User Experience Container Level Identity Federation and Content Security
US-2021286861-A1 · Sep 16, 2021 · US
US11677739B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11677739-B2 |
| Application number | US-202117358506-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 25, 2021 |
| Priority date | Jun 25, 2021 |
| Publication date | Jun 13, 2023 |
| Grant date | Jun 13, 2023 |
Abstract
The disclosed technology is generally directed to web authentication. In one example of the technology, authentication of a broker with an identity provider is initiated. The broker is a first application that is executing in a top-level frame. At the broker, from a second application that is executing on a first descendent frame that is a descendant frame of the top-level frame, a token request is received. Via the broker, a first token is requested from the identity provider on behalf of the second application. The first token is associated with an authorization of secure delegated remote access of at least one resource by the second application. At the broker, from the identity provider, the first token is received. Via the broker, the first token is provided to the second application.
Claims
We claim:
1. An apparatus, comprising: at least one memory adapted to store run-time data, and at least one processor that is adapted to execute processor-executable code that, in response to execution, enables the apparatus to perform actions, including: initiating authentication of a broker with an identity provider, wherein the broker is a first application that is executing in a top-level frame; receiving, at the broker, from a second application that is executing on a first descendant frame that is a descendant frame of the top-level frame, a token request; via the broker, requesting a first token from the identity provider on behalf of the second application, wherein the first token is associated with an authorization of secure delegated remote access of at least one resource by the second application; receiving, at the broker, from the identity provider, the first token; and via the broker, providing the first token to the second application.
2. The apparatus of claim 1, wherein the first descendant frame is a child frame of the top-level frame.
3. The apparatus of claim 1, wherein the first descendant frame is an inline frame of the top-level frame.
4. The apparatus of claim 1, wherein the first token is an access token.
5. The apparatus of claim 1, wherein initiating the authentication of the broker includes: redirecting a user from the top-level frame to the identity provider; and receiving, via the broker, an authorization code from the identity provider.
6. The apparatus of claim 1, wherein the at least one resource includes an authenticated application programming interface (API) call.
7. The apparatus of claim 1, wherein the first token is an identity token that identifies a user.
8. The apparatus of claim 1, wherein requesting the first token from the identity provider is accomplished via a browser that prohibits third-party cookies.
9. The apparatus of claim 1, the actions further including: requesting, via the broker, a refresh token from the identity provider; and receiving the refresh token from the identity provider.
10. The apparatus of claim 9, wherein requesting the first token from the identity provider includes making the request for the first token from the identity provider such that the request includes the refresh token.
11. A method, comprising: sending authentication communication from a broker to an identity provider, wherein the broker is a first application that is executing in a top-level frame; receiving, at the broker, a token request from a second application that is executing on a first descendant frame that is a descendant frame of the top-level frame; communicating a token request from the broker to the identity provider on behalf of the second application, wherein the token request is a request for a first token that is associated with an authorization of secure delegated remote access of at least one resource by the second application; receiving, at the broker, the first token from the identity provider; and communicating the first token from the broker to the second application.
12. The method of claim 11, wherein sending the authentication communication includes: redirecting a user from the top-level frame to the identity provider; and receiving, via the broker, an authorization code from the identity provider.
13. The method of claim 11, wherein the descendant frame has provided authorization to the top-level frame to act as a broker on behalf of the first descendant frame.
14. The method of claim 11, further comprising: requesting, via the broker, a refresh token from the identity provider, and receiving the refresh token from the identity provider.
15. The method of claim 14, wherein requesting the first token from the identity provider includes making a request for the first token from the identity provider such that the request includes the refresh token.
16. A processor-readable storage medium, having stored thereon processor-executable code that, upon execution by at least one processor, enables actions, comprising: beginning a communication of authentication of a token broker application with an authorization server, wherein the token broker application is executing in a top-level frame; receiving, at the token broker application, a token request from an embedded application that is executing on a first descendant frame that is a descendant inline frame of the top-level frame; via the token broker application, requesting an access token from the authorization server on behalf of the embedded application, wherein the access token is associated with an authorization of secure delegated remote access of at least one resource by the embedded application; receiving, at the token broker application, from the authorization server, the requested access token; and via the token broker application, providing the requested access token to the embedded application.
17. The processor-readable storage medium of claim 16, wherein beginning the communication of the authentication of the token broker application includes: redirecting a user from the top-level frame to the authorization server, and receiving, via the token broker application, an authorization code from the authorization server.
18. The processor-readable storage medium of claim 16, wherein the at least one resource includes an authenticated application programming interface (API) call.
19. The processor-readable storage medium of claim 16, the actions further comprising: requesting, via the token broker application, a refresh token from the authentication server; and receiving the refresh token from the authentication server.
20. The processor-readable storage medium of claim 19, wherein requesting the access token from the authentication server includes making a request for the access token from the authorization server such that the request includes the refresh token.
CPC classification titles:
H04L63/0807: using tickets or tokens, e.g. Kerberos (network architectures or network communication protocols for entity authentication using tickets in a packet data network)
H04L9/3213: using tickets, e.g. Kerberos (cryptographic mechanisms or cryptographic arrangements for entity authentication using tickets or tokens)
Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding
Brokering proxy services
Protocols