[Openid-specs-ab] Issue #1003: Document possible impacts of disabling third-party cookies on front-channel logout (openid/connect)
Nick Roy
nroy at internet2.edu
Wed Aug 31 20:03:16 UTC 2016
On 8/31/16 2:02 PM, Mike Jones wrote:
>
> As a practical matter, if the user has taken an explicit step to
> disable third party cookies in their browser, they’ve also broken a
> whole lot of web scenarios besides this one. I think that our
> obligation is just to inform implementers and deployers of the
> possible consequences of this user choice. That’s what the issue is
> about.
>
> If you want guaranteed logout, you have to instead go the (much
> heavier weight) back-channel logout specification.
>
Thanks Mike, understood.
Nick
> -- Mike
>
> *From:* Openid-specs-ab
> [mailto:openid-specs-ab-bounces at lists.openid.net] *On Behalf Of* Nick
> Roy via Openid-specs-ab
> *Sent:* Wednesday, August 31, 2016 12:41 PM
> *To:* Filip Skokan <panva.ip at gmail.com>
> *Cc:* Michael Jones <issues-reply at bitbucket.org>;
> openid-specs-ab at lists.openid.net
> *Subject:* Re: [Openid-specs-ab] Issue #1003: Document possible
> impacts of disabling third-party cookies on front-channel logout
> (openid/connect)
>
> Isn't enabling SLO without a guarantee of universal logout dangerous?
> People will walk away from browsers with an expectation that they've
> logged out. I don't want to undermine things, but I worry about the
> security implications and the difficulty of user education in shared
> environments.
>
> Best,
>
> Nick
>
> On 8/31/16 1:28 PM, Filip Skokan wrote:
>
> In those cases RP logout will not be performed as reported by the
> original contributors. Since clients may not even support any form
> of downstream logout it's not like the OP can guarantee SLO anyway.
>
> I would be interested if this is a globally applicable case or
> just user-agent specific.
>
> Sent from my iPhone
>
>
> On 31 Aug 2016, at 21:10, Nick Roy <nroy at internet2.edu
> <mailto:nroy at internet2.edu>> wrote:
>
> What if the user declines to accept cookies for the third party?
>
> Nick
>
> On 8/31/16 9:58 AM, Filip Skokan wrote:
>
> I am not aware of any issues in the regulatory part.
> After all, you're loading content of the third party but not
> directly accessing it. It's the third-party RP handling
> the logout itself.
>
> Sent from my iPhone
>
>
> On 31 Aug 2016, at 15:38, Nick Roy via Openid-specs-ab
> <openid-specs-ab at lists.openid.net
> <mailto:openid-specs-ab at lists.openid.net>> wrote:
>
> Will this be a problem in the EU re: privacy laws?
>
> Best,
>
> Nick
>
> On Aug 30, 2016 7:35 PM, Michael Jones via
> Openid-specs-ab <openid-specs-ab at lists.openid.net
> <mailto:openid-specs-ab at lists.openid.net>> wrote:
>
> New issue 1003: Document possible impacts of
> disabling third-party cookies on front-channel logout
> https://bitbucket.org/openid/connect/issues/1003/document-possible-impacts-of-disabling
>
> Michael Jones:
>
> Contributors have described that their
> front-channel logout implementations do not work
> when third-party cookies are disabled. The
> working group should discuss this situation and at
> a minimum, document that front-channel logout
> may/will not work with third-party cookies
> disabled, and describe why this is the case. If
> it is possible to work around this situation, the
> work-arounds should also be described.
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> <mailto:Openid-specs-ab at lists.openid.net>
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>