Currently, when the Iframe widget is configured with protected URL Type, it performs the OAuth flow within the embedded Iframe by default. However, many authentication services configure Content-Security-Policy or X-Frame-Options header to prevent loading the login page within an iframe as a security measure to prevent credentials leakage. This renders the iframe widget with protected url type unusable for many use cases. The only exception to this is if the Authorization URL contains login.microsoftonline.com . In this case, Port opens the login window in a popup to perform the login securely and to work around the "X-Frame-Options: Deny" header set by Microsoft. In our particular scenario, we have internal Keycloak used as our IAM solution. The default login method in Keycloak is to login via Entra ID ( login.microsoftonline.com ). However, as the Keycloak itself has its own domain, the popup is not opened as the flow is started by navigating to Keycloak (rather than Entra ID directly), and the browser rejects to load the Entra ID login page due to headers set by Microsoft. This is a request to make the popup/embedded behavior configurable. Ideally, there would be a toggle to choose whether the authentication window should be opened in embedded or popup mode.