update the OAuth redirect mechanism to use:

    • window.postMessage, or

    • an SDK-provided auth callback API?

  3. Is there an alternative recommended authentication approach for SDK-embedded add-ons?

  4. Is this a known limitation that should be documented for add-on developers?


Why this matters

Many partners embed Adobe Express via the SDK to integrate add-ons into their own platforms.
Without a working authentication mechanism, add-ons that require login cannot function in this environment.


Minimal Reproduction (available on request)

We can provide:

  • Sample add-on

  • OAuth setup

  • Embedded SDK page

  • Steps to reproduce consistently


Closing

This does not appear to be an implementation error but rather a gap between the OAuth redirect design and the SDK embedding model.
Guidance or platform support from Adobe would be greatly appreciated.
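
Editor's added example, not part of the original post and not Adobe code: question 2 above asks about window.postMessage, which, unlike BroadcastChannel (same-origin delivery only), can be sent to the receiver from any origin, so the receiver has to validate the sender itself. The redirect origin, the `{ state, code }` message shape and all function names below are assumptions made for illustration.

```javascript
// Receiver-side checks for an OAuth result delivered with window.postMessage.
// Assumptions: placeholder redirect origin, hypothetical { state, code } message.
const TRUSTED_REDIRECT_ORIGIN = "https://oauth-redirect.example"; // placeholder

function createOAuthReceiver(expectedState, popupWindow) {
  let consumed = false; // accept at most one result per sign-in attempt

  // Returns { ok: true, code } or { ok: false, reason }.
  return function handleMessage(event) {
    if (consumed) return { ok: false, reason: "already-consumed" };
    // Exact match only: prefix or substring tests let look-alike origins pass.
    if (event.origin !== TRUSTED_REDIRECT_ORIGIN) {
      return { ok: false, reason: "untrusted-origin" };
    }
    // Only the popup this flow opened may answer, not another frame or tab.
    if (event.source !== popupWindow) {
      return { ok: false, reason: "unexpected-source" };
    }
    const data = event.data;
    if (data === null || typeof data !== "object" ||
        typeof data.state !== "string" || typeof data.code !== "string") {
      return { ok: false, reason: "malformed" };
    }
    // The state value binds the response to the request that started it.
    if (data.state !== expectedState) {
      return { ok: false, reason: "state-mismatch" };
    }
    consumed = true;
    return { ok: true, code: data.code };
  };
}

// Constructed sample events standing in for browser MessageEvent objects.
const popup = { name: "oauth-popup" };
const good = { state: "st-7f3a", code: "c1" };
const receive = createOAuthReceiver("st-7f3a", popup);
const results = [
  receive({ origin: "https://oauth-redirect.example.other.test", source: popup, data: good }),
  receive({ origin: TRUSTED_REDIRECT_ORIGIN, source: {}, data: good }),
  receive({ origin: TRUSTED_REDIRECT_ORIGIN, source: popup, data: "not-an-object" }),
  receive({ origin: TRUSTED_REDIRECT_ORIGIN, source: popup, data: { state: "other", code: "c1" } }),
  receive({ origin: TRUSTED_REDIRECT_ORIGIN, source: popup, data: good }),
  receive({ origin: TRUSTED_REDIRECT_ORIGIN, source: popup, data: good }),
];
console.log(results.map((r) => (r.ok ? "accepted" : r.reason)));
```

In a browser the returned handler would be registered with `window.addEventListener("message", ...)` and `popupWindow` would be the value returned by `window.open`.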