[Openid-specs-ab] Spec Call Notes 9-May-19
Hans Zandbelt
hans.zandbelt at zmartzone.eu
Fri May 31 14:05:59 UTC 2019
+1, I've found this to be a problem for OIDC web clients that are (as the spec
states) "cryptographically binding the value of this parameter with a
browser cookie", and it requires special handling/workarounds, as I found in my
implementation.
Hans.
On Fri, May 31, 2019 at 4:00 PM George Fletcher via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:
> Thanks for the implementation testing and notes! --George
>
> On 5/28/19 3:35 AM, Filip Skokan via Openid-specs-ab wrote:
>
> One additional side-effect of `SameSite=Lax` being the default that isn't
> quite that obvious
>
> The party receiving form_post responses does not get their cookies since
> the request is not a top-level redirect but a POST request from another
> Origin.
>
> Best,
> *Filip*
>
>
> On Thu, 9 May 2019 at 17:36, Filip Skokan <panva.ip at gmail.com> wrote:
>
>> Here are my notes on the new "lax" cookie sameSite value default.
>>
>>> - George asked whether this might affect iframe and postMessage
>>>   communication
>>>   - And whether this might affect Session Management
>>
>> If cookies are set to "Lax" by default then the following will not work:
>>
>> - session management 1.0 - Session Status Change Notification - OP cookies
>>   won't be loaded, resulting in error or changed events
>> - web_message response mode - simple and relay modes with no prompts - OP
>>   cookies won't be loaded, resulting in no session being loaded and hence
>>   error=login_required or similar returned
>> - any hidden iframe prompt=none way of refreshing tokens - OP cookies won't
>>   be loaded, resulting in no session being loaded and hence
>>   error=login_required or similar returned
>> - any hidden iframe prompt=none&response_type=none way of checking for "is
>>   the user still authenticated" - OP cookies won't be loaded, resulting in
>>   no session being loaded and hence error=login_required or similar returned
>> - frontchannel logout 1.0 - relying party iframe - RP cookies won't be
>>   loaded, resulting in some implementations that depend on cookies being
>>   loaded not being able to drop the RP session
>>
>> I will be moving my OP implementation to use "None" as the sameSite value for
>> the OP Session Cookie as well as the Session Management Client State cookies
>> the moment my web framework's cookie interface allows that as a value. This
>> will hopefully be ignored by browsers not implementing that value, resulting
>> in the old default, which is "None" implicitly, and will for sure keep
>> existing behaviours for the browsers that do.
>>
>> Best,
>> *Filip Skokan*
>>
>>
>> On Thu, 9 May 2019 at 17:19, Mike Jones via Openid-specs-ab <
>> openid-specs-ab at lists.openid.net> wrote:
>>
>>> Spec Call Notes 9-May-19
>>>
>>> Mike Jones
>>> Roland Hedberg
>>> Brian Campbell
>>> Torsten Lodderstedt
>>> Bjorn Hjelm
>>> George Fletcher
>>> Tom Jones
>>>
>>>
>>> OpenID Certification
>>>
>>> - Roland created certification tests for Session, Front-Channel, and
>>>   Back-Channel, which are now being tested
>>> - Filip Skokan provided a lot of early feedback on the OP tests
>>> - We now need instructions for testing so others can do so
>>>   - It seems that there will need to be some browser-specific instructions
>>>     in some cases
>>> - There are RP logout tests also but they haven't been tested yet by others
>>>   than Roland
>>>
>>>
>>> Authentication Failed Error Code Draft
>>>
>>> - This is issue #1029
>>> - The error code is now unmet_authentication_requirements
>>> - Torsten submitted and Mike will publish the working group draft
>>>
>>>
>>> OpenID Connect for Identity Proofing
>>>
>>> - Another new draft was published at
>>>   https://openid.net/specs/openid-connect-4-identity-assurance.html
>>> - Torsten led a discussion at IIW
>>> - A lot of good feedback was received, including on requirements for other
>>>   jurisdictions
>>> - It was pointed out that some proofs will require multiple documents
>>>   - Torsten is working on updated syntax for that
>>>   - See issue #1082: Support for multiple proof sources
>>> - Reviews are solicited
>>> - We agreed that Torsten should present this during EIC
>>>
>>>
>>> EIC Next Week
>>>
>>> - Roland, Torsten, Bjorn, George, and Mike will be at EIC next week
>>>
>>>
>>> Distinguishing first and third party cookies
>>>
>>> - George let us know that there's a spec that adds the same-site qualifier
>>>   to cookies
>>>   - https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
>>>   - Values are none, strict, and lax
>>>   - Also see https://web.dev/samesite-cookies-explained/
>>>   - and
>>>     https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html
>>> - Google is adding support for this to Chrome
>>> - George asked whether this might affect iframe and postMessage
>>>   communication
>>>   - And whether this might affect Session Management
>>>
>>>
>>> Open Issues
>>>
>>> - https://bitbucket.org/openid/connect/issues?status=new&status=open
>>> - #1083: policy_uri, tos_uri, logo_uri missing in IANA JWT claims registry
>>>   - Brian asked whether Nat really meant the JWT Claims registry or the AS
>>>     Metadata registry
>>> - #1081: Need for a persistence user identifier - a PUID
>>>   - We discussed that change of keys is a change of identity for
>>>     self-issued
>>>   - We discussed the ability to add a "did" claim to the ID Token when it
>>>     is useful
>>>   - We discussed that the "sub" value must not change at key roll-over time
>>>
>>>
>>> Transient Subject Identifier Type
>>>
>>> - At IIW, Davide Vaghetti talked about the need for a transient
>>>   subject_type value, similar to that in SAML
>>> - Mike and John encouraged him to write a specification for it
>>>
>>>
>>> Next Call
>>>
>>> - The May 13th call is cancelled due to EIC
>>> - The next call is Thursday, May 23 at 7am Pacific Time
>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>
>>
--
hans.zandbelt at zmartzone.eu
ZmartZone IAM - www.zmartzone.eu
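A small model of the cookie-sending rules behind Filip's list of broken flows and Hans's form_post/state-cookie observation above. This is an added example, not code from either author's implementation; the flow names and cookie values are constructed, and the Secure requirement on SameSite=None cookies is the browser behaviour described in the linked Chromium post.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Request:
    cross_site: bool   # initiator's site differs from the target site
    top_level: bool    # navigation (address bar changes) vs. iframe/XHR load
    method: str        # HTTP method used for the request

def cookie_sent(samesite: Optional[str], req: Request) -> bool:
    """True if a cookie with this SameSite attribute is attached to req.
    A missing attribute is treated as Lax, the new default under discussion."""
    mode = (samesite or "Lax").lower()
    if not req.cross_site or mode == "none":
        return True                   # same-site, or explicit cross-site opt-in
    if mode == "strict":
        return False                  # never attached to cross-site requests
    # Lax: only top-level navigations with a safe method carry the cookie.
    # (Chrome's temporary "Lax+POST" grace window is not modelled here.)
    return req.top_level and req.method.upper() in ("GET", "HEAD")

# Constructed OIDC scenarios; every one is cross-site because OP and RP sit
# on different sites. The value is the request that must carry the cookies.
SCENARIOS = {
    "query/fragment redirect to RP": Request(True, True, "GET"),
    "form_post response to RP":      Request(True, True, "POST"),
    "hidden iframe prompt=none":     Request(True, False, "GET"),
    "session mgmt check iframe":     Request(True, False, "GET"),
    "front-channel logout iframe":   Request(True, False, "GET"),
}

def broken_flows(samesite: Optional[str]) -> List[str]:
    """Flows whose session/state cookie is dropped for the given attribute."""
    return [n for n, r in SCENARIOS.items() if not cookie_sent(samesite, r)]

def set_cookie_header(name: str, value: str, samesite: Optional[str]) -> str:
    """Set-Cookie line for the workaround Filip and Hans describe; browsers
    that honour SameSite=None also require Secure on such cookies."""
    attrs = [f"{name}={value}", "Path=/", "HttpOnly"]
    if samesite:
        attrs.append(f"SameSite={samesite}")
        if samesite.lower() == "none":
            attrs.append("Secure")
    return "; ".join(attrs)

if __name__ == "__main__":
    for mode in (None, "Lax", "Strict", "None"):
        print(f"SameSite={mode!s:6} breaks: {broken_flows(mode)}")
    print(set_cookie_header("_state", "constructed-nonce", "None"))
```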