[Openid-specs-ab] Spec Call Notes 9-May-19
Filip Skokan
panva.ip at gmail.com
Tue May 28 08:57:30 UTC 2019
That's what the explicit value `None` is for then :)
Best regards,
*Filip Skokan*
On Tue, 28 May 2019 at 10:56, nov matake <nov at matake.jp> wrote:
> oh...SAML is dead...
>
> Sent from my iPhone
>
> On May 28, 2019, at 16:35, Filip Skokan via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
> One additional side-effect of `SameSite=Lax` being the default that isn't
> quite that obvious
>
> The party receiving form_post responses does not get their cookies since
> the request is not a top-level redirect but a POST request from another
> Origin.
>
> Best,
> *Filip*
>
>
> On Thu, 9 May 2019 at 17:36, Filip Skokan <panva.ip at gmail.com> wrote:
>
>> Here are my notes on the new "lax" cookie sameSite value default.
>>
>>
>>> George asked whether this might affect iframe and postMessage communication
>>> And whether this might affect Session Management
>>
>>
>> If cookies are set to "Lax" by default then the following will not work:
>>
>> - session management 1.0 - Session Status Change Notification - OP cookies won't be loaded resulting in error or changed events
>> - web_message response mode - simple and relay modes with no prompts - OP cookies won't be loaded resulting in no session being loaded and hence error=login_required or similar returned
>> - any hidden iframe prompt=none way of refreshing tokens - OP cookies won't be loaded resulting in no session being loaded and hence error=login_required or similar returned
>> - any hidden iframe prompt=none&response_type=none way of checking for "is the user still authenticated" - OP cookies won't be loaded resulting in no session being loaded and hence error=login_required or similar returned
>> - frontchannel logout 1.0 - relying party iframe - RP cookies won't be loaded resulting in some implementations that depend on cookies to be loaded not being able to drop the RP session
>>
>> I will be moving my OP implementation to use "None" as the sameSite value for
>> the OP Session Cookie as well as the Session Management Client State cookies the
>> moment my web framework's cookie interface allows that as a value. This will
>> hopefully be ignored by browsers not implementing that value, resulting in
>> the old default, which is "None" implicitly, and will for sure keep existing
>> behaviours for the browsers that do.
>>
>> Best,
>> *Filip Skokan*
>>
>>
>> On Thu, 9 May 2019 at 17:19, Mike Jones via Openid-specs-ab <
>> openid-specs-ab at lists.openid.net> wrote:
>>
>>> Spec Call Notes 9-May-19
>>>
>>> Mike Jones
>>> Roland Hedberg
>>> Brian Campbell
>>> Torsten Lodderstedt
>>> Bjorn Hjelm
>>> George Fletcher
>>> Tom Jones
>>>
>>> OpenID Certification
>>> - Roland created certification tests for Session, Front-Channel, and Back-Channel, which are now being tested
>>> - Filip Skokan provided a lot of early feedback on the OP tests
>>> - We now need instructions for testing so others can do so
>>> - It seems that there will need to be some browser-specific instructions in some cases
>>> - There are RP logout tests also but they haven't been tested yet by anyone other than Roland
>>>
>>> Authentication Failed Error Code Draft
>>> - This is issue #1029
>>> - The error code is now unmet_authentication_requirements
>>> - Torsten submitted and Mike will publish the working group draft
>>>
>>> OpenID Connect for Identity Proofing
>>> - Another new draft was published at https://openid.net/specs/openid-connect-4-identity-assurance.html
>>> - Torsten led a discussion at IIW
>>> - A lot of good feedback was received, including on requirements for other jurisdictions
>>> - It was pointed out that some proofs will require multiple documents
>>> - Torsten is working on updated syntax for that
>>> - See issue #1082: Support for multiple proof sources
>>> - Reviews are solicited
>>> - We agreed that Torsten should present this during EIC
>>>
>>> EIC Next Week
>>> - Roland, Torsten, Bjorn, George, and Mike will be at EIC next week
>>>
>>> Distinguishing first- and third-party cookies
>>> - George let us know that there's a spec that adds the same-site qualifier to cookies: https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
>>> - Values are none, strict, and lax
>>> - Also see https://web.dev/samesite-cookies-explained/ and https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html
>>> - Google is adding support for this to Chrome
>>> - George asked whether this might affect iframe and postMessage communication
>>> - And whether this might affect Session Management
>>>
>>> Open Issues
>>> https://bitbucket.org/openid/connect/issues?status=new&status=open
>>> - #1083: policy_uri, tos_uri, logo_uri missing in IANA JWT claims registry
>>>   - Brian asked whether Nat really meant the JWT Claims registry or the AS Metadata registry
>>> - #1081: Need for a persistence user identifier - a PUID
>>>   - We discussed that change of keys is a change of identity for self-issued
>>>   - We discussed the ability to add a "did" claim to the ID Token when it is useful
>>>   - We discussed that the "sub" value must not change at key roll-over time
>>>
>>> Transient Subject Identifier Type
>>> - At IIW, Davide Vaghetti talked about the need for a transient subject_type value, similar to that in SAML
>>> - Mike and John encouraged him to write a specification for it
>>>
>>> Next Call
>>> - The May 13th call is cancelled due to EIC
>>> - The next call is Thursday, May 23 at 7am Pacific Time
>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>
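The thread above lists which OpenID Connect flows stop working once browsers treat cookies without a SameSite attribute as Lax, and the later reply adds form_post responses to that list. The JavaScript below is an added example, not code from the thread, from Filip's OP, or from any browser: it models the cookie-attachment rule for each SameSite value as described in draft-west-cookie-incrementalism (Lax by default, and None only honoured together with Secure) and runs the flows Filip names, plus the ordinary top-level authorization redirect that keeps working, under the old default, the draft default, and the `SameSite=None; Secure` fix. The hosts `op.example` and `rp.example`, the cookie name, the flow labels and the two-label `siteOf` heuristic are assumptions of the example.

```javascript
// Added example, not code from the thread or any OP/RP implementation: a model
// of when a browser attaches a cookie under each SameSite value, applied to the
// OpenID Connect flows discussed in the thread. Semantics follow
// draft-west-cookie-incrementalism-00 (Lax by default, None requires Secure).
// Hosts, cookie name and flow labels are constructed for the example.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// "Site" of a host. Toy version: the last two labels. Real browsers consult
// the Public Suffix List, which this example does not need.
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Parse a Set-Cookie header value into { name, value, secure, sameSite }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, sameSite: undefined };
  for (const attr of attrs) {
    const [k, v] = attr.split("=").map((s) => s.trim());
    if (k.toLowerCase() === "secure") cookie.secure = true;
    else if (k.toLowerCase() === "samesite") cookie.sameSite = (v || "").toLowerCase();
  }
  return cookie;
}

// An explicit, recognised SameSite attribute wins; a missing or unknown value
// falls back to the browser default: None historically, Lax under the draft.
function effectiveSameSite(cookie, laxByDefault) {
  if (["strict", "lax", "none"].includes(cookie.sameSite)) return cookie.sameSite;
  return laxByDefault ? "lax" : "none";
}

// Would the browser attach `cookie` (set by `cookieHost`) to `request`?
//   request = { initiator: host whose document caused the request,
//               target: host receiving it, method,
//               topLevel: true only for a navigation of the top-level frame
//                         (an iframe load is not top-level) }
function cookieSent(cookie, cookieHost, request, laxByDefault) {
  const sameSite = effectiveSameSite(cookie, laxByDefault);
  // The draft also requires SameSite=None cookies to be Secure; a browser
  // implementing it rejects such a cookie at set time, so no request carries it.
  if (laxByDefault && sameSite === "none" && !cookie.secure) return false;
  if (siteOf(request.target) !== siteOf(cookieHost)) return false;
  const crossSite = siteOf(request.initiator) !== siteOf(request.target);
  if (!crossSite) return true;
  if (sameSite === "strict") return false;
  if (sameSite === "lax") return request.topLevel && SAFE_METHODS.has(request.method);
  return true; // "none": attached to cross-site requests as well
}

// Constructed hosts for the example.
const OP = "op.example";
const RP = "rp.example";

// The flows from the thread, each reduced to the single cross-site request
// that must carry a cookie for the flow to work.
const FLOWS = [
  { name: "authorization request (top-level redirect to OP)", cookieHost: OP,
    request: { initiator: RP, target: OP, method: "GET", topLevel: true } },
  { name: "form_post response (cross-site POST to RP redirect_uri)", cookieHost: RP,
    request: { initiator: OP, target: RP, method: "POST", topLevel: true } },
  { name: "prompt=none in hidden iframe (silent token refresh)", cookieHost: OP,
    request: { initiator: RP, target: OP, method: "GET", topLevel: false } },
  { name: "Session Management check_session_iframe", cookieHost: OP,
    request: { initiator: RP, target: OP, method: "GET", topLevel: false } },
  { name: "Front-Channel Logout RP iframe", cookieHost: RP,
    request: { initiator: OP, target: RP, method: "GET", topLevel: false } },
];

// Evaluate every flow for one cookie attribute string under one browser policy.
// Returns { flowName: true|false }; true means the cookie reaches the server.
function evaluateFlows(attributes, laxByDefault) {
  const result = {};
  for (const flow of FLOWS) {
    const cookie = parseSetCookie(`session=opaque; ${attributes}`);
    result[flow.name] = cookieSent(cookie, flow.cookieHost, flow.request, laxByDefault);
  }
  return result;
}

// Side-by-side report: old default, draft default, and the SameSite=None fix.
function report() {
  const cases = [
    ["no SameSite attribute, old browser default (None)", "Path=/", false],
    ["no SameSite attribute, draft default (Lax)", "Path=/", true],
    ["SameSite=None; Secure, draft default", "Path=/; Secure; SameSite=None", true],
  ];
  for (const [label, attrs, laxByDefault] of cases) {
    console.log(`\n${label}`);
    for (const [flow, sent] of Object.entries(evaluateFlows(attrs, laxByDefault))) {
      console.log(`  ${sent ? "sent    " : "MISSING "} ${flow}`);
    }
  }
}

report();
```

Run it with `node`. The report shows the top-level redirect surviving the Lax default while the form_post response, the hidden prompt=none iframe, the check_session_iframe and the front-channel logout iframe all lose their cookie, and all of them recovering with `SameSite=None; Secure`. Two caveats the thread does not mention: the fix only works over HTTPS, because the same draft drops a `SameSite=None` cookie that is not `Secure`; and the hope that `None` is simply ignored by browsers that do not know it did not hold everywhere, the known case being Safari 12 and iOS 12, which treated `SameSite=None` as `Strict`. Chrome's shipped version of Lax-by-default also exempts cookies set within the previous two minutes from the POST restriction ("Lax+POST"), which can hide the form_post failure during a quick test without making it go away.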