[Openid-specs-ab] Third-Party Cookies and Front Channel Logout

Prateek Mishra Prateek.Mishra at oracle.com
Fri Aug 26 00:56:22 UTC 2016


The OIDC Front Channel Logout draft specification uses HTTP GETs to RP URLs that clear login state.

http://openid.net/specs/openid-connect-frontchannel-1_0.html

This typically takes the form of an OP loading a page with <iframe src="frontchannel_logout_uri"> or <img src="front_channel_logout_uri">

However, modern browsers allow users to “block third party cookies” and this setting means that the logout at the RP will fail (unable to remove previously
established RP cookie). Our implementation and test teams have found this to be a really confusing situation for end-users.

Have implementors had any success with alternatives or work-arounds? At a minimum we should capture this behavior in the draft specification.

Thanks,
prateek
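
The failure described in the message above, as an added example that is not part of the original post: a model of an RP logout endpoint reached through the OP's iframe while the browser withholds third-party cookies, next to a variant that falls back to the `iss` and `sid` query parameters. It assumes the OP sends those parameters and that the RP keeps its sessions server-side; all function names and values are hypothetical.

```javascript
// Added example; every name here is hypothetical and the data is constructed.
const sessions = new Map(); // RP session cookie value -> session record

function login(cookieValue, iss, sid) {
  sessions.set(cookieValue, { iss, sid, active: true });
}

// Constructed browser model: the OP page loads the RP logout URI in an iframe,
// which makes the request third-party, so a blocking browser omits RP cookies.
function iframeRequest(query, cookieJar, blockThirdPartyCookies) {
  return { query, cookies: blockThirdPartyCookies ? {} : { ...cookieJar } };
}

// Cookie-only handler: finds the session solely through the RP cookie.
function logoutByCookie(req) {
  const session = sessions.get(req.cookies.rp_session);
  if (!session || !session.active) return 0;
  session.active = false;
  return 1;
}

// Fallback handler: when no cookie arrives, end the server-side session(s)
// matching iss + sid. The request is unauthenticated, so it can only end
// sessions, and only for the issuer this RP trusts.
function logoutBySid(req, trustedIssuer) {
  const ended = logoutByCookie(req);
  if (ended) return ended;
  const { iss, sid } = req.query;
  if (iss !== trustedIssuer || typeof sid !== "string" || sid === "") return 0;
  let count = 0;
  for (const session of sessions.values()) {
    if (session.active && session.iss === iss && session.sid === sid) {
      session.active = false;
      count += 1;
    }
  }
  return count;
}

// Runs one logout attempt with third-party cookies blocked.
function demo(handler) {
  sessions.clear();
  const iss = "https://op.example", jar = { rp_session: "c-123" };
  login(jar.rp_session, iss, "sid-abc");
  const req = iframeRequest({ iss, sid: "sid-abc" }, jar, true);
  const ended = handler(req, iss);
  return { ended, stillLoggedIn: sessions.get(jar.rp_session).active };
}
```

In the fallback case the browser cookie itself stays in place; it simply points at a session the RP no longer honours.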

