[Openid-specs-ab] Spec Call Notes 9-May-19

George Fletcher gffletch at aol.com
Fri May 31 14:00:32 UTC 2019


Thanks for the implementation testing and notes! --George

On 5/28/19 3:35 AM, Filip Skokan via Openid-specs-ab wrote:
> One additional side-effect of `SameSite=Lax` being the default that 
> isn't quite that obvious
>
> The party receiving form_post responses does not get their cookies 
> since the request is not a top-level redirect but a POST request from 
> another Origin.
>
> Best,
> *Filip*
>
>
> On Thu, 9 May 2019 at 17:36, Filip Skokan <panva.ip at gmail.com 
> <mailto:panva.ip at gmail.com>> wrote:
>
>     Here are my notes on the new "lax" cookie sameSite value default.
>
>         - George asked whether this might affect iframe
>           and postMessage communication
>         - And whether this might affect
>           Session Management
>
>
>     If cookies are set to "Lax" by default then the following will not
>     work
>
>       * session management 1.0 - Session Status Change Notification -
>         OP cookies won't be loaded resulting in error or changed events
>       * web_message response mode - simple and relay modes with no
>         prompts - OP cookies won't be loaded resulting in no session
>         being loaded and hence error=login_required or similar returned
>       * any hidden iframe prompt=none way of refreshing tokens - OP
>         cookies won't be loaded resulting in no session being loaded
>         and hence error=login_required or similar returned
>       * any hidden iframe prompt=none&response_type=none way of
>         checking for "is the user still authenticated" - OP cookies
>         won't be loaded resulting in no session being loaded and hence
>         error=login_required or similar returned
>       * frontchannel logout 1.0 - relying party iframe - RP cookies
>         won't be loaded resulting in some implementations that depend
>         on cookies to be loaded not being able to drop the RP session
>
>     I will be moving my OP implementation to use "None" as sameSite
>     value for OP Session Cookie as well Session Management Client
>     State cookies the moment my web framework's cookie interface
>     allows that as value. This will hopefully be ignored by browsers
>     not implementing that value resulting in the old default which is
>     "None" implicitly and will for sure keep existing behaviours for
>     the browsers that do.
>
>     Best,
>     *Filip Skokan*
>
>
>     On Thu, 9 May 2019 at 17:19, Mike Jones via Openid-specs-ab
>     <openid-specs-ab at lists.openid.net
>     <mailto:openid-specs-ab at lists.openid.net>> wrote:
>
>         Spec Call Notes 9-May-19
>
>         Mike Jones
>
>         Roland Hedberg
>
>         Brian Campbell
>
>         Torsten Lodderstedt
>
>         Bjorn Hjelm
>
>         George Fletcher
>
>         Tom Jones
>
>         OpenID Certification
>
>         * Roland created certification tests for Session,
>           Front-Channel, and Back-Channel, which are now being tested
>
>         * Filip Skokan provided a lot of early feedback on
>           the OP tests
>
>         * We now need instructions for testing so others
>           can do so
>
>           - It seems that there will need to be
>             some browser-specific instructions in some cases
>
>         * There are RP logout tests also but they haven't
>           been tested yet by others than Roland
>
>         Authentication Failed Error Code Draft
>
>         * This is issue #1029
>
>         * The error code is now
>           unmet_authentication_requirements
>
>         * Torsten submitted and Mike will publish the
>           working group draft
>
>         OpenID Connect for Identity Proofing
>
>         * Another new draft was published at
>           https://openid.net/specs/openid-connect-4-identity-assurance.html
>
>         * Torsten led a discussion at IIW
>
>         * A lot of good feedback was received, including
>           on requirements for other jurisdictions
>
>         * It was pointed out that some proofs will require
>           multiple documents
>
>           Torsten is working on updated syntax for that
>
>           - See issue #1082: Support for
>             multiple proof sources
>
>         * Reviews are solicited
>
>         * We agreed that Torsten should present this
>           during EIC
>
>         EIC Next Week
>
>         * Roland, Torsten, Bjorn, George, and Mike will be
>           at EIC next week
>
>         Distinguishing first and third party cookies
>
>         * George let us know that there's a spec that adds
>           the same-site qualifier to cookies
>
>           https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
>
>           - Values are none, strict, and lax
>
>           - Also see
>             https://web.dev/samesite-cookies-explained/
>
>           - and
>             https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html
>
>         * Google is adding support for this to Chrome
>
>         * George asked whether this might affect iframe
>           and postMessage communication
>
>           - And whether this might affect
>             Session Management
>
>         Open Issues
>
>         https://bitbucket.org/openid/connect/issues?status=new&status=open
>
>         * #1083: policy_uri, tos_uri, logo_uri missing in
>           IANA JWT claims registry
>
>           - Brian asked whether Nat really
>             meant the JWT Claims registry or the AS Metadata registry
>
>         * #1081: Need for a persistence user identifier -
>           a PUID
>
>           - We discussed that change of keys is
>             a change of identity for self-issued
>
>           - We discussed the ability to add a
>             "did" claim to the ID Token when it is useful
>
>           - We discussed that the "sub" value
>             must not change at key roll-over time
>
>         Transient Subject Identifier Type
>
>         * At IIW, Davide Vaghetti talked about the need
>           for a transient subject_type value, similar to that in SAML
>
>         * Mike and John encouraged him to write a
>           specification for it
>
>         Next Call
>
>         * The May 13th call is cancelled due to EIC
>
>         * The next call is Thursday, May 23 at 7am Pacific
>           Time
>
>         _______________________________________________
>         Openid-specs-ab mailing list
>         Openid-specs-ab at lists.openid.net
>         <mailto:Openid-specs-ab at lists.openid.net>
>         http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
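The flows Filip lists above all fail for the same reason: a cookie that is Lax by default is only attached to a cross-site request when that request is a top-level navigation with a safe method. The following is an added example, not code from the thread or from any of the implementations mentioned; it models that browser rule (plus Chrome's requirement that SameSite=None cookies be Secure) and applies it to each of the flows, with constructed hostnames op.example and rp.example.

```python
# Added example: a model of the browser's SameSite decision applied to the
# OIDC flows from the thread. Hostnames are constructed; the rule is simplified.
from dataclasses import dataclass
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD"}

@dataclass(frozen=True)
class Cookie:
    same_site: "str | None"  # "Strict", "Lax", "None", or None when the attribute is absent
    secure: bool = False

@dataclass(frozen=True)
class Request:
    url: str                 # where the request goes (the cookie's host)
    initiator: str           # URL of the document that caused the request
    method: str = "GET"
    top_level: bool = False  # True for a navigation of the top window; False for iframe loads

def site(url: str) -> str:
    # Crude registrable-domain check, sufficient for the two-label hosts used here.
    return ".".join((urlsplit(url).hostname or "").split(".")[-2:])

def is_sent(cookie: Cookie, req: Request, lax_by_default: bool = True) -> bool:
    """True when the browser attaches `cookie` to `req`."""
    mode = cookie.same_site
    if mode is None:                      # attribute absent: the new default is Lax
        mode = "Lax" if lax_by_default else "None"
    elif mode == "None" and not cookie.secure:
        return False                      # Chrome rejects SameSite=None without Secure
    if site(req.url) == site(req.initiator):
        return True                       # same-site requests always carry the cookie
    if mode == "Strict":
        return False
    if mode == "Lax":                     # cross-site: only top-level safe-method navigations
        return req.top_level and req.method in SAFE_METHODS
    return True                           # None, explicit or the legacy implicit default

OP, RP = "https://op.example", "https://rp.example"

def oidc_flows(op_cookie: Cookie, rp_cookie: Cookie, lax_by_default: bool = True) -> dict:
    """Which of the thread's flows still see their session cookie."""
    flows = {
        # 302 from the OP back to redirect_uri: a top-level GET, unaffected by Lax
        "redirect_query_response": (rp_cookie, Request(RP, OP, "GET", top_level=True)),
        # response_mode=form_post: the OP page auto-submits a cross-site POST to the RP
        "form_post_response": (rp_cookie, Request(RP, OP, "POST", top_level=True)),
        # hidden iframe prompt=none / check_session_iframe: cross-site subresource load of the OP
        "hidden_iframe_prompt_none": (op_cookie, Request(OP, RP)),
        # front-channel logout: the OP page embeds the RP's logout iframe
        "frontchannel_logout_iframe": (rp_cookie, Request(RP, OP)),
    }
    return {name: is_sent(c, r, lax_by_default) for name, (c, r) in flows.items()}
```

Running `oidc_flows(Cookie(None), Cookie(None))` shows only the query-mode redirect surviving, while `Cookie("None", secure=True)` restores all four. One caveat for the "ignored by browsers not implementing it" hope: Safari on iOS 12 and macOS 10.14 treats an unrecognised SameSite=None as Strict, so those clients need a user-agent check or a second cookie without the attribute.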
