[Openid-specs-ab] 3rd party and SameSite cookies (was Browser Interactions STC - Meeting Notes - 2021-05-05)
Sam Goto
goto at google.com
Mon Feb 28 23:51:05 UTC 2022
Hey Brian,
Apologies for the delay, I know that this is an important question that
we haven't been able to answer affirmatively/appropriately, so bringing in
more folks here which would know best (apologies for the delay, a lot of
moving parts here on my side).
On Fri, May 7, 2021 at 2:37 PM Brian Campbell <bcampbell at pingidentity.com>
wrote:
> My apologies for joining this call late and in the middle of discussions
> on a topic that I'm hoping to reconcile understanding on. I said I'd send a
> message seeking clarification on that topic. So here is that message. But
> I'm struggling to articulate it so please bear with me.
>
> In identity protocols, a cross-site navigation resulting in a POST request
> typically happens by the first site returning an HTML page that has a
> form that is auto-submitted via JavaScript to the second site. That's how
> SAML POST binding works. And so does the OIDC/OAuth form post response
> mode <https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html>.
>
>
> (As best I understand it anyway) a previously set cookie with
> SameSite=None will be sent by the browser on such a top-level cross-site
> POST request. Some folks have suggested that that will change with 3rd
> party cookies going away and that even a SameSite=None cookie will no
> longer be sent in that situation. But in my mental model of this stuff, the
> situation will be unchanged by 3rd party cookies going away - it's a
> cross-site request but because it is a top-level navigation the cookies are
> 1st party. SameSite enforcement is in place so SameSite=None cookies will
> be sent. But it's not 3rd party so is not impacted by disappearance or
> partitioning of 3rd party cookies.
>
> Anyway, that's what I'm hoping Sam can provide clarification on. Mostly
> for the benefit of my own understanding but also for the benefit of the
> group here as recent discussions have suggested that folks have divergent
> understanding and expectations of things.
>
> That behaviour changing would be problematic, for example and as others
> have pointed out, because OIDC RPs receiving an ID token via the form post
> response mode need the 'nonce cookie
> <https://openid.net/specs/openid-connect-core-1_0.html#NonceNotes>' value
> (which ties the ID token to the browser the SSO flow was initiated on) at
> that point in validating the token. Maybe further confusing things is that
> at least in Chrome there was a temporary(?) exception made for the nonce
> cookie case with the rollout of the SameSite default change to Lax - the
> "Lax + POST mitigation" section at
> https://www.chromium.org/updates/same-site/faq and it looks like there's
> an attempt to capture that in the coming update to RFC 6265
> https://github.com/httpwg/http-extensions/pull/1435/files
>
I am probably the Sam in question, but I'd prefer to get some more
authoritative answer from Rowan.
Rowan, can you clarify how you'd expect SameSite=None to behave going
forward?
> On Wed, May 5, 2021 at 12:49 PM Tim Cappalli via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
>> Hey all,
>>
>> Here are the meeting notes from today's special topic call. Please feel
>> free to add or correct anything.
>>
>> openid / connect / wiki / Browser Interactions Special Topics Call -
>> 20210505 — Bitbucket
>> <https://bitbucket.org/openid/connect/wiki/Browser%20Interactions%20Special%20Topics%20Call%20-%2020210505>
>>
>> Next meeting is in two weeks on May 19th (UTC).
>>
>> Tim
>>
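A constructed Python model of the SameSite rules Brian describes above (an added example, not code from the thread or from any browser): it decides whether a cookie rides on a top-level cross-site POST such as the OIDC form_post auto-submit, including Chrome's documented 2-minute "Lax + POST" grace window for cookies that carry no SameSite attribute. The class and function names are my own assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Chrome's "Lax + POST mitigation": a cookie with no SameSite attribute that was
# set less than 2 minutes ago is still sent on a top-level cross-site POST.
LAX_POST_WINDOW_SECONDS = 120


@dataclass
class Cookie:
    name: str
    samesite: Optional[str]  # "None", "Lax", "Strict", or None if attribute absent
    secure: bool
    age_seconds: float       # seconds since the cookie was set


@dataclass
class Request:
    cross_site: bool  # initiating site differs from the request's site
    top_level: bool   # navigation that replaces the top-level document
    method: str       # "GET" or "POST"


def cookie_is_sent(cookie: Cookie, req: Request) -> bool:
    """Return True if the browser attaches `cookie` to `req` under SameSite rules."""
    if cookie.samesite == "None":
        # SameSite=None without Secure is rejected when set, so it never exists;
        # with Secure it is sent on every request, cross-site or not.
        return cookie.secure
    if not req.cross_site:
        return True  # same-site requests always carry Lax/Strict/unspecified cookies
    if cookie.samesite == "Strict":
        return False
    if cookie.samesite == "Lax":
        # Explicit Lax: only top-level navigations with a safe method.
        return req.top_level and req.method == "GET"
    # Attribute absent: defaults to Lax, plus the Lax + POST grace window.
    if req.top_level and req.method == "GET":
        return True
    if req.top_level and req.method == "POST":
        return cookie.age_seconds < LAX_POST_WINDOW_SECONDS
    return False


def form_post_nonce_cookie_arrives(nonce_cookie: Cookie) -> bool:
    """OIDC form_post: the OP's page auto-submits a form to the RP, i.e. a
    top-level cross-site POST. Is the RP's nonce cookie on that request?"""
    return cookie_is_sent(nonce_cookie, Request(cross_site=True, top_level=True, method="POST"))
```

The model shows why an RP relying on an unattributed (default-Lax) nonce cookie only works inside the 2-minute window, while SameSite=None; Secure is the attribute that survives the form_post round trip regardless of age.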