[Openid-specs-ab] ITP and OIDC session issues

Vittorio Bertocci vittorio.bertocci at auth0.com
Wed Jun 6 15:53:21 UTC 2018


Hi all,

We have been having issues with renewing tokens via invisible iFrame in 
our JavaScript SDKs in the latest version of Safari - and yesterday's 
news about ITP 2.0 seems to suggest that the new default on Apple devices 
will be equivalent to disabling 3rd party cookies, which AFAIK breaks 
OIDC session management... and/or start displaying dialogs warning the 
user that they are being tracked at every operation.

  * Did anyone else experience similar issues?
  * What are the WG's thoughts about whether this calls for a revision
    of how session works in OIDC?
  * There is one RFC for WebKit that could provide an alternative
    location for the session, detailed here
    <https://github.com/whatwg/html/issues/3338>. Did anyone consider
    it? Any insights?

If the issue is confirmed, that will make use of OIDC session and 
related token renewal machinery unfeasible on Macs, iPhones and iPads. 
And without official guidance, that will likely spur a cottage industry 
of custom solutions. I hope we can come up with guidance that addresses 
the problem before that happens.

Thanks in advance for your insights

V.