[Openid-specs-ab] Issue #1003: Document possible impacts of disabling third-party cookies on front-channel logout (openid/connect)

Mike Jones Michael.Jones at microsoft.com
Wed Aug 31 20:02:02 UTC 2016


As a practical matter, if the user has taken an explicit step to disable third party cookies in their browser, they’ve also broken a whole lot of web scenarios besides this one.  I think that our obligation is just to inform implementers and deployers of the possible consequences of this user choice.  That’s what the issue is about.

If you want guaranteed logout, you have to instead go the (much heavier weight) back-channel logout specification.

-- Mike

From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Nick Roy via Openid-specs-ab
Sent: Wednesday, August 31, 2016 12:41 PM
To: Filip Skokan <panva.ip at gmail.com>
Cc: Michael Jones <issues-reply at bitbucket.org>; openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Issue #1003: Document possible impacts of disabling third-party cookies on front-channel logout (openid/connect)

Isn't enabling SLO without a guarantee of universal logout dangerous?  People will walk away from browsers with an expectation that they've logged out.  I don't want to undermine things, but I worry about the security implications and the difficulty of user education in shared environments.

Best,

Nick
On 8/31/16 1:28 PM, Filip Skokan wrote:
In those cases RP logout will not be performed as reported by the original contributors. Since clients may not even support any form of downstream logout it's not like the OP can guarantee SLO anyway.

I would be interested if this is a globally applicable case or just user-agent specific.

Sent from my iPhone

On 31 Aug 2016, at 21:10, Nick Roy <nroy at internet2.edu<mailto:nroy at internet2.edu>> wrote:
What if the user declines to accept cookies for the third party?

Nick
On 8/31/16 9:58 AM, Filip Skokan wrote:
I am not aware of any issues in the regulatory part. After all, you're loading content of the third party but not directly accessing it. It's the third party RP handling the logout itself.

Sent from my iPhone

On 31 Aug 2016, at 15:38, Nick Roy via Openid-specs-ab <openid-specs-ab at lists.openid.net<mailto:openid-specs-ab at lists.openid.net>> wrote:

Will this be a problem in the EU re: privacy laws?

Best,

Nick

On Aug 30, 2016 7:35 PM, Michael Jones via Openid-specs-ab <openid-specs-ab at lists.openid.net<mailto:openid-specs-ab at lists.openid.net>> wrote:
New issue 1003: Document possible impacts of disabling third-party cookies on front-channel logout
https://bitbucket.org/openid/connect/issues/1003/document-possible-impacts-of-disabling

Michael Jones:

Contributors have described that their front-channel logout implementations do not work when third-party cookies are disabled.  The working group should discuss this situation and at a minimum, document that front-channel logout may/will not work with third-party cookies disabled, and describe why this is the case.  If it is possible to work around this situation, the work-arounds should also be described.


_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net<mailto:Openid-specs-ab at lists.openid.net>
http://lists.openid.net/mailman/listinfo/openid-specs-ab
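An added example, not part of this thread or of the OpenID Connect specifications (the Browser, RelyingParty and simulate names are illustrative, and token validation is left out): a small model of why front-channel logout depends on the browser sending the RP's session cookie from inside an iframe on the OP's page, so it silently fails when third-party cookies are blocked, while back-channel logout (an OP-to-RP POST of a logout token) ends the session regardless of the cookie policy.

```python
# Added example (not from the thread or the OpenID specs themselves): a small
# model of how OpenID Connect front-channel logout depends on the browser sending
# the RP's session cookie from inside an iframe on the OP's page, and why
# back-channel logout does not. Class and function names are illustrative.
from dataclasses import dataclass, field


@dataclass
class Browser:
    """Models the cookie jar and a 'block third-party cookies' setting."""
    block_third_party_cookies: bool
    jar: dict = field(default_factory=dict)  # (site, cookie name) -> value

    def cookies_for(self, site: str, top_level_site: str) -> dict:
        # A request to `site` made from a page whose top-level origin is
        # `top_level_site` is a third-party request when the two differ.
        if site != top_level_site and self.block_third_party_cookies:
            return {}
        return {name: v for (s, name), v in self.jar.items() if s == site}


class RelyingParty:
    def __init__(self, site: str, issuer: str):
        self.site = site
        self.issuer = issuer       # the OP this RP trusts
        self.sessions = {}         # RP session cookie value -> OP session id (sid)

    def login(self, browser: Browser, sid: str) -> None:
        rp_session = f"rpsess-{len(self.sessions) + 1}"
        self.sessions[rp_session] = sid
        browser.jar[(self.site, "session")] = rp_session  # first-party cookie

    def frontchannel_logout(self, browser: Browser, top_level_site: str,
                            iss: str, sid: str) -> bool:
        # The OP embeds <iframe src="frontchannel_logout_uri?iss=..&sid=..">
        # in its logout page; this is the RP handling that iframe request.
        if iss != self.issuer:
            return False
        cookies = browser.cookies_for(self.site, top_level_site)
        rp_session = cookies.get("session")
        if rp_session is None:
            return False  # no cookie arrived: RP cannot find a session to end
        if self.sessions.get(rp_session) != sid:
            return False  # sid does not match the logged-in OP session
        del self.sessions[rp_session]
        return True

    def backchannel_logout(self, logout_token: dict) -> bool:
        # The OP POSTs a logout token straight to the RP's backchannel_logout_uri
        # (server to server); the browser and its cookie policy are not involved.
        # Signature and claim validation of the token are omitted here.
        if logout_token.get("iss") != self.issuer:
            return False
        sid = logout_token["sid"]
        ended = [k for k, v in self.sessions.items() if v == sid]
        for k in ended:
            del self.sessions[k]
        return bool(ended)


def simulate(block_third_party_cookies: bool, channel: str) -> bool:
    """Log a user in at an RP via the OP, then log out via the given channel.
    Returns True if the RP session was actually terminated."""
    op_site, rp_site, sid = "op.example", "rp.example", "op-session-42"
    issuer = f"https://{op_site}"
    browser = Browser(block_third_party_cookies)
    rp = RelyingParty(rp_site, issuer)
    rp.login(browser, sid)
    if channel == "front":
        # The user is on the OP's logout page, so the top-level site is the OP
        # and the RP iframe request is a third-party request.
        return rp.frontchannel_logout(browser, op_site, iss=issuer, sid=sid)
    if channel == "back":
        return rp.backchannel_logout({"iss": issuer, "sid": sid})
    raise ValueError(f"unknown channel: {channel}")


if __name__ == "__main__":
    for blocked in (False, True):
        for channel in ("front", "back"):
            print(f"third-party cookies blocked={blocked}, {channel}-channel "
                  f"logout -> RP session ended: {simulate(blocked, channel)}")
```

Running the block prints four lines; the only combination in which the RP session survives is front-channel logout with third-party cookies blocked, which is the gap the issue asks the working group to document. A deployment that needs logout to hold even under that browser setting has to use the back-channel path, as the thread says.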


