[Openid-specs-ab] 3rd party and SameSite cookies (was Browser Interactions STC - Meeting Notes - 2021-05-05)

Brian Campbell bcampbell at pingidentity.com
Fri May 7 21:37:14 UTC 2021

My apologies for joining this call late and in the middle of discussions on
a topic that I'm hoping to reconcile understanding on. I said I'd send a
message seeking clarification on that topic. So here is that message. But
I'm struggling to articulate it so please bear with me.

In identity protocols, a cross-site navigation resulting in a POST request
typically happens by the first site returning an HTML page that has a
form that is auto-submitted via JavaScript to the second site. That's how
SAML Post binding works. And so does the OIDC/OAuth form post response mode.

(As best I understand it anyway) a previously set cookie with SameSite=None
will be sent by the browser on such a top-level cross-site POST request.
Some folks have suggested that that will change with 3rd party cookies
going away and that even a SameSite=None cookie will no longer be sent in
that situation. But in my mental model of this stuff, the situation will be
unchanged by 3rd party cookies going away - it's a cross-site request but
because it is a top-level navigation the cookies are 1st party. SameSite
enforcement is in place so SameSite=None cookies will be sent. But it's not
3rd party so is not impacted by disappearance or partitioning of 3rd party

Anyway, that's what I'm hoping Sam can provide clarification on. Mostly for
the benefit of my own understanding but also for the benefit of the group
here as recent discussions have suggested that folks have divergent
understanding and expectations of things.

That behaviour changing would be problematic, for example and as others
have pointed out, because OIDC RPs receiving an ID token via the form post
response mode need the 'nonce cookie
<https://openid.net/specs/openid-connect-core-1_0.html#NonceNotes>' value
(which ties the ID token to the browser the SSO flow was initiated on) at
that point in validating the token. Maybe further confusing things is that
at least in Chrome there was a temporary(?) exception made for the nonce
cookie case with the rollout of the SameSite default change to Lax - the
"Lax + POST mitigation" section at
https://www.chromium.org/updates/same-site/faq and it looks like there's an
attempt to capture that in the coming update to RFC 6265

On Wed, May 5, 2021 at 12:49 PM Tim Cappalli via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> Hey all,
> Here are the meeting notes from today's special topic call. Please feel
> free to add or correct anything.
> openid / connect / wiki / Browser Interactions Special Topics Call -
> 20210505 — Bitbucket
> <https://bitbucket.org/openid/connect/wiki/Browser%20Interactions%20Special%20Topics%20Call%20-%2020210505>
> Next meeting is in two weeks on May 19th (UTC).
> Tim

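The nonce cookie check that the message above describes an RP performing on a form post response, as an added example that is not part of the original email or of any OpenID project code. It follows the approach in the linked OIDC Core nonce notes (random value in an HttpOnly cookie, its hash as the `nonce` parameter); the cookie name `rp_nonce` and the function names are hypothetical, and the ID token claims are assumed to have already passed signature validation.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional, Tuple

COOKIE_NAME = "rp_nonce"  # hypothetical cookie name chosen for this example


def nonce_for(cookie_value: str) -> str:
    """Nonce sent in the authentication request: a hash of the cookie value."""
    return hashlib.sha256(cookie_value.encode()).hexdigest()


def start_login() -> Tuple[str, str]:
    """Return (Set-Cookie header value, nonce request parameter)."""
    value = secrets.token_urlsafe(32)
    jar = SimpleCookie()
    jar[COOKIE_NAME] = value
    morsel = jar[COOKIE_NAME]
    morsel["path"] = "/"
    morsel["httponly"] = True    # keep the value away from page scripts
    morsel["secure"] = True      # browsers require Secure with SameSite=None
    morsel["samesite"] = "None"  # so the cookie accompanies the cross-site POST
    return morsel.OutputString(), nonce_for(value)


def check_callback(cookie_header: Optional[str], claims: dict) -> str:
    """Classify a form_post callback as 'ok', 'cookie_missing' or 'nonce_mismatch'.

    claims: ID token claims, assumed already signature-validated.
    """
    jar = SimpleCookie(cookie_header or "")
    if COOKIE_NAME not in jar:
        # The browser withheld the cookie on the cross-site POST (or it was
        # never set). Reported separately so the RP can tell a cookie-policy
        # problem apart from a token bound to a different browser session.
        return "cookie_missing"
    expected = nonce_for(jar[COOKIE_NAME].value)
    presented = str(claims.get("nonce", ""))
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return "nonce_mismatch"
    return "ok"
```

Logging the `cookie_missing` outcome separately from `nonce_mismatch` gives an RP operator a direct signal if a browser stops sending the cookie on the form post callback.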