[Openid-specs-ab] Third-Party Cookies and Front Channel Logout
Prateek.Mishra at oracle.com
Mon Aug 29 20:09:09 UTC 2016
Agreed, Torsten, we would like to see a solution to the problem as well.
I believe that the “OpenID Session Management 1.0” specification suffers from the same problem,
but I have personally not worked with this specification.
Mike - could we please add this issue to the next AB call agenda?
> On Aug 29, 2016, at 8:48 AM, torsten at lodderstedt.net wrote:
> Hi Prateek,
> we are facing the same problem. Describing it in the spec is definitely the minimum. Better would be to come up with a viable solution.
> best regards,
> -------- Original Message --------
> From: Prateek Mishra via Openid-specs-ab <openid-specs-ab at lists.openid.net>
> Sent: Friday, August 26, 2016 02:56 AM
> To: openid-specs-ab at lists.openid.net
> Subject: [Openid-specs-ab] Third-Party Cookies and Front Channel Logout
> The OIDC Front Channel Logout draft specification uses HTTP GETs to RP URLs that clear login state.
> http://openid.net/specs/openid-connect-frontchannel-1_0.html
> This typically takes the form of an OP loading a page with <iframe src="frontchannel_logout_uri"> or <img src="front_channel_logout_uri">
> However, modern browsers allow users to “block third party cookies” and this setting means that the logout at the RP will fail (unable to remove previously
> established RP cookie). Our implementation and test teams have found this to be a really confusing situation for end-users.
> Have implementors had any success with alternatives or work-arounds? At a minimum we should capture this behavior in the draft specification.
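The failure described in this thread, as an added example that is not part of either message or of the specification: a constructed model of a browser cookie jar in which the OP's logout page loads the RP's logout URI in an iframe, once with third-party cookies allowed and once with them blocked. The hosts, cookie name and handler names are hypothetical, and the model assumes that blocking suppresses both the `Cookie` header and any `Set-Cookie` on a third-party request.

```javascript
// Constructed model; hosts, cookie names and handlers are hypothetical.
// "Third party" is simplified to "request host differs from the top-level host".
class Browser {
  constructor({ blockThirdPartyCookies }) {
    this.block = blockThirdPartyCookies;
    this.jar = new Map(); // host -> Map(cookieName -> value)
  }
  // Issue a GET to `host` while `topLevelHost` is the page in the address bar.
  get(topLevelHost, host, handler) {
    const thirdParty = host !== topLevelHost;
    const usable = !(thirdParty && this.block);
    const stored = this.jar.get(host) || new Map();
    const sent = usable ? new Map(stored) : new Map(); // blocked: no Cookie header
    const res = handler(sent);
    if (usable) {                                      // blocked: Set-Cookie is dropped
      for (const [name, value] of Object.entries(res.setCookie || {})) {
        if (value === null) stored.delete(name); else stored.set(name, value);
      }
      this.jar.set(host, stored);
    }
    return res;
  }
}

// RP side: server-side session store plus login and front-channel logout handlers.
function makeRp() {
  const sessions = new Set();
  return {
    sessions,
    login: () => { sessions.add("s1"); return { setCookie: { rp_session: "s1" } }; },
    frontchannelLogout: (cookies) => {
      const sid = cookies.get("rp_session");
      if (!sid) return { outcome: "no_cookie_presented" }; // worth logging at the RP
      sessions.delete(sid);
      return { outcome: "logged_out", setCookie: { rp_session: null } };
    },
  };
}

// Log in at the RP as a first party, then let the OP page load the RP logout URI in an iframe.
function simulate(blockThirdPartyCookies) {
  const browser = new Browser({ blockThirdPartyCookies });
  const rp = makeRp();
  browser.get("rp.example", "rp.example", rp.login);
  const res = browser.get("op.example", "rp.example", rp.frontchannelLogout);
  const cookieLeft = (browser.jar.get("rp.example") || new Map()).has("rp_session");
  return { outcome: res.outcome, cookieLeft, serverSessionLeft: rp.sessions.has("s1") };
}

console.log(simulate(false), simulate(true));
```

With blocking enabled, the RP receives the logout request without its session cookie, so both the browser cookie and the server-side session survive the OP logout.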