[Openid-specs-ab] Front-channel logout broken by SameSite behavior

George Fletcher gffletch at aol.com
Tue Apr 14 15:39:18 UTC 2020


Where did we land on the front-channel logout issue from one of our 
recent calls? It appears the Brave browser has the SameSite behavior 
enabled by default even if Chrome doesn't. Chains of full page redirects 
will continue to work... but the UX for that is not very good and it's 
also likely for the redirect chains to be broken by the user so not all 
relying parties will get notified.

We discussed passing a value on the front-channel redirect URL though I 
believe that could have some DoS implications depending on what the 
value is that is passed.

Given that Chrome has experimental UI (that can be enabled) to ask the 
user if they want to block 3rd party cookies, I don't think relying on 
flagging all cookies needed in iframes as SameSite=none is viable.

Back can work... but it adds a lot of complexity for relying parties as 
they have to maintain state.
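To make the distinction in the message concrete, here is an added model (not code from the thread, the spec, or any browser) of how Lax-by-default SameSite handling decides whether a relying party's session cookie accompanies the logout request: it is sent on a top-level full-page redirect but withheld from a cross-site iframe load unless the cookie carries SameSite=None with Secure. The Cookie and Context names and the simplified rules are assumptions for illustration.

```python
"""Model of how a browser's SameSite rules decide whether a relying party's
session cookie accompanies the request that performs front-channel logout.

Added illustration, not code from the thread or from any browser. It assumes
the simplified "Lax-by-default" behaviour the message refers to: a cookie with
no SameSite attribute is treated as Lax, and SameSite=None requires Secure.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Context(Enum):
    """How the logout URI is fetched (the two mechanisms the message compares)."""
    TOP_LEVEL_NAVIGATION = "top-level GET navigation (full page redirect chain)"
    CROSS_SITE_IFRAME = "cross-site <iframe> subresource load"


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: Optional[str]   # "Strict", "Lax", "None", or None (attribute absent)
    secure: bool


def effective_same_site(cookie: Cookie) -> str:
    """Lax-by-default: an absent attribute behaves as Lax; None without Secure is rejected."""
    if cookie.same_site is None:
        return "Lax"
    if cookie.same_site == "None" and not cookie.secure:
        return "Rejected"      # browsers drop SameSite=None cookies that lack Secure
    return cookie.same_site


def cookie_sent(cookie: Cookie, context: Context, cross_site: bool = True) -> bool:
    """Return True if the cookie accompanies the logout request in the given context."""
    mode = effective_same_site(cookie)
    if mode == "Rejected":
        return False
    if not cross_site:
        return True            # same-site requests always carry the cookie
    if mode == "None":
        return True            # explicitly opted in to cross-site use
    if mode == "Lax":
        # Lax cookies ride along on top-level navigations only, never on iframe loads
        return context is Context.TOP_LEVEL_NAVIGATION
    return False               # Strict: never on cross-site requests


def logout_outcomes(cookie: Cookie) -> Dict[str, bool]:
    """Whether the RP can recognise the session when the OP triggers logout each way."""
    return {ctx.value: cookie_sent(cookie, ctx) for ctx in Context}
```

Running `logout_outcomes` on a cookie with no SameSite attribute shows why the redirect chain keeps working while the iframe mechanism silently fails to identify the session.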

