[Openid-specs-ab] Planned Chrome and WebKit changes potentially impacting OpenID Connect deployments
Mike Jones
Michael.Jones at microsoft.com
Wed Aug 21 19:36:04 UTC 2019
I wanted to bring two planned browser changes to the working group's attention for your discussion and feedback. I believe that both of these could affect OpenID Connect (and other federated identity) deployments.
1. Chrome plans to treat cookies as SameSite=Lax by default if no SameSite attribute is specified. This is described at https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/AknSSyQTGYs/SSB1rTEkBgAJ. As it says there, developers would be able to opt into the status quo of unrestricted use by explicitly asserting SameSite=None.
2. WebKit/Safari plans to change cookie handling to prevent tracking. As described at https://webkit.org/tracking-prevention-policy/#unintended-impact, this is expected to affect "Federated login using a third-party login provider".
Some questions:
* Are people tracking these developments and their expected impacts?
* Might code changes be needed to keep things working, and if so, what are they?
* Should we be communicating with the Chrome and WebKit developers about the needs of federated identity in advance of these proposed changes?
-- Mike
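
The default change in item 1, as an added sketch that is not part of the original message or of any browser's code: it parses Set-Cookie header values and reports which cookies would stop accompanying cross-site requests once a missing SameSite attribute is treated as Lax instead of unrestricted. The cookie names, sample headers and the three request shapes are constructed, and treating an unrecognised SameSite value as absent is an assumption of the sketch.

```python
# Added example (constructed data): models the SameSite mode a browser applies.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
REQUESTS = {"top-level GET": ("GET", True), "top-level POST": ("POST", True),
            "iframe GET": ("GET", False)}  # label -> (method, top-level navigation?)

def parse_samesite(set_cookie):
    """Return (cookie name, explicit SameSite value in lowercase or None)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    explicit = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "samesite":
            explicit = value.strip().lower()
    return name, explicit

def effective(explicit, lax_by_default):
    """Mode applied to the cookie; unknown values count as absent (assumption)."""
    if explicit in ("strict", "lax", "none"):
        return explicit
    return "lax" if lax_by_default else "none"

def sent_cross_site(mode, method, top_level):
    """True if the cookie accompanies a request initiated by another site."""
    if mode == "lax":  # only safe-method top-level navigations carry the cookie
        return top_level and method in SAFE_METHODS
    return mode == "none"  # none: always sent; strict: never sent cross-site

def audit(headers):
    """Map cookie name -> request shapes that lose the cookie under Lax-by-default."""
    report = {}
    for header in headers:
        name, explicit = parse_samesite(header)
        before, after = effective(explicit, False), effective(explicit, True)
        lost = [label for label, (method, top) in REQUESTS.items()
                if sent_cross_site(before, method, top)
                and not sent_cross_site(after, method, top)]
        if lost:
            report[name] = lost
    return report

SAMPLE = [  # constructed Set-Cookie header values
    "op_session=abc123; Path=/; Secure; HttpOnly",
    "rp_state=xyz; Path=/callback; Secure; SameSite=None",
    "prefs=dark; Path=/; SameSite=Lax",
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Only the cookie without an explicit attribute changes behaviour; the one that already asserts SameSite=None keeps the status quo described above.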