[Openid-specs-ab] Issue #1003: Document possible impacts of disabling third-party cookies on front-channel logout (openid/connect)

Nick Roy nroy at internet2.edu
Wed Aug 31 20:03:16 UTC 2016



On 8/31/16 2:02 PM, Mike Jones wrote:
>
> As a practical matter, if the user has taken an explicit step to 
> disable third party cookies in their browser, they’ve also broken a 
> whole lot of web scenarios besides this one. I think that our 
> obligation is just to inform implementers and deployers of the 
> possible consequences of this user choice.  That’s what the issue is 
> about.
>
> If you want guaranteed logout, you have to instead go the (much 
> heavier weight) back-channel logout specification.
>

Thanks Mike, understood.

Nick

>               -- Mike
>
> *From:*Openid-specs-ab 
> [mailto:openid-specs-ab-bounces at lists.openid.net] *On Behalf Of *Nick 
> Roy via Openid-specs-ab
> *Sent:* Wednesday, August 31, 2016 12:41 PM
> *To:* Filip Skokan <panva.ip at gmail.com>
> *Cc:* Michael Jones <issues-reply at bitbucket.org>; 
> openid-specs-ab at lists.openid.net
> *Subject:* Re: [Openid-specs-ab] Issue #1003: Document possible 
> impacts of disabling third-party cookies on front-channel logout 
> (openid/connect)
>
> Isn't enabling SLO without a guarantee of universal logout dangerous?  
> People will walk away from browsers with an expectation that they've 
> logged out.  I don't want to undermine things, but I worry about the 
> security implications and the difficulty of user education in shared 
> environments.
>
> Best,
>
> Nick
>
> On 8/31/16 1:28 PM, Filip Skokan wrote:
>
>     In those cases RP logout will not be performed as reported by the
>     original contributors. Since clients may not even support any form
>     of downstream logout it's not like the OP can guarantee SLO anyway.
>
>     I would be interested if this is a globally applicable case or
>     just user-agent specific.
>
>     Sent from my iPhone
>
>
>     On 31 Aug 2016, at 21:10, Nick Roy <nroy at internet2.edu
>     <mailto:nroy at internet2.edu>> wrote:
>
>         What if the user declines to accept cookies for the third party?
>
>         Nick
>
>         On 8/31/16 9:58 AM, Filip Skokan wrote:
>
>             I am not aware of any issues in the regulatory part.
>             After all, you're loading content of the third party but not
>             directly accessing it. It's the third party RP handling
>             the logout itself.
>
>             Sent from my iPhone
>
>
>             On 31 Aug 2016, at 15:38, Nick Roy via Openid-specs-ab
>             <openid-specs-ab at lists.openid.net
>             <mailto:openid-specs-ab at lists.openid.net>> wrote:
>
>                 Will this be a problem in the EU re: privacy laws?
>
>                 Best,
>
>                 Nick
>
>                 On Aug 30, 2016 7:35 PM, Michael Jones via
>                 Openid-specs-ab <openid-specs-ab at lists.openid.net
>                 <mailto:openid-specs-ab at lists.openid.net>> wrote:
>
>                     New issue 1003: Document possible impacts of
>                     disabling third-party cookies on front-channel logout
>                     https://bitbucket.org/openid/connect/issues/1003/document-possible-impacts-of-disabling
>
>                     Michael Jones:
>
>                     Contributors have described that their
>                     front-channel logout implementations do not work
>                     when third-party cookies are disabled.  The
>                     working group should discuss this situation and at
>                     a minimum, document that front-channel logout
>                     may/will not work with third-party cookies
>                     disabled, and describe why this is the case.  If
>                     it is possible to work around this situation, the
>                     work-arounds should also be described.
>
>
>                     _______________________________________________
>                     Openid-specs-ab mailing list
>                     Openid-specs-ab at lists.openid.net
>                     <mailto:Openid-specs-ab at lists.openid.net>
>                     http://lists.openid.net/mailman/listinfo/openid-specs-ab
>

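The mechanism this thread is arguing about, as an added worked example that is not part of the original message or of the OpenID Connect specifications: the OP's logout page embeds one iframe per RP pointing at that RP's frontchannel_logout_uri (with iss and sid as query parameters), and the RP can only find the session to terminate through its own cookie, which in that iframe is a third-party cookie. When the user has blocked third-party cookies the request arrives with no cookie, the RP has nothing to log out, and the OP has no way to tell. Back-channel logout instead has the OP POST a signed logout token to the RP's backchannel_logout_uri and the RP terminates the session by sid or sub on the server side, so the browser's cookie policy does not matter. The hostnames op.example and rp.example, the client ID client-1, the HS256 shared secret (standing in for the OP's asymmetric signing key that a real RP would fetch from the OP's JWKS) and the in-memory session layout are all assumptions made for this simulation; the claim checks in backchannel_logout follow the Back-Channel Logout draft (iss, aud, iat, jti, an events claim carrying the backchannel-logout event, sid and/or sub, and no nonce).

```python
"""Constructed simulation: why OpenID Connect front-channel logout silently fails when the
browser blocks third-party cookies, and why back-channel logout does not. Hosts, client IDs,
the HS256 shared secret and the session layout are assumptions made for this example."""
import base64, hashlib, hmac, json, time, uuid

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
SECRET = b"example-shared-secret"  # assumption; a real OP signs logout tokens with its JWKS key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_logout_token(issuer, client_id, sid=None, sub=None, extra=None):
    """Build a back-channel logout token (JWT); `extra` lets a caller inject bad claims."""
    claims = {"iss": issuer, "aud": client_id, "iat": int(time.time()),
              "jti": uuid.uuid4().hex, "events": {BACKCHANNEL_EVENT: {}}}
    claims.update({**{k: v for k, v in (("sid", sid), ("sub", sub)) if v}, **(extra or {})})
    head, body = (_b64url(json.dumps(p).encode()) for p in ({"alg": "HS256", "typ": "JWT"}, claims))
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_hs256(token):
    """Return the JWT claims if the HS256 signature verifies, else None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64url_decode(head)).get("alg") != "HS256":
            return None  # never let the token pick the algorithm
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        return json.loads(_b64url_decode(body)) if hmac.compare_digest(expected, _b64url_decode(sig)) else None
    except (ValueError, AttributeError):  # malformed token, bad base64 or bad JSON
        return None

class Browser:
    """Cookie jar (host -> {name: value}) with the user's third-party-cookie switch."""
    def __init__(self, third_party_cookies):
        self.third_party_cookies, self.jar = third_party_cookies, {}

    def cookies_for(self, frame_host, top_level_host):
        # A cookie is third-party when the framed host differs from the top-level page host.
        if frame_host != top_level_host and not self.third_party_cookies:
            return {}
        return dict(self.jar.get(frame_host, {}))

class RP:
    def __init__(self, host, client_id, issuer):
        self.host, self.client_id, self.issuer = host, client_id, issuer
        self.sessions, self.seen_jti = {}, set()  # sessions: cookie value -> {"sub", "sid"}

    def login(self, browser, sub, sid):
        cookie = uuid.uuid4().hex
        self.sessions[cookie] = {"sub": sub, "sid": sid}
        browser.jar.setdefault(self.host, {})["rp_session"] = cookie

    def frontchannel_logout(self, cookies, iss, sid):
        """GET frontchannel_logout_uri?iss=..&sid=.. in an iframe: the RP's cookie is its only session link."""
        session = self.sessions.get(cookies.get("rp_session"))
        if session is None or iss != self.issuer or session["sid"] != sid:
            return False  # no cookie (or a mismatch): nothing this request may terminate
        del self.sessions[cookies["rp_session"]]
        return True

    def backchannel_logout(self, logout_token):
        """POST backchannel_logout_uri with logout_token=<JWT>: server to server, no browser cookie."""
        c = verify_hs256(logout_token)
        ok = (c is not None and c.get("iss") == self.issuer and c.get("aud") == self.client_id
              and "iat" in c and "nonce" not in c  # a nonce is forbidden in a logout token
              and ("sid" in c or "sub" in c) and isinstance(c.get("events"), dict)
              and BACKCHANNEL_EVENT in c["events"]
              and c.get("jti") is not None and c["jti"] not in self.seen_jti)  # reject replays
        if not ok:
            return False
        self.seen_jti.add(c["jti"])
        key = "sid" if "sid" in c else "sub"  # a sid names one session; sub alone means all of them
        doomed = [k for k, s in self.sessions.items() if s[key] == c[key]]
        for k in doomed:
            del self.sessions[k]
        return bool(doomed)

class OP:
    def __init__(self, host):
        self.host, self.issuer = host, f"https://{host}"

    def frontchannel_logout(self, browser, sid, rps):
        """The OP's logout page embeds one iframe per RP; each is a cross-site request for that RP's cookie."""
        return {rp.host: rp.frontchannel_logout(browser.cookies_for(rp.host, self.host), self.issuer, sid)
                for rp in rps}

    def backchannel_logout(self, sid, rps):
        return {rp.host: rp.backchannel_logout(make_logout_token(self.issuer, rp.client_id, sid=sid))
                for rp in rps}

def run_logout(third_party_cookies, channel):
    """Log a user into one RP through the OP, log out via "front" or "back", report whether it worked."""
    browser, op = Browser(third_party_cookies), OP("op.example")
    rp = RP("rp.example", "client-1", op.issuer)
    rp.login(browser, sub="alice", sid="sid-123")
    (op.frontchannel_logout(browser, "sid-123", [rp]) if channel == "front"
     else op.backchannel_logout("sid-123", [rp]))
    return not any(s["sid"] == "sid-123" for s in rp.sessions.values())
```

run_logout(True, "front") and both back-channel runs terminate the RP session; run_logout(False, "front") leaves it alive while the OP's logout page still renders as if everything succeeded, which is the "user walks away believing they are logged out" case raised in the thread. The RP's backchannel_logout also shows the checks that make the heavier-weight option safe to expose as an unauthenticated endpoint: signature and algorithm pinning, issuer and audience match, the events claim, the nonce prohibition, and jti replay rejection.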