<div dir="ltr">yeah, every legacy SAML SPs needs some level of development... :p</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">2019年5月28日(火) 17:57 Filip Skokan <<a href="mailto:panva.ip@gmail.com">panva.ip@gmail.com</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>That's what the explicit value `None` is for then :)</div><br clear="all"><div><div dir="ltr" class="gmail-m_-8505500246650701723gmail_signature">S pozdravem,<br><b>Filip Skokan</b></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 28 May 2019 at 10:56, nov matake <<a href="mailto:nov@matake.jp" target="_blank">nov@matake.jp</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="auto">oh...SAML is dead...<br><br><div id="gmail-m_-8505500246650701723gmail-m_-4483733827825654404AppleMailSignature" dir="ltr">Sent from my iPhone</div><div dir="ltr"><br>On May 28, 2019, at 16:35, Filip Skokan via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br><br></div><blockquote type="cite"><div dir="ltr"><div dir="ltr">One additional side-effect of `SameSite=Lax` being the default that isn't quite that obvious<div><br></div><div>The party receiving form_post responses does not get their cookies since the request is not a top-level redirect but a POST request from another Origin.</div><div><br></div><div>Best,<div><div><div dir="ltr" class="gmail-m_-8505500246650701723gmail-m_-4483733827825654404gmail_signature"><b>Filip</b></div></div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 9 May 2019 at 17:36, Filip Skokan <<a href="mailto:panva.ip@gmail.com" target="_blank">panva.ip@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Here are my notes on the new "lax" cookie sameSite value default.</div><div> </div><blockquote style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex" class="gmail_quote"> George asked whether this might affect iframe and postMessage communication<br> And whether this might affect Session Management</blockquote><p class="MsoNormal" style="color:rgb(0,0,0)"><u></u></p><p class="MsoNormal" style="color:rgb(0,0,0)"><u></u></p><div><br></div><div>If cookies are set to "Lax" by default then the following will not work</div><div><ul><li>session management 1.0 - Session Status Change Notification - OP cookies won't be loaded resulting in error or changed events</li><li>web_message response mode - simple and relay modes with no prompts - OP cookies won't be loaded resulting in no session being loaded and hence error=login_required or similar returned</li><li>any hidden iframe prompt=none way of refreshing tokens - OP cookies won't be loaded resulting in no session being loaded and hence error=login_required or similar returned</li><li>any hidden iframe prompt=none&response_type=none way of checking for "is the user still authenticated" - OP cookies won't be loaded resulting in no session being loaded and hence error=login_required or similar returned</li><li>frontchannel logout 1.0 - relying party iframe - RP cookies won't be loaded resulting in some implementations that depend on cookies to be loaded not being able to drop the RP session<br></li></ul><div>I will be moving my OP implementation to use "None" as sameSite value for OP Session Cookie as well Session Management Client State cookies the moment my web framework's cookie interface allows that as value. This will hopefully be ignored by browsers not implementing that value resulting in the old default which is "None" implicitly and will for sure keep existing behaviours for the browsers that do.</div></div><br class="gmail-m_-8505500246650701723gmail-m_-4483733827825654404gmail-m_261687544401628172gmail-Apple-interchange-newline"><div><div dir="ltr" class="gmail-m_-8505500246650701723gmail-m_-4483733827825654404gmail-m_261687544401628172gmail_signature">Best,</div><div dir="ltr" class="gmail-m_-8505500246650701723gmail-m_-4483733827825654404gmail-m_261687544401628172gmail_signature"><b>Filip Skokan</b></div></div><br></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 9 May 2019 at 17:19, Mike Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<div lang="EN-US">
<div class="gmail-m_-8505500246650701723gmail-m_-4483733827825654404gmail-m_261687544401628172gmail-m_-2571884953157384823WordSection1">
<p class="MsoNormal">Spec Call Notes 9-May-19<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Mike Jones<u></u><u></u></p>
<p class="MsoNormal">Roland Hedberg<u></u><u></u></p>
<p class="MsoNormal">Brian Campbell<u></u><u></u></p>
<p class="MsoNormal">Torsten Lodderstedt<u></u><u></u></p>
<p class="MsoNormal">Bjorn Hjelm<u></u><u></u></p>
<p class="MsoNormal">George Fletcher<u></u><u></u></p>
<p class="MsoNormal">Tom Jones<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">OpenID Certification<u></u><u></u></p>
<p class="MsoNormal"> Roland created certification tests for Session, Front-Channel, and Back-Channel, which are now being tested<u></u><u></u></p>
<p class="MsoNormal"> Filip Skokan provided a lot of early feedback on the OP tests<u></u><u></u></p>
<p class="MsoNormal"> We now need instructions for testing so others can do so<u></u><u></u></p>
<p class="MsoNormal"> It seems that there will need to be some browser-specific instructions in some cases<u></u><u></u></p>
<p class="MsoNormal"> There are RP logout tests also but they haven't been tested yet by others than Roland<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Authentication Failed Error Code Draft<u></u><u></u></p>
<p class="MsoNormal"> This is issue #1029<u></u><u></u></p>
<p class="MsoNormal"> The error code is now unmet_authentication_requirements<u></u><u></u></p>
<p class="MsoNormal"> Torsten submitted and Mike will publish the working group draft<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">OpenID Connect for Identity Proofing<u></u><u></u></p>
<p class="MsoNormal"> Another new draft was published at <a href="https://openid.net/specs/openid-connect-4-identity-assurance.html" target="_blank">https://openid.net/specs/openid-connect-4-identity-assurance.html</a><u></u><u></u></p>
<p class="MsoNormal"> Torsten led a discussion at IIW<u></u><u></u></p>
<p class="MsoNormal"> A lot of good feedback was received, including on requirements for other jurisdictions<u></u><u></u></p>
<p class="MsoNormal"> It was pointed out that some proofs will require multiple documents<u></u><u></u></p>
<p class="MsoNormal"> Torsten is working on updated syntax for that<u></u><u></u></p>
<p class="MsoNormal"> See issue #1082: Support for multiple proof sources<u></u><u></u></p>
<p class="MsoNormal"> Reviews are solicited<u></u><u></u></p>
<p class="MsoNormal"> We agreed that Torsten should present this during EIC<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">EIC Next Week<u></u><u></u></p>
<p class="MsoNormal"> Roland, Torsten, Bjorn, George, and Mike will be at EIC next week<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Distinguishing first and third party cookies<u></u><u></u></p>
<p class="MsoNormal"> George let us know that there's a spec that adds the same-site qualifier to cookies<u></u><u></u></p>
<p class="MsoNormal"> <a href="https://tools.ietf.org/html/draft-west-cookie-incrementalism-00" target="_blank">https://tools.ietf.org/html/draft-west-cookie-incrementalism-00</a><u></u><u></u></p>
<p class="MsoNormal"> Values are none, strict, and lax<u></u><u></u></p>
<p class="MsoNormal"> Also see <a href="https://web.dev/samesite-cookies-explained/" target="_blank">https://web.dev/samesite-cookies-explained/</a><u></u><u></u></p>
<p class="MsoNormal"> and <a href="https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html" target="_blank">https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html</a><u></u><u></u></p>
<p class="MsoNormal"> Google is adding support for this to Chrome<u></u><u></u></p>
<p class="MsoNormal"> George asked whether this might affect iframe and postMessage communication<u></u><u></u></p>
<p class="MsoNormal"> And whether this might affect Session Management<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Open Issues<u></u><u></u></p>
<p class="MsoNormal"> <a href="https://bitbucket.org/openid/connect/issues?status=new&status=open" target="_blank">https://bitbucket.org/openid/connect/issues?status=new&status=open</a><u></u><u></u></p>
<p class="MsoNormal"> #1083: policy_uri, tos_uri, logo_uri missing in IANA JWT claims registry<u></u><u></u></p>
<p class="MsoNormal"> Brian asked whether Nat really meant the JWT Claims registry or the AS Metadata registry<u></u><u></u></p>
<p class="MsoNormal"> #1081: Need for a persistence user identifier - a PUID<u></u><u></u></p>
<p class="MsoNormal"> We discussed that change of keys is a change of identity for self-issued<u></u><u></u></p>
<p class="MsoNormal"> We discussed the ability to add a "did" claim to the ID Token when it is useful<u></u><u></u></p>
<p class="MsoNormal"> We discussed that the "sub" value must not change at key roll-over time<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Transient Subject Identifier Type<u></u><u></u></p>
<p class="MsoNormal"> At IIW, Davide Vaghetti talked about the need for a transient subject_type value, similar to that in SAML<u></u><u></u></p>
<p class="MsoNormal"> Mike and John encouraged him to write a specification for it<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Next Call<u></u><u></u></p>
<p class="MsoNormal"> The May 13th call is cancelled due EIC<u></u><u></u></p>
<p class="MsoNormal"> The next call is Thursday, May 23 at 7am Pacific Time<u></u><u></u></p>
</div>
</div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div>
</blockquote></div>
</div></blockquote><blockquote type="cite"><div dir="ltr"><span>_______________________________________________</span><br><span>Openid-specs-ab mailing list</span><br><span><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a></span><br><span><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></span><br></div></blockquote></div></blockquote></div>
</blockquote></div>