[Openid-specs-ab] 3rd party and SameSite cookies (was Browser Interactions STC - Meeting Notes - 2021-05-05)

Sam Goto goto at google.com
Fri Apr 29 04:32:29 UTC 2022


Rowan, friendly ping?

Any updates on this?

I ran into George today who asked me (again) if we can be more clear about
which specific cookies are expected to be blocked.

Sam

On Mon, Feb 28, 2022, 3:51 PM Sam Goto <goto at google.com> wrote:

> Hey Brian,
>
>    Apologies for the delay, I know that this is an important question that
> we haven't been able to answer affirmatively/appropriately, so bringing in
> more folks here which would know best (apologies for the delay, a lot of
> moving parts here on my side).
>
> On Fri, May 7, 2021 at 2:37 PM Brian Campbell <bcampbell at pingidentity.com>
> wrote:
>
>> My apologies for joining this call late and in the middle of discussions
>> on a topic that I'm hoping to reconcile understanding on. I said I'd send a
>> message seeking clarification on that topic. So here is that message. But
>> I'm struggling to articulate it so please bear with me.
>>
>> In identity protocols, a cross-site navigation resulting in a POST
>> request typically happens by the first site returning an HTML page that
>> has a form that is auto-submitted via JavaScript to the second site. That's
>> how SAML Post binding works. And so does the OIDC/OAuth form post
>> response mode
>> <https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html>.
>>
>> (As best I understand it anyway) a previously set cookie with
>> SameSite=None will be sent by the browser on such a top-level cross-site
>> POST request. Some folks have suggested that that will change with 3rd
>> party cookies going away and that even a SameSite=None cookie will no
>> longer be sent in that situation. But in my mental model of this stuff, the
>> situation will be unchanged by 3rd party cookies going away - it's a
>> cross-site request but because it is a top-level navigation the cookies are
>> 1st party. SameSite enforcement is in place so SameSite=None cookies will
>> be sent. But it's not 3rd party so is not impacted by disappearance or
>> partitioning of 3rd party cookies.
>>
>> Anyway, that's what I'm hoping Sam can provide clarification on. Mostly
>> for the benefit of my own understanding but also for the benefit of the
>> group here as recent discussions have suggested that folks have divergent
>> understanding and expectations of things.
>>
>> That behaviour changing would be problematic, for example and as others
>> have pointed out, because OIDC RPs receiving an ID token via the form post
>> response mode need the 'nonce cookie
>> <https://openid.net/specs/openid-connect-core-1_0.html#NonceNotes>'
>> value (which ties the ID token to the browser the SSO flow was initiated
>> on) at that point in validating the token. Maybe further confusing things
>> is that at least in Chrome there was a temporary(?) exception made for the
>> nonce cookie case with the rollout of the SameSite default change to Lax -
>> the "Lax + POST mitigation" section at
>> https://www.chromium.org/updates/same-site/faq and it looks like there's
>> an attempt to capture that in the coming update to RFC 6265
>> https://github.com/httpwg/http-extensions/pull/1435/files
>>
>
> I am probably the Sam in question, but I'd prefer to get some more
> authoritative answer from Rowan.
>
> Rowan, can you clarify how you'd expect SameSite=None to behave going
> forward?
>
>> On Wed, May 5, 2021 at 12:49 PM Tim Cappalli via Openid-specs-ab <
>> openid-specs-ab at lists.openid.net> wrote:
>>
>>> Hey all,
>>>
>>> Here are the meeting notes from today's special topic call. Please feel
>>> free to add or correct anything.
>>>
>>> openid / connect / wiki / Browser Interactions Special Topics Call -
>>> 20210505 — Bitbucket
>>> <https://bitbucket.org/openid/connect/wiki/Browser%20Interactions%20Special%20Topics%20Call%20-%2020210505>
>>>
>>> Next meeting is in two weeks on May 19th (UTC).
>>>
>>> Tim
>>>
>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>
>>
>
>
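To make the behaviour Brian asks about concrete, here is an added model (not code from the thread or from any browser) of the SameSite rules that decide whether a cookie rides along on a cross-site request, applied to the form post response mode: the RP sets a nonce cookie, then the OP's auto-submitted form POSTs the ID token back to the RP as a top-level cross-site navigation. The hostnames are implicit and the function names are hypothetical; the two-minute window is the value Chrome documents for its "Lax + POST" mitigation.

```javascript
// Added example: a model of SameSite cookie delivery, including Chrome's
// "Lax + POST" mitigation. Function and field names are hypothetical.

const LAX_POST_WINDOW_MS = 2 * 60 * 1000; // Chrome's documented 2-minute window

// cookie:  { name, sameSite: 'None' | 'Lax' | 'Strict' | undefined, secure, setAtMs }
// request: { crossSite, topLevelNavigation, method, https }
function cookieSent(cookie, request, nowMs) {
  // A SameSite=None cookie without Secure is refused at set time, so it is
  // never available to send on any request.
  if (cookie.sameSite === 'None' && !cookie.secure) return false;
  // Secure cookies only travel over HTTPS.
  if (cookie.secure && !request.https) return false;
  // Same-site requests are unaffected by the SameSite attribute.
  if (!request.crossSite) return true;

  const mode = cookie.sameSite === undefined ? 'Lax' : cookie.sameSite; // default-Lax
  if (mode === 'None') return true;     // explicitly opted in to cross-site use
  if (mode === 'Strict') return false;  // never on a cross-site request
  // Lax: sent on cross-site requests only for top-level navigations using a
  // safe method ...
  if (!request.topLevelNavigation) return false;
  if (request.method === 'GET' || request.method === 'HEAD') return true;
  // ... except the "Lax + POST" mitigation: a cookie with NO SameSite attribute
  // is still sent on a top-level cross-site POST if it was set under 2 minutes ago.
  return cookie.sameSite === undefined && nowMs - cookie.setAtMs < LAX_POST_WINDOW_MS;
}

// Form post response mode: the OP's auto-submitted form POSTs the ID token to
// the RP's redirect_uri as a top-level, cross-site navigation over HTTPS.
const FORM_POST_TO_RP = { crossSite: true, topLevelNavigation: true, method: 'POST', https: true };

// Does the RP get its nonce cookie back when the form post lands, given the
// cookie's SameSite attribute and how many seconds earlier it was set?
function nonceCookieDelivered(sameSite, ageSeconds) {
  const nonceCookie = { name: 'nonce', sameSite, secure: true, setAtMs: 0 };
  return cookieSent(nonceCookie, FORM_POST_TO_RP, ageSeconds * 1000);
}

for (const [label, sameSite, age] of [
  ['SameSite=None; Secure', 'None', 600],
  ['SameSite=Lax', 'Lax', 30],
  ['no SameSite, set 30s ago', undefined, 30],
  ['no SameSite, set 10min ago', undefined, 600],
]) {
  console.log(`${label}: nonce cookie sent = ${nonceCookieDelivered(sameSite, age)}`);
}
```

Only the SameSite=None; Secure cookie and the freshly set attribute-less cookie reach the RP on the POST; a Lax or Strict nonce cookie does not, which is why the RP cannot validate the ID token in that case.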