[Openid-specs-ab] Third-Party Cookies and Front Channel Logout

Mike Jones Michael.Jones at microsoft.com
Mon Aug 29 21:00:29 UTC 2016

Sure, sounds like a good discussion to have.  The next call is at 7am Pacific time on Thursday.

I know that we’ve talked about this before and my memory is that if the user has turned off third party cookies, that implementations are unlikely to work.  But a fair point is that we haven’t captured this information and the causes behind it in the specs to date.  I agree that, at the minimum, we should do this.

                                                                -- Mike

From: Prateek Mishra [mailto:Prateek.Mishra at oracle.com]
Sent: Monday, August 29, 2016 1:09 PM
To: torsten at lodderstedt.net
Cc: openid-specs-ab at lists.openid.net; Mike Jones
Subject: Re: [Openid-specs-ab] Third-Party Cookies and Front Channel Logout

Agreed, Torsten, we would like to see a solution to the problem as well.

I believe that the “OpenID Session Management 1.0” specification suffers from the same problem,
but I have personally not worked with this specification.

Mike - could we please add this issue to the next AB call agenda?


On Aug 29, 2016, at 8:48 AM, torsten at lodderstedt.net<mailto:torsten at lodderstedt.net> wrote:

Hi Prateek,
we are facing the same problem. Describing it in the spec is definitely the minimum. Better would be to come up with a viable solution.
best regards,

-------- Original Message --------
From: Prateek Mishra via Openid-specs-ab <openid-specs-ab at lists.openid.net<mailto:openid-specs-ab at lists.openid.net>>
Sent: Friday, August 26, 2016 02:56 AM
To: openid-specs-ab at lists.openid.net<mailto:openid-specs-ab at lists.openid.net>
Subject: [Openid-specs-ab] Third-Party Cookies and Front Channel Logout

The OIDC Front Channel Logout draft specification uses HTTP GETs to RP URLs that clear login state.


This typically takes the form of an OP loading a page with <iframe src="frontchannel_logout_uri"> or <img src="frontchannel_logout_uri">

However, modern browsers allow users to “block third party cookies” and this setting means that the logout at the RP will fail (unable to remove previously established RP cookie). Our implementation and test teams have found this to be a really confusing situation for end-users.

Have implementors had any success with alternatives or work-arounds? At a minimum we should capture this behavior in the draft specification.


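The failure mode described in this thread, as an added example that is not part of the original mailing-list posts: a minimal RP-side handler for the frontchannel_logout_uri GET, simulated once with the RP session cookie attached (the OP's iframe/img request arrives with the cookie and the RP can clear its session) and once without it (third-party cookies blocked, so the browser never sends the RP cookie and there is nothing the handler can clear). The cookie name, session store, and the `outcome` labels are constructed for this illustration; the optional `iss`/`sid` query parameters and the no-cache response headers follow the Front-Channel Logout draft, and the handler refuses to clear a session whose `iss`/`sid` do not match the request, so an OP cannot log out a session it did not establish.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

SESSION_COOKIE = "rp_session"  # constructed cookie name for this example

# Constructed in-memory session store: cookie value -> session established
# at login, remembering which OP (iss) and OP session (sid) it came from.
def make_store():
    return {"c0okie123": {"iss": "https://op.example.com", "sid": "sid-abc", "sub": "user1"}}


def handle_frontchannel_logout(url, headers, sessions):
    """RP endpoint for the OP's front-channel logout GET.

    Returns (status, response_headers, outcome). Always answers 200 so the
    OP's logout page does not break; `outcome` is what an operator would log
    to see how often logout silently does nothing because no cookie arrived.
    """
    query = parse_qs(urlsplit(url).query)
    iss = query.get("iss", [None])[0]
    sid = query.get("sid", [None])[0]
    # The draft requires the RP response not to be cached, otherwise a later
    # logout could be satisfied from cache without ever reaching the RP.
    resp = {"Cache-Control": "no-cache, no-store", "Pragma": "no-cache"}

    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    token = jar[SESSION_COOKIE].value if SESSION_COOKIE in jar else None
    if token is None:
        # Third-party cookies blocked (or no session): the browser did not
        # send the RP cookie, so the RP cannot identify any session to clear.
        return 200, resp, "no_cookie"

    session = sessions.get(token)
    if session is None:
        return 200, resp, "unknown_session"
    if iss is not None and sid is not None and (iss != session["iss"] or sid != session["sid"]):
        # Only the OP that established this session may end it.
        return 200, resp, "sid_mismatch"

    del sessions[token]
    resp["Set-Cookie"] = f"{SESSION_COOKIE}=; Max-Age=0; Path=/; Secure; HttpOnly"
    return 200, resp, "cleared"


def simulate_logout(block_third_party_cookies, sessions):
    """Model the browser fetching the OP's <iframe src=frontchannel_logout_uri>.

    In a cross-site iframe the RP cookie is a third-party cookie; with the
    browser setting "block third-party cookies" it is simply not attached.
    """
    url = "https://rp.example.com/fc-logout?iss=https://op.example.com&sid=sid-abc"
    headers = {} if block_third_party_cookies else {"Cookie": f"{SESSION_COOKIE}=c0okie123"}
    _, _, outcome = handle_frontchannel_logout(url, headers, sessions)
    return outcome, len(sessions)


if __name__ == "__main__":
    print("cookies allowed :", simulate_logout(False, make_store()))  # ('cleared', 0)
    print("cookies blocked :", simulate_logout(True, make_store()))   # ('no_cookie', 1)
```

Counting the `no_cookie` outcome per OP is the cheapest signal an RP has that its users are seeing the confusing "still logged in after logout" behaviour the thread describes; the handler itself cannot do better, because without the cookie there is no session identifier on the request.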