[Openid-specs-ab] [External Sender] Working Group Last Call for OpenID Connect Logout Specifications

Mike Jones Michael.Jones at microsoft.com
Thu May 5 10:35:52 UTC 2022


We already have warnings in the two specs affected.  People are requested to review the warning text and propose updates to the wording, if desired.  The two warnings are at:

  *   https://openid.bitbucket.io/connect/openid-connect-session-1_0.html#ThirdPartyContent
  *   https://openid.bitbucket.io/connect/openid-connect-frontchannel-1_0.html#ThirdPartyContent

The warning in the Front-Channel spec is as follows:
4.1.  User Agents Blocking Access to Third-Party Content
Note that at the time of this writing, some User Agents (browsers) are starting to block access to third-party content by default to block some mechanisms used to track the End-User's activity across sites. Specifically, the third-party content being blocked is website content with an origin different than the origin of the focused User Agent window. Site data includes cookies and any web storage APIs (sessionStorage, localStorage, etc.).
This can prevent the ability for notifications from the OP at the RP from being able to access the RP's User Agent state to implement local logout actions. In particular, the frontchannel_logout_uri might not be able to access the RP's login state when rendered by the OP in an iframe because the iframe is in a different origin than the OP's page. Therefore, deployments of this specification are recommended to include defensive code to detect this situation, and if possible, notify the End-User that the requested RP logouts could not be performed. The details of the defensive code needed are beyond the scope of this specification; it may vary per User Agent and may vary over time, as the User Agent tracking prevention situation is fluid and continues to evolve.
OpenID Connect Back-Channel Logout 1.0 (https://openid.bitbucket.io/connect/openid-connect-frontchannel-1_0.html#OpenID.BackChannel) [OpenID.BackChannel] is not known to be affected by these developments.
                                                       Thanks all,
                                                       -- Mike
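The Front-Channel warning quoted above recommends "defensive code" on the RP side but leaves the details out of scope. The following is an added example of what such code can look like on the page served at an RP's frontchannel_logout_uri; it is not code from the OpenID specifications or from anyone in this thread. It assumes an RP convention of keeping a JS-readable copy of { iss, sid } under the localStorage key 'rp_session', an OP origin of 'https://op.example', and an out-of-spec postMessage channel for reporting an unconfirmed logout back to the OP page. The decision logic is kept separate from the browser calls so it can be run and tested under Node.

```javascript
// Added example: defensive code for an RP's frontchannel_logout_uri page.
// This is NOT code from the OpenID specs or from anyone in this thread; the
// origin 'https://op.example', the localStorage key 'rp_session' and the
// postMessage status channel are assumptions made for illustration.

// The OP appends iss and sid query parameters to frontchannel_logout_uri when
// frontchannel_logout_session_required is true. Parse them off the page URL.
function parseLogoutRequest(pageUrl) {
  const u = new URL(pageUrl);
  return { iss: u.searchParams.get('iss'), sid: u.searchParams.get('sid') };
}

// Pure decision logic, separated from browser APIs so it can be unit-tested.
//   probe.framed           the page runs inside an iframe (window !== window.top)
//   probe.session          the RP login state readable from this context, e.g.
//                          { iss, sid } parsed from localStorage, or null
//   probe.hasStorageAccess result of document.hasStorageAccess(), or null if
//                          the Storage Access API is unavailable
function classifyLogoutContext(req, probe) {
  if (!probe.framed) {
    // Top-level navigation is first-party: storage is not partitioned.
    return { action: 'logout', status: 'done', reason: 'top-level' };
  }
  if (probe.session === null) {
    // No RP state is reachable from inside the OP's iframe. Either the browser
    // blocked/partitioned third-party storage or the user was never logged in
    // here; the iframe alone cannot tell these apart, so report "unconfirmed"
    // rather than silently claiming success.
    const reason = probe.hasStorageAccess === false
      ? 'third-party-state-blocked'
      : 'no-local-state';
    return { action: 'report', status: 'unconfirmed', reason };
  }
  // State is readable: only clear it if the request is for this OP session,
  // so a stray or forged logout request cannot log the user out of a
  // different session.
  if ((req.iss && req.iss !== probe.session.iss) ||
      (req.sid && req.sid !== probe.session.sid)) {
    return { action: 'ignore', status: 'rejected', reason: 'iss/sid mismatch' };
  }
  return { action: 'logout', status: 'done', reason: 'session-matched' };
}

// Browser glue. Runs only inside a real page; under Node the guard below skips it.
async function runFrontChannelLogout(opOrigin) {
  const req = parseLogoutRequest(location.href);
  // Assumed RP convention: a JS-readable copy of { iss, sid } in localStorage.
  // An HttpOnly session cookie is invisible to document.cookie; an RP that only
  // has that could instead call its own backend with credentials: 'include',
  // which fails the same way when third-party cookies are blocked.
  let session = null;
  try {
    const raw = localStorage.getItem('rp_session');
    session = raw ? JSON.parse(raw) : null;
  } catch (e) {
    session = null; // access to storage itself threw: treated as unreadable
  }
  const probe = {
    framed: window !== window.top,
    session,
    hasStorageAccess: typeof document.hasStorageAccess === 'function'
      ? await document.hasStorageAccess()
      : null,
  };
  const result = classifyLogoutContext(req, probe);
  if (result.action === 'logout') {
    try { localStorage.removeItem('rp_session'); } catch (e) { /* nothing to clear */ }
  }
  if (result.action === 'report' && window.parent !== window) {
    // Assumed out-of-spec channel: tell the OP page that this RP could not
    // confirm its local logout, so the OP can warn the End-User. Target the
    // OP's origin explicitly, never '*', so the status is not handed to an
    // unrelated page that happened to embed this URL.
    window.parent.postMessage(
      { type: 'frontchannel-logout-status', sid: req.sid, ...result },
      opOrigin
    );
  }
  return result;
}

if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  runFrontChannelLogout('https://op.example');
}
```

Two points worth noting for anyone adapting this. First, the iframe cannot distinguish "third-party storage blocked" from "this user never logged in at the RP in this browser" without a hint such as document.hasStorageAccess(), so the honest outcome in that case is "unconfirmed", and the OP should show the End-User that logout at this RP could not be confirmed rather than reporting success. Second, the iss/sid comparison is what keeps a logout iframe loaded by some other embedding page from clearing an unrelated session; the postMessage target origin is what keeps the status from being read by such a page.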

From: Tim Cappalli <Tim.Cappalli at microsoft.com>
Sent: Thursday, May 5, 2022 12:12 PM
To: Artifact Binding/Connect Working Group <openid-specs-ab at lists.openid.net>; Mike Jones <Michael.Jones at microsoft.com>
Subject: Re: [Openid-specs-ab] [External Sender] Working Group Last Call for OpenID Connect Logout Specifications

My response didn't come through for some reason (thanks for letting me know Brian).

Can we add some kind of banner to these that says something like "These methods could be impacted by browser privacy changes < blah blah >" just to give the reader a heads up?

Tim
________________________________
From: Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> on behalf of Tim Cappalli via Openid-specs-ab <openid-specs-ab at lists.openid.net>
Sent: Tuesday, May 3, 2022 11:28
To: Artifact Binding/Connect Working Group <openid-specs-ab at lists.openid.net>; Mike Jones <Michael.Jones at microsoft.com>
Cc: Tim Cappalli <Tim.Cappalli at microsoft.com>; Artifact Binding/Connect Working Group <openid-specs-ab at lists.openid.net>
Subject: Re: [Openid-specs-ab] [External Sender] Working Group Last Call for OpenID Connect Logout Specifications

From: Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> on behalf of Brian Campbell via Openid-specs-ab <openid-specs-ab at lists.openid.net>
Date: Monday, May 2, 2022 at 22:36
To: Mike Jones <Michael.Jones at microsoft.com>
Cc: Brian Campbell <bcampbell at pingidentity.com>, Artifact Binding/Connect Working Group <openid-specs-ab at lists.openid.net>
Subject: Re: [Openid-specs-ab] [External Sender] Working Group Last Call for OpenID Connect Logout Specifications
It does make sense but doesn't particularly resonate for me. From what I've seen in the realm of work around browser privacy enhancements, the window for an open letter like that to be impactful has passed (arguably never existed but I digress..).  And I worry that pushing these documents forward now looks out of touch to those familiar with the current and coming browser changes and will be misleading to those unfamiliar. I seem to be in the minority in this viewpoint, however, so I won't press the issue.

On Fri, Apr 29, 2022 at 9:07 PM Mike Jones <Michael.Jones at microsoft.com> wrote:

To Brian's main question, as discussed in the working group call where we decided to have the WGLC, finalizing the logout specs puts a stake in the ground, documenting how the industry has been doing logout for OpenID Connect for years.



Finishing things matters.



Finally, there's a strategic aspect to it.  The board, at some point, may write an open letter to those proposing changing how the Web works, critiquing those changes, enumerating what would break,  and proposing an alternate path.  We would be in a stronger position for that letter if we are pointing to Final Specifications that are being broken, rather than Drafts.



Yes, we can always define new logout methods if forced to, but those would be in different specs.



I hope all of that makes sense.  I agree that this is a discussion worth having.



                                                       -- Mike



P.S.  RP-Initiated Logout isn't affected either.



From: Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> On Behalf Of Brian Campbell via Openid-specs-ab
Sent: Wednesday, April 27, 2022 2:03 PM
To: Andrii Deinega <andrii.deinega at gmail.com>
Cc: Brian Campbell <bcampbell at pingidentity.com>; Artifact Binding/Connect Working Group <openid-specs-ab at lists.openid.net>
Subject: Re: [Openid-specs-ab] [External Sender] Working Group Last Call for OpenID Connect Logout Specifications



Yeah, back-channel isn't affected by 3rd party deprecation. I wrote "so much of the functionality" rather than "all of the functionality" in an attempt to raise the general question/concern without delving into or rehashing the specifics.



On Wed, Apr 27, 2022 at 2:28 PM Andrii Deinega <andrii.deinega at gmail.com> wrote:

Brian, OpenID Connect Back-Channel Logout 1.0 from these four drafts won't be affected by any changes with 3rd party cookies from browsers' vendors, right?  Although, it somehow overlaps or "duplicates" efforts with the SSE WG.



Regards,

Andrii



On Wed, Apr 27, 2022 at 1:04 PM Brian Campbell via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:

I don't want to be too much of a wet blanket here but does it really make sense to push these through to Final knowing that changes to the treatment of 3rd party cookies in the browsers will break so much of the functionality they purport to provide?



On Tue, Apr 19, 2022 at 7:08 AM George Fletcher via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:

I support publication



On Mon, Apr 18, 2022 at 11:45 PM Mike Jones via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:

All tracked issues on the OpenID Connect logout specifications have been addressed.  These four specifications are:

  *   OpenID Connect RP-Initiated Logout 1.0
  *   OpenID Connect Session Management 1.0
  *   OpenID Connect Front-Channel Logout 1.0
  *   OpenID Connect Back-Channel Logout 1.0



This note begins a two-week Working Group Last Call (WGLC) period for these specifications.  This WGLC was agreed to on today's working group call.  If there are changes you'd like to see to them before the 60-day OpenID Foundation-wide review leading to them becoming Final Specifications, please file issues by Monday, May 2, 2022 at https://bitbucket.org/openid/connect/issues?status=new&status=open&component=Logout, tagging them with the component "Logout".  Or if you don't want any changes, feel free to reply-all to this list saying that you support publication.



The four specifications are at:

  *   https://openid.net/specs/openid-connect-rpinitiated-1_0-02.html
  *   https://openid.net/specs/openid-connect-session-1_0-31.html
  *   https://openid.net/specs/openid-connect-frontchannel-1_0-05.html
  *   https://openid.net/specs/openid-connect-backchannel-1_0-07.html



We look forward to your review comments!



                            -- Mike (writing as a working group chair)



_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
https://lists.openid.net/mailman/listinfo/openid-specs-ab


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20220505/b6868b6b/attachment.html>

