[Openid-specs-ab] Issue #1003: Document possible impacts of disabling third-party cookies on front-channel logout (openid/connect)

Nick Roy nroy at internet2.edu
Wed Aug 31 19:41:14 UTC 2016


Isn't enabling SLO without a guarantee of universal logout dangerous?  
People will walk away from browsers with an expectation that they've 
logged out.  I don't want to undermine things, but I worry about the 
security implications and the difficulty of user education in shared 
environments.

Best,

Nick

On 8/31/16 1:28 PM, Filip Skokan wrote:
> In those cases RP logout will not be performed as reported by the 
> original contributors. Since clients may not even support any form of 
> downstream logout it's not like the OP can guarantee SLO anyway.
>
> I would be interested if this is a globally applicable case or just 
> user-agent specific.
>
> Sent from my iPhone
>
> On 31 Aug 2016, at 21:10, Nick Roy <nroy at internet2.edu 
> <mailto:nroy at internet2.edu>> wrote:
>
>> What if the user declines to accept cookies for the third party?
>>
>> Nick
>>
>> On 8/31/16 9:58 AM, Filip Skokan wrote:
>>> I am not aware of any issues in the regulatory part. After all you're 
>>> loading content of the third party but not directly accessing it. 
>>> It's the third party RP handling the logout itself.
>>>
>>> Sent from my iPhone
>>>
>>> On 31 Aug 2016, at 15:38, Nick Roy via Openid-specs-ab 
>>> <openid-specs-ab at lists.openid.net 
>>> <mailto:openid-specs-ab at lists.openid.net>> wrote:
>>>
>>>> Will this be a problem in the EU re: privacy laws?
>>>>
>>>> Best,
>>>>
>>>> Nick
>>>>
>>>>
>>>> On Aug 30, 2016 7:35 PM, Michael Jones via Openid-specs-ab 
>>>> <openid-specs-ab at lists.openid.net 
>>>> <mailto:openid-specs-ab at lists.openid.net>> wrote:
>>>>
>>>>     New issue 1003: Document possible impacts of disabling
>>>>     third-party cookies on front-channel logout
>>>>     https://bitbucket.org/openid/connect/issues/1003/document-possible-impacts-of-disabling
>>>>
>>>>     Michael Jones:
>>>>
>>>>     Contributors have described that their front-channel logout
>>>>     implementations do not work when third-party cookies are
>>>>     disabled. The working group should discuss this situation and
>>>>     at a minimum, document that front-channel logout may/will not
>>>>     work with third-party cookies disabled, and describe why this
>>>>     is the case.  If it is possible to work around this situation,
>>>>     the work-arounds should also be described.
>>>>
>>>>
>>>>     _______________________________________________
>>>>     Openid-specs-ab mailing list
>>>>     Openid-specs-ab at lists.openid.net
>>>>     <mailto:Openid-specs-ab at lists.openid.net>
>>>>     http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>>
>>>>
>>
