Question

I would like to build a simple web application and let partners embed it within their sites. I intend to let the partners embed it using an iframe, much like youtube:


The app would require login via third-party authentication providers (e.g. Google, Facebook, OpenID).

Will such an authentication method be a problem within the scope of an iframe?


Solution

This approach may be a little problematic but doable. Many of the authentication providers that use OAuth, for example (Google, Facebook, OpenID), will redirect users to a set URL after they have logged in and authenticated the application. You'll have to figure out a way to get them back to the page they came from (the one with the iframe). I am guessing you can figure out where your iframe is being hosted (window.top, window.parent, etc.), save that information in the SESSION or a COOKIE, then return the user back to the page once they are done authenticating.

OTHER TIPS

An iframe is essentially just a smaller browser window. Since your question doesn't relate to transferring messages to and from the iframe, I'd say the difficulty is exactly the same as implementing those functionalities normally. Either way, you get the user to the auth provider, they log in, and somehow get back to what they were doing, whether it is a full browser window or in an iframe. However, if the iframe is very small, they should probably open a new window.

It could be a problem. Displaying authentication dialogs in an iframe is generally seen as a security risk, and many authentication providers explicitly send an X-Frame-Options: sameorigin header with their authentication pages, preventing compliant browsers (read: nearly all modern browsers) from rendering their authentication pages within an iframe. Looking around, it seems that at least Facebook, Twitter and Google all disallow authentication inside an iframe (this list is certainly not exhaustive). This probably could be taken into consideration by popping up a new browser window for the actual authentication flow, but likely won't be possible inside the iframe itself.

Description of the clickjacking exploit that led to this situation: http://javascript.info/tutorial/clickjacking

Reference documentation for the X-Frame-Options header: http://www.rfc-editor.org/rfc/rfc7034.txt

Licensed under: CC-BY-SA with attribution