[Openid-specs-ab] Spec Call Notes 9-May-19
Filip Skokan
panva.ip at gmail.com
Tue May 28 07:35:44 UTC 2019
One additional side-effect of `SameSite=Lax` being the default that isn't
quite that obvious: the party receiving form_post responses does not get their
cookies, since the request is not a top-level redirect but a POST request from
another Origin.
Best,
*Filip*
On Thu, 9 May 2019 at 17:36, Filip Skokan <panva.ip at gmail.com> wrote:
> Here are my notes on the new "lax" cookie sameSite value default.
>
>
>> George asked whether this might affect iframe and
>> postMessage communication
>> And whether this might affect Session
>> Management
>
>
> If cookies are set to "Lax" by default then the following will not work
>
> - session management 1.0 - Session Status Change Notification - OP
> cookies won't be loaded resulting in error or changed events
> - web_message response mode - simple and relay modes with no prompts -
> OP cookies won't be loaded resulting in no session being loaded and hence
> error=login_required or similar returned
> - any hidden iframe prompt=none way of refreshing tokens - OP cookies
> won't be loaded resulting in no session being loaded and hence
> error=login_required or similar returned
> - any hidden iframe prompt=none&response_type=none way of checking for
> "is the user still authenticated" - OP cookies won't be loaded resulting in
> no session being loaded and hence error=login_required or similar returned
> - frontchannel logout 1.0 - relying party iframe - RP cookies won't be
> loaded resulting in some implementations that depend on cookies to be
> loaded not being able to drop the RP session
>
> I will be moving my OP implementation to use "None" as sameSite value for
> OP Session Cookie as well as Session Management Client State cookies the
> moment my web framework's cookie interface allows that as value. This will
> hopefully be ignored by browsers not implementing that value, resulting in
> the old default which is "None" implicitly, and will for sure keep existing
> behaviours for the browsers that do.
>
> Best,
> *Filip Skokan*
>
>
> On Thu, 9 May 2019 at 17:19, Mike Jones via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
>> Spec Call Notes 9-May-19
>>
>>
>>
>> Mike Jones
>>
>> Roland Hedberg
>>
>> Brian Campbell
>>
>> Torsten Lodderstedt
>>
>> Bjorn Hjelm
>>
>> George Fletcher
>>
>> Tom Jones
>>
>>
>>
>> OpenID Certification
>>
>> Roland created certification tests for Session,
>> Front-Channel, and Back-Channel, which are now being tested
>>
>> Filip Skokan provided a lot of early feedback on the OP
>> tests
>>
>> We now need instructions for testing so others can do so
>>
>> It seems that there will need to be some
>> browser-specific instructions in some cases
>>
>> There are RP logout tests also but they haven't been tested
>> yet by others than Roland
>>
>>
>>
>> Authentication Failed Error Code Draft
>>
>> This is issue #1029
>>
>> The error code is now unmet_authentication_requirements
>>
>> Torsten submitted and Mike will publish the working group
>> draft
>>
>>
>>
>> OpenID Connect for Identity Proofing
>>
>> Another new draft was published at
>> https://openid.net/specs/openid-connect-4-identity-assurance.html
>>
>> Torsten led a discussion at IIW
>>
>> A lot of good feedback was received, including on
>> requirements for other jurisdictions
>>
>> It was pointed out that some proofs will require multiple
>> documents
>>
>> Torsten is working on updated syntax for that
>>
>> See issue #1082: Support for multiple proof
>> sources
>>
>> Reviews are solicited
>>
>> We agreed that Torsten should present this during EIC
>>
>>
>>
>> EIC Next Week
>>
>> Roland, Torsten, Bjorn, George, and Mike will be at EIC
>> next week
>>
>>
>>
>> Distinguishing first and third party cookies
>>
>> George let us know that there's a spec that adds the
>> same-site qualifier to cookies
>>
>>
>> https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
>>
>> Values are none, strict, and lax
>>
>> Also see
>> https://web.dev/samesite-cookies-explained/
>>
>> and
>> https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html
>>
>> Google is adding support for this to Chrome
>>
>> George asked whether this might affect iframe and
>> postMessage communication
>>
>> And whether this might affect Session
>> Management
>>
>>
>>
>> Open Issues
>>
>>
>> https://bitbucket.org/openid/connect/issues?status=new&status=open
>>
>> #1083: policy_uri, tos_uri, logo_uri missing in IANA JWT
>> claims registry
>>
>> Brian asked whether Nat really meant the JWT
>> Claims registry or the AS Metadata registry
>>
>> #1081: Need for a persistence user identifier - a PUID
>>
>> We discussed that change of keys is a change
>> of identity for self-issued
>>
>> We discussed the ability to add a "did" claim
>> to the ID Token when it is useful
>>
>> We discussed that the "sub" value must not
>> change at key roll-over time
>>
>>
>>
>> Transient Subject Identifier Type
>>
>> At IIW, Davide Vaghetti talked about the need for a
>> transient subject_type value, similar to that in SAML
>>
>> Mike and John encouraged him to write a specification for it
>>
>>
>>
>> Next Call
>>
>> The May 13th call is cancelled due to EIC
>>
>> The next call is Thursday, May 23 at 7am Pacific Time
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>
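The flows the thread lists (form_post callbacks, hidden prompt=none iframes, the Session Management check-session iframe, front-channel logout iframes) can be checked against the SameSite rules with a small browser-side model. This is an added example, not code from the thread or from any OP implementation; the scenario names, request contexts and cookie names are constructed for illustration.

```javascript
// Added example: a model of the SameSite rules in draft-west-cookie-incrementalism
// applied to the OpenID Connect flows discussed in the thread. Scenario names and
// request contexts are constructed, not taken from any browser or OP code.

// crossSite: the request's initiator is a different site than the cookie's owner.
// topLevel: the request is a top-level navigation rather than an iframe/subresource.
const SCENARIOS = {
  // OP 302-redirects the user agent to the RP redirect_uri (response_mode=query)
  redirectCallback:         { crossSite: true, topLevel: true,  method: 'GET' },
  // OP auto-submits a form to the RP redirect_uri (response_mode=form_post)
  formPostCallback:         { crossSite: true, topLevel: true,  method: 'POST' },
  // RP page loads a hidden OP iframe with prompt=none to refresh tokens
  hiddenIframePromptNone:   { crossSite: true, topLevel: false, method: 'GET' },
  // Session Management 1.0: RP embeds the OP check_session_iframe
  checkSessionIframe:       { crossSite: true, topLevel: false, method: 'GET' },
  // Front-Channel Logout 1.0: OP logout page embeds the RP logout iframe
  frontchannelLogoutIframe: { crossSite: true, topLevel: false, method: 'GET' },
};

// Whether the browser attaches `cookie` ({ sameSite, secure }) to a request.
// A missing SameSite attribute is treated as Lax, the new default under discussion.
function cookieSent(cookie, ctx) {
  const mode = (cookie.sameSite || 'Lax').toLowerCase();
  if (!ctx.crossSite) return true;             // same-site requests are unaffected
  if (mode === 'none') return !!cookie.secure; // None is only honoured together with Secure
  if (mode === 'lax') return ctx.topLevel && ctx.method === 'GET'; // top-level safe navigations only
  return false;                                // Strict (or unknown): never on cross-site requests
}

// Map each scenario to whether the cookie would reach the server.
function evaluate(cookie) {
  const out = {};
  for (const [name, ctx] of Object.entries(SCENARIOS)) out[name] = cookieSent(cookie, ctx);
  return out;
}

// Build the Set-Cookie header an OP or RP would emit to keep these flows working
// once Lax is the default: SameSite=None must be paired with Secure.
function setCookieHeader(name, value, { sameSite = 'None', secure = true, httpOnly = true } = {}) {
  const parts = [`${name}=${value}`, 'Path=/'];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

console.log(evaluate({}));                                  // Lax default: only redirectCallback is true
console.log(evaluate({ sameSite: 'None', secure: true }));  // explicit None; Secure: every flow is true
console.log(setCookieHeader('op_session', 'abc123'));       // constructed cookie name and value
```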