<div dir="ltr">regular SSO state is tracked via a plain old-fashioned cookie in all of my web client implementations; there's a fancy option in mod_auth_openidc to preserve POST data across authentication requests that relies on local storage (it is disabled by default as one could argue about the security constraints in such case)<div><br></div><div>Hans.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, May 31, 2019 at 6:07 PM George Fletcher <<a href="mailto:gffletch@aol.com">gffletch@aol.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<font face="Helvetica, Arial, sans-serif">Hans,<br>
<br>
Do you use local storage (in the browser) in any of your
implementations? It sounds like Apple is going to have Safari
clear local storage in certain cases if the site is deemed to be a
"tracking" site. Just wondering about that case as well.<br>
<br>
Thanks,<br>
George<br>
</font><br>
<div class="gmail-m_-3216478719827870281moz-cite-prefix">On 5/31/19 10:05 AM, Hans Zandbelt via
Openid-specs-ab wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>+1, I've found this to be a problem for OIDC web clients that are (as the spec states) "cryptographically binding the value of this parameter with a browser cookie", and it requires special handling/workarounds, as I found in my implementation</div>
<div><br>
</div>
<div>Hans.</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Fri, May 31, 2019 at 4:00
PM George Fletcher via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF"> <font face="Helvetica, Arial,
sans-serif">Thanks for the implementation testing and
notes! --George</font><br>
<br>
<div class="gmail-m_-3216478719827870281gmail-m_-7964001476681464756moz-cite-prefix">On
5/28/19 3:35 AM, Filip Skokan via Openid-specs-ab wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">One additional side-effect of
`SameSite=Lax` being the default that isn't quite that
obvious
<div><br>
</div>
<div>The party receiving form_post responses does not
get their cookies since the request is not a
top-level redirect but a POST request from another
Origin.</div>
<div><br>
</div>
<div>Best,
<div>
<div>
<div dir="ltr" class="gmail-m_-3216478719827870281gmail-m_-7964001476681464756gmail_signature"><b>Filip</b></div>
</div>
<br>
</div>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, 9 May 2019
at 17:36, Filip Skokan <<a href="mailto:panva.ip@gmail.com" target="_blank">panva.ip@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>Here are my notes on the new "lax" cookie sameSite value default.</div>
<div><br></div>
<blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">George asked whether this might affect iframe and postMessage communication<br>
And whether this might affect Session Management</blockquote>
<div><br>
</div>
<div>If cookies are set to "Lax" by default
then the following will not work</div>
<div>
<ul>
<li>session management 1.0 - Session Status Change Notification - OP cookies won't be loaded resulting in error or changed events</li>
<li>web_message response mode - simple and relay modes with no prompts - OP cookies won't be loaded resulting in no session being loaded and hence error=login_required or similar returned</li>
<li>any hidden iframe prompt=none way of refreshing tokens - OP cookies won't be loaded resulting in no session being loaded and hence error=login_required or similar returned</li>
<li>any hidden iframe prompt=none&response_type=none way of checking for "is the user still authenticated" - OP cookies won't be loaded resulting in no session being loaded and hence error=login_required or similar returned</li>
<li>frontchannel logout 1.0 - relying party iframe - RP cookies won't be loaded resulting in some implementations that depend on cookies to be loaded not being able to drop the RP session</li>
</ul>
<div>I will be moving my OP implementation to use "None" as sameSite value for OP Session Cookie as well as Session Management Client State cookies the moment my web framework's cookie interface allows that as value. This will hopefully be ignored by browsers not implementing that value resulting in the old default which is "None" implicitly and will for sure keep existing behaviours for the browsers that do.</div>
</div>
<br class="gmail-m_-3216478719827870281gmail-m_-7964001476681464756gmail-m_261687544401628172gmail-Apple-interchange-newline">
<div>
<div dir="ltr" class="gmail-m_-3216478719827870281gmail-m_-7964001476681464756gmail-m_261687544401628172gmail_signature">Best,</div>
<div dir="ltr" class="gmail-m_-3216478719827870281gmail-m_-7964001476681464756gmail-m_261687544401628172gmail_signature"><b>Filip
Skokan</b></div>
</div>
<br>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, 9 May
2019 at 17:19, Mike Jones via Openid-specs-ab
<<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="EN-US">
<div class="gmail-m_-3216478719827870281gmail-m_-7964001476681464756gmail-m_261687544401628172gmail-m_-2571884953157384823WordSection1">
<p class="MsoNormal">Spec Call Notes
9-May-19</p>
<p class="MsoNormal">??</p>
<p class="MsoNormal">Mike Jones</p>
<p class="MsoNormal">Roland Hedberg</p>
<p class="MsoNormal">Brian Campbell</p>
<p class="MsoNormal">Torsten Lodderstedt</p>
<p class="MsoNormal">Bjorn Hjelm</p>
<p class="MsoNormal">George Fletcher</p>
<p class="MsoNormal">Tom Jones</p>
<p class="MsoNormal">??</p>
<p class="MsoNormal">OpenID Certification</p>
<p class="MsoNormal">??????????????????????????
Roland created certification tests for
Session, Front-Channel, and Back-Channel,
which are now being tested</p>
<p class="MsoNormal">??????????????????????????
Filip Skokan provided a lot of early
feedback on the OP tests</p>
<p class="MsoNormal">??????????????????????????
We now need instructions for testing so
others can do so</p>
<p class="MsoNormal">????????????????????????????????????????????????????
It seems that there will need to be some
browser-specific instructions in some
cases</p>
<p class="MsoNormal">??????????????????????????
There are RP logout tests also but they
haven't been tested yet by others than
Roland</p>
<p class="MsoNormal">??</p>
<p class="MsoNormal">Authentication Failed
Error Code Draft</p>
<p class="MsoNormal">??????????????????????????
This is issue #1029</p>
<p class="MsoNormal">??????????????????????????
The error code is now
unmet_authentication_requirements</p>
<p class="MsoNormal">??????????????????????????
Torsten submitted and Mike will publish
the working group draft</p>
<p class="MsoNormal">??</p>
<p class="MsoNormal">OpenID Connect for
Identity Proofing</p>
<p class="MsoNormal">??????????????????????????
Another new draft was published at <a href="https://openid.net/specs/openid-connect-4-identity-assurance.html" target="_blank">https://openid.net/specs/openid-connect-4-identity-assurance.html</a></p>
<p class="MsoNormal">??????????????????????????
Torsten led a discussion at IIW</p>
<p class="MsoNormal">??????????????????????????
A lot of good feedback was received,
including on requirements for other
jurisdictions</p>
<p class="MsoNormal">??????????????????????????
It was pointed out that some proofs will
require multiple documents</p>
<p class="MsoNormal">????????????????????????????????????????????????????
Torsten is working on updated syntax for
that</p>
<p class="MsoNormal">????????????????????????????????????????????????????
See issue #1082: Support for multiple
proof sources</p>
<p class="MsoNormal">??????????????????????????
Reviews are solicited</p>
<p class="MsoNormal">??????????????????????????
We agreed that Torsten should present this
during EIC</p>
<p class="MsoNormal">??</p>
<p class="MsoNormal">EIC Next Week</p>
<p class="MsoNormal">??????????????????????????
Roland, Torsten, Bjorn, George, and Mike
will be at EIC next week</p>
<p class="MsoNormal">??</p>
<p class="MsoNormal">Distinguishing first
and third party cookies</p>
<p class="MsoNormal">??????????????????????????
George let us know that there's a spec
that adds the same-site qualifier to
cookies</p>
<p class="MsoNormal">????????????????????????????????????????????????????
<a href="https://tools.ietf.org/html/draft-west-cookie-incrementalism-00" target="_blank">https://tools.ietf.org/html/draft-west-cookie-incrementalism-00</a></p>
<p class="MsoNormal">????????????????????????????????????????????????????
Values are none, strict, and lax</p>
<p class="MsoNormal">????????????????????????????????????????????????????
Also see <a href="https://web.dev/samesite-cookies-explained/" target="_blank">https://web.dev/samesite-cookies-explained/</a></p>
<p class="MsoNormal">????????????????????????????????????????????????????
and <a href="https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html" target="_blank">https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html</a></p>
<p class="MsoNormal">??????????????????????????
Google is adding support for this to
Chrome</p>
<p class="MsoNormal">??????????????????????????
George asked whether this might affect
iframe and postMessage communication</p>
<p class="MsoNormal">????????????????????????????????????????????????????
And whether this might affect Session
Management</p>
<p class="MsoNormal">??</p>
<p class="MsoNormal">Open Issues</p>
<p class="MsoNormal">??????????????????????????
<a href="https://bitbucket.org/openid/connect/issues?status=new&status=open" target="_blank">https://bitbucket.org/openid/connect/issues?status=new&status=open</a></p>
<p class="MsoNormal">??????????????????????????
#1083: policy_uri, tos_uri, logo_uri
missing in IANA JWT claims registry</p>
<p class="MsoNormal">????????????????????????????????????????????????????
Brian asked whether Nat really meant the
JWT Claims registry or the AS Metadata
registry</p>
<p class="MsoNormal">??????????????????????????
#1081: Need for a persistence user
identifier - a PUID</p>
<p class="MsoNormal">????????????????????????????????????????????????????
We discussed that change of keys is a
change of identity for self-issued</p>
<p class="MsoNormal">????????????????????????????????????????????????????
We discussed the ability to add a "did"
claim to the ID Token when it is useful</p>
<p class="MsoNormal">????????????????????????????????????????????????????
We discussed that the "sub" value must not
change at key roll-over time</p>
<p class="MsoNormal">??</p>
<p class="MsoNormal">Transient Subject
Identifier Type</p>
<p class="MsoNormal">??????????????????????????
At IIW, Davide Vaghetti talked about the
need for a transient subject_type value,
similar to that in SAML</p>
<p class="MsoNormal">??????????????????????????
Mike and John encouraged him to write a
specification for it</p>
<p class="MsoNormal">??</p>
<p class="MsoNormal">Next Call</p>
<p class="MsoNormal">??????????????????????????
The May 13th call is cancelled due EIC</p>
<p class="MsoNormal">??????????????????????????
The next call is Thursday, May 23 at 7am
Pacific Time</p>
</div>
</div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote>
</div>
</blockquote>
</div>
<br>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br clear="all">
<div><br>
</div>
-- <br>
<div dir="ltr" class="gmail-m_-3216478719827870281gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div style="font-size:small"><a href="mailto:hans.zandbelt@zmartzone.eu" target="_blank">hans.zandbelt@zmartzone.eu</a></div>
<div style="font-size:small">ZmartZone IAM - <a href="http://www.zmartzone.eu" target="_blank">www.zmartzone.eu</a><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
</blockquote>
<br>
</div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div style="font-size:small"><a href="mailto:hans.zandbelt@zmartzone.eu" target="_blank">hans.zandbelt@zmartzone.eu</a></div><div style="font-size:small">ZmartZone IAM - <a href="http://www.zmartzone.eu" target="_blank">www.zmartzone.eu</a><br></div></div></div></div></div></div>
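As an added example (it is not code from the thread, nor from mod_auth_openidc or any other implementation mentioned in it), here is a small Python model of when a browser attaches a cookie under the SameSite rules discussed above, run over the flows in Filip's list; the context names, the flow names and the option modelling a client that treats an unknown None value as Strict are assumptions of this example.

```python
# Added example (not code from the thread or any implementation named in it):
# a model of whether a browser attaches a cookie to a request, given the cookie's
# SameSite value and the request's context, applied to the flows in Filip's list.

SAME_SITE = "same_site"            # request is same-site as the cookie's site
CROSS_TOP_GET = "cross_top_get"    # top-level GET navigation from another site
CROSS_TOP_POST = "cross_top_post"  # top-level POST from another site (form_post)
CROSS_SUB = "cross_sub"            # iframe / XHR / fetch from another site

def cookie_sent(samesite, context, legacy_none_as_strict=False):
    """True if the browser attaches the cookie in this request context.
    samesite: "Strict", "Lax", "None" or None (attribute absent, treated as
    Lax under the new default the thread discusses).  legacy_none_as_strict
    models a client that rejects the None value and behaves as Strict."""
    if context == SAME_SITE:
        return True
    value = samesite or "Lax"
    if value == "None":
        return not legacy_none_as_strict
    if value == "Lax":
        return context == CROSS_TOP_GET
    return False  # Strict: never sent cross-site

# Flows from the list above plus the ordinary redirect response as the contrast
# case; each maps to the cross-site request context it relies on (assumed here).
FLOWS = {
    "form_post response to RP": CROSS_TOP_POST,
    "session management status iframe": CROSS_SUB,
    "web_message response mode": CROSS_SUB,
    "hidden iframe prompt=none refresh": CROSS_SUB,
    "front-channel logout RP iframe": CROSS_SUB,
    "query/fragment response redirect": CROSS_TOP_GET,
}

def broken_flows(samesite, legacy_none_as_strict=False):
    """Flows whose cookies would not be sent with this SameSite value."""
    return [name for name, ctx in FLOWS.items()
            if not cookie_sent(samesite, ctx, legacy_none_as_strict)]

def set_cookie_header(name, value, samesite):
    """Build a Set-Cookie line; SameSite=None is only honoured with Secure."""
    attrs = [f"{name}={value}", "HttpOnly", "Path=/"]
    if samesite == "None":
        attrs.append("Secure")
    if samesite:
        attrs.append(f"SameSite={samesite}")
    return "; ".join(attrs)

if __name__ == "__main__":
    print("broken under Lax default:", broken_flows(None))
    print(set_cookie_header("op_session", "abc", "None"))
```

Under the Lax default every entry in Filip's list is reported broken while the plain redirect response still works; SameSite=None with Secure restores all of them, and the legacy option shows why a client that misreads None breaks everything.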