[Openid-specs-ab] Spec Call Notes 9-May-19

matake, nov nov at matake.jp
Tue May 28 09:00:28 UTC 2019


yeah, every legacy SAML SP needs some level of development... :p

On Tue, 28 May 2019 at 17:57, Filip Skokan <panva.ip at gmail.com> wrote:

> That's what the explicit value `None` is for then :)
>
> Best regards,
> *Filip Skokan*
>
>
> On Tue, 28 May 2019 at 10:56, nov matake <nov at matake.jp> wrote:
>
>> oh...SAML is dead...
>>
>> Sent from my iPhone
>>
>> On May 28, 2019, at 16:35, Filip Skokan via Openid-specs-ab <
>> openid-specs-ab at lists.openid.net> wrote:
>>
>> One additional side-effect of `SameSite=Lax` being the default that isn't
>> quite that obvious:
>>
>> The party receiving form_post responses does not get their cookies since
>> the request is not a top-level redirect but a POST request from another
>> Origin.
>>
>> Best,
>> *Filip*
>>
>>
>> On Thu, 9 May 2019 at 17:36, Filip Skokan <panva.ip at gmail.com> wrote:
>>
>>> Here are my notes on the new "lax" cookie sameSite value default.
>>>
>>>
>>>>               George asked whether this might affect iframe and
>>>> postMessage communication
>>>>                            And whether this might affect Session
>>>> Management
>>>
>>>
>>> If cookies are set to "Lax" by default then the following will not work
>>>
>>>    - session management 1.0 - Session Status Change Notification - OP
>>>    cookies won't be loaded resulting in error or changed events
>>>    - web_message response mode - simple and relay modes with no prompts -
>>>    OP cookies won't be loaded resulting in no session being loaded and hence
>>>    error=login_required or similar returned
>>>    - any hidden iframe prompt=none way of refreshing tokens - OP
>>>    cookies won't be loaded resulting in no session being loaded and hence
>>>    error=login_required or similar returned
>>>    - any hidden iframe prompt=none&response_type=none way of checking
>>>    for "is the user still authenticated" - OP cookies won't be loaded
>>>    resulting in no session being loaded and hence error=login_required or
>>>    similar returned
>>>    - frontchannel logout 1.0 - relying party iframe - RP cookies won't
>>>    be loaded resulting in some implementations that depend on cookies to be
>>>    loaded not being able to drop the RP session
>>>
>>> I will be moving my OP implementation to use "None" as sameSite value
>>> for OP Session Cookie as well as Session Management Client State cookies the
>>> moment my web framework's cookie interface allows that as value. This will
>>> hopefully be ignored by browsers not implementing that value resulting in
>>> the old default which is "None" implicitly and will for sure keep existing
>>> behaviours for the browsers that do.
>>>
>>> Best,
>>> *Filip Skokan*
>>>
>>>
>>> On Thu, 9 May 2019 at 17:19, Mike Jones via Openid-specs-ab <
>>> openid-specs-ab at lists.openid.net> wrote:
>>>
>>>> Spec Call Notes 9-May-19
>>>>
>>>>
>>>>
>>>> Mike Jones
>>>>
>>>> Roland Hedberg
>>>>
>>>> Brian Campbell
>>>>
>>>> Torsten Lodderstedt
>>>>
>>>> Bjorn Hjelm
>>>>
>>>> George Fletcher
>>>>
>>>> Tom Jones
>>>>
>>>>
>>>>
>>>> OpenID Certification
>>>>
>>>>               Roland created certification tests for Session,
>>>> Front-Channel, and Back-Channel, which are now being tested
>>>>
>>>>               Filip Skokan provided a lot of early feedback on the OP
>>>> tests
>>>>
>>>>               We now need instructions for testing so others can do so
>>>>
>>>>                            It seems that there will need to be some
>>>> browser-specific instructions in some cases
>>>>
>>>>               There are RP logout tests also but they haven't been
>>>> tested yet by others than Roland
>>>>
>>>>
>>>>
>>>> Authentication Failed Error Code Draft
>>>>
>>>>               This is issue #1029
>>>>
>>>>               The error code is now unmet_authentication_requirements
>>>>
>>>>               Torsten submitted and Mike will publish the working group
>>>> draft
>>>>
>>>>
>>>>
>>>> OpenID Connect for Identity Proofing
>>>>
>>>>               Another new draft was published at
>>>> https://openid.net/specs/openid-connect-4-identity-assurance.html
>>>>
>>>>               Torsten led a discussion at IIW
>>>>
>>>>               A lot of good feedback was received, including on
>>>> requirements for other jurisdictions
>>>>
>>>>               It was pointed out that some proofs will require multiple
>>>> documents
>>>>
>>>>                            Torsten is working on updated syntax for that
>>>>
>>>>                            See issue #1082: Support for multiple proof
>>>> sources
>>>>
>>>>               Reviews are solicited
>>>>
>>>>               We agreed that Torsten should present this during EIC
>>>>
>>>>
>>>>
>>>> EIC Next Week
>>>>
>>>>               Roland, Torsten, Bjorn, George, and Mike will be at EIC
>>>> next week
>>>>
>>>>
>>>>
>>>> Distinguishing first and third party cookies
>>>>
>>>>               George let us know that there's a spec that adds the
>>>> same-site qualifier to cookies
>>>>
>>>>
>>>> https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
>>>>
>>>>                            Values are none, strict, and lax
>>>>
>>>>                            Also see
>>>> https://web.dev/samesite-cookies-explained/
>>>>
>>>>                            and
>>>> https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html
>>>>
>>>>               Google is adding support for this to Chrome
>>>>
>>>>               George asked whether this might affect iframe and
>>>> postMessage communication
>>>>
>>>>                            And whether this might affect Session
>>>> Management
>>>>
>>>>
>>>>
>>>> Open Issues
>>>>
>>>>
>>>> https://bitbucket.org/openid/connect/issues?status=new&status=open
>>>>
>>>>               #1083: policy_uri, tos_uri, logo_uri missing in IANA JWT
>>>> claims registry
>>>>
>>>>                            Brian asked whether Nat really meant the JWT
>>>> Claims registry or the AS Metadata registry
>>>>
>>>>               #1081: Need for a persistent user identifier - a PUID
>>>>
>>>>                            We discussed that change of keys is a change
>>>> of identity for self-issued
>>>>
>>>>                            We discussed the ability to add a "did"
>>>> claim to the ID Token when it is useful
>>>>
>>>>                            We discussed that the "sub" value must not
>>>> change at key roll-over time
>>>>
>>>>
>>>>
>>>> Transient Subject Identifier Type
>>>>
>>>>               At IIW, Davide Vaghetti talked about the need for a
>>>> transient subject_type value, similar to that in SAML
>>>>
>>>>               Mike and John encouraged him to write a specification for
>>>> it
>>>>
>>>>
>>>>
>>>> Next Call
>>>>
>>>>               The May 13th call is cancelled due to EIC
>>>>
>>>>               The next call is Thursday, May 23 at 7am Pacific Time
>>>> _______________________________________________
>>>> Openid-specs-ab mailing list
>>>> Openid-specs-ab at lists.openid.net
>>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>>
>>
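Filip's breakdown above, as an added example that is not code from the list or from any OP implementation: a small Python model of the SameSite rules, run over the cross-site request kinds the thread names (form_post, hidden prompt=none iframes, session management and web_message iframes, the front-channel logout iframe), to show which flows lose their cookie under the Lax default and that `SameSite=None; Secure` restores them. The Cookie and Request types and the scenario names are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cookie:
    """A stored cookie as the browser sees it (constructed model, not a parser)."""
    same_site: Optional[str] = None   # "Strict", "Lax", "None", or None = attribute absent
    secure: bool = False

@dataclass(frozen=True)
class Request:
    cross_site: bool                  # initiating site differs from the cookie's site
    top_level: bool                   # navigates the top-level document, not an iframe/XHR
    method: str = "GET"

def cookie_sent(cookie: Cookie, req: Request, lax_by_default: bool = True) -> bool:
    """Does the browser attach the cookie to this request?"""
    mode = cookie.same_site
    if mode is None:
        # the thread's subject: the unspecified case changes from None to Lax
        mode = "Lax" if lax_by_default else "None"
    if lax_by_default and cookie.same_site == "None" and not cookie.secure:
        # the same Chrome change rejects an explicit SameSite=None without Secure
        return False
    if not req.cross_site or mode == "None":
        return True
    if mode == "Strict":
        return False
    # Lax: only top-level navigations with safe methods carry the cookie
    return req.top_level and req.method in ("GET", "HEAD")

# Cross-site requests named in the thread; the cookie owner is in parentheses (constructed)
SCENARIOS = {
    "top-level 302 to redirect_uri (RP cookie)": Request(True, True),
    "response_mode=form_post (RP cookie)": Request(True, True, "POST"),
    "hidden iframe prompt=none (OP cookie)": Request(True, False),
    "session management / web_message iframe (OP cookie)": Request(True, False),
    "frontchannel logout iframe (RP cookie)": Request(True, False),
}

def broken_flows(cookie: Cookie, lax_by_default: bool = True) -> list[str]:
    """Flows whose cookie is not presented, i.e. the failures the thread predicts."""
    return [name for name, req in SCENARIOS.items()
            if not cookie_sent(cookie, req, lax_by_default)]

if __name__ == "__main__":
    legacy = Cookie()                               # no SameSite attribute at all
    fixed = Cookie(same_site="None", secure=True)   # the remediation Filip describes
    print("legacy cookie, old default:", broken_flows(legacy, lax_by_default=False))
    print("legacy cookie, Lax default:", broken_flows(legacy))
    print("SameSite=None; Secure:     ", broken_flows(fixed))
```

Note that a plain top-level redirect keeps working under Lax, which is why the breakage is easy to miss until form_post or an iframe-based flow is exercised.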