[Openid-specs-ab] Issue #1003: Document possible impacts of disabling third-party cookies on front-channel logout (openid/connect)

Vladimir Dzhuvinov vladimir at connect2id.com
Thu Sep 1 07:43:14 UTC 2016
On 31/08/16 23:02, Mike Jones via Openid-specs-ab wrote:
> As a practical matter, if the user has taken an explicit step to disable third party cookies in their browser, they’ve also broken a whole lot of web scenarios besides this one.  I think that our obligation is just to inform implementers and deployers of the possible consequences of this user choice.  That’s what the issue is about.
>
> If you want guaranteed logout, you have to instead go the (much heavier weight) back-channel logout specification.

Even with back-channel logout I'm not sure we can truly guarantee logout.

BTW, here are some stats regarding 3rd party cookies. The site reports
21% of visitors having them turned off. With Safari that seems to be the
default setting.

https://www.grc.com/cookies/stats.htm

The good thing is that the RP can fairly reliably detect if 3rd party
cookies are disabled, and inform the user upon OIDC login that
front-channel logout would not work (unless the RP falls back to
periodic prompt=none). One way to do this is to try the iframe check
straight after login, and if that fails, then the RP can assume that 3rd
party cookies are disabled. This or something similar could be mentioned
in the spec.

Cheers,
Vladimir
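One way to implement the iframe check described above, as an added example that is not code from this thread or from any OpenID Connect implementation. It assumes a hypothetical OP probe page at PROBE_URL that sets a cookie, reloads itself once and reports via postMessage whether the cookie came back; the decision logic is kept in a separate pure function so the fallback (periodic prompt=none, warning the user) is explicit.

```javascript
// Added example, not code from the thread or from any OIDC implementation.
// Assumptions: the OP hosts a hypothetical probe page at PROBE_URL that sets a
// cookie, reloads itself once, and postMessage()s "cookie-ok" (cookie came back)
// or "cookie-missing" (it did not) to the embedding RP page.
const PROBE_URL = "https://op.example.com/cookie-probe"; // hypothetical endpoint

// RP policy derived from the probe result. Pure, so it can run outside a browser.
// A probe that never answers is treated like a blocked cookie: the RP cannot
// assume the OP session cookie will be sent inside its iframe at logout time.
function logoutStrategy(result) {
  if (result === "cookie-ok") {
    return { frontChannelLogout: true, pollPromptNone: false, warnUser: false };
  }
  if (result === "cookie-missing" || result === "timeout") {
    return { frontChannelLogout: false, pollPromptNone: true, warnUser: true };
  }
  throw new Error("unexpected probe result: " + result);
}

// Runs the iframe check straight after login. `win` is injected (pass `window`
// in a browser) so the flow can be exercised with a stub outside a browser.
function probeThirdPartyCookies(win, probeUrl = PROBE_URL, timeoutMs = 3000) {
  return new Promise((resolve) => {
    const expectedOrigin = new URL(probeUrl).origin;
    const frame = win.document.createElement("iframe");
    let timer = null;

    function finish(result) {
      clearTimeout(timer);
      win.removeEventListener("message", onMessage);
      if (frame.parentNode) frame.parentNode.removeChild(frame);
      resolve(result);
    }
    function onMessage(ev) {
      // Only trust answers from the OP origin; other frames may post messages too.
      if (ev.origin !== expectedOrigin) return;
      if (ev.data === "cookie-ok" || ev.data === "cookie-missing") finish(ev.data);
    }

    win.addEventListener("message", onMessage);
    timer = setTimeout(() => finish("timeout"), timeoutMs);
    frame.style.display = "none";
    frame.src = probeUrl;
    win.document.body.appendChild(frame);
  });
}

// Browser usage: probeThirdPartyCookies(window).then(logoutStrategy)
```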

>                                                        -- Mike
>
> From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Nick Roy via Openid-specs-ab
> Sent: Wednesday, August 31, 2016 12:41 PM
> To: Filip Skokan <panva.ip at gmail.com>
> Cc: Michael Jones <issues-reply at bitbucket.org>; openid-specs-ab at lists.openid.net
> Subject: Re: [Openid-specs-ab] Issue #1003: Document possible impacts of disabling third-party cookies on front-channel logout (openid/connect)
>
> Isn't enabling SLO without a guarantee of universal logout dangerous?  People will walk away from browsers with an expectation that they've logged out.  I don't want to undermine things, but I worry about the security implications and the difficulty of user education in shared environments.
>
> Best,
>
> Nick
> On 8/31/16 1:28 PM, Filip Skokan wrote:
> In those cases RP logout will not be performed as reported by the original contributors. Since clients may not even support any form of downstream logout it's not like the OP can guarantee SLO anyway.
>
> I would be interested if this is a globally applicable case or just user-agent specific.
>
> Sent from my iPhone
>
> On 31 Aug 2016, at 21:10, Nick Roy <nroy at internet2.edu<mailto:nroy at internet2.edu>> wrote:
> What if the user declines to accept cookies for the third party?
>
> Nick
> On 8/31/16 9:58 AM, Filip Skokan wrote:
> I am not aware of any issues in the regulatory part. After all you're loading content of the third party but not directly accessing it. It's the third party RP handling the logout itself.
>
> Sent from my iPhone
>
> On 31 Aug 2016, at 15:38, Nick Roy via Openid-specs-ab <openid-specs-ab at lists.openid.net<mailto:openid-specs-ab at lists.openid.net>> wrote:
>
> Will this be a problem in the EU re: privacy laws?
>
> Best,
>
> Nick
>
> On Aug 30, 2016 7:35 PM, Michael Jones via Openid-specs-ab <openid-specs-ab at lists.openid.net<mailto:openid-specs-ab at lists.openid.net>> wrote:
> New issue 1003: Document possible impacts of disabling third-party cookies on front-channel logout
> https://bitbucket.org/openid/connect/issues/1003/document-possible-impacts-of-disabling
>
> Michael Jones:
>
> Contributors have described that their front-channel logout implementations do not work when third-party cookies are disabled.  The working group should discuss this situation and at a minimum, document that front-channel logout may/will not work with third-party cookies disabled, and describe why this is the case.  If it is possible to work around this situation, the work-arounds should also be described.
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net<mailto:Openid-specs-ab at lists.openid.net>
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
