<div dir="ltr"><div>+1, I've found this to be a problem for OIDC web clients that (as the spec states) "cryptographically binding the value of this parameter with a browser cookie." and requires special handling/workarounds as I found in my implementation</div><div><br></div><div>Hans.</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, May 31, 2019 at 4:00 PM George Fletcher via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF">
    <font face="Helvetica, Arial, sans-serif">Thanks for the
      implementation testing and notes! --George</font><br>
    <br>
    <div class="gmail-m_-7964001476681464756moz-cite-prefix">On 5/28/19 3:35 AM, Filip Skokan via
      Openid-specs-ab wrote:<br>
    </div>
    <blockquote type="cite">
      
      <div dir="ltr">One additional side-effect of `SameSite=Lax` being
        the default that isn't quite that obvious
        <div><br>
        </div>
        <div>The party receiving form_post responses does not get their
          cookies since the request is not a top-level redirect but a
          POST request from another Origin.</div>
        <div><br>
        </div>
        <div>Best,
          <div>
            <div>
              <div dir="ltr" class="gmail-m_-7964001476681464756gmail_signature"><b>Filip</b></div>
            </div>
            <br>
          </div>
        </div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr" class="gmail_attr">On Thu, 9 May 2019 at 17:36,
          Filip Skokan <<a href="mailto:panva.ip@gmail.com" target="_blank">panva.ip@gmail.com</a>> wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
          <div dir="ltr">
            <div dir="ltr">
              <div dir="ltr">
                <div dir="ltr">
                  <div>Here are my notes on the new "lax" cookie
                    sameSite value default.</div>
                  <div><br></div>
                  <blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">George asked
                    whether this might affect iframe and postMessage
                    communication<br>
                    And whether this might affect Session Management</blockquote>
                  <div><br>
                  </div>
                  <div>If cookies are set to "Lax" by default then the
                    following will not work</div>
                  <div>
                    <ul>
                      <li>session management 1.0 - Session Status Change
                        Notification - OP cookies won't be loaded
                        resulting in error or changed events</li>
                      <li>web_message response mode - simple and relay
                        modes with no prompts - OP cookies won't be
                        loaded resulting in no session being loaded and
                        hence error=login_required or similar returned</li>
                      <li>any hidden iframe prompt=none way of
                        refreshing tokens - OP cookies won't be loaded
                        resulting in no session being loaded and hence
                        error=login_required or similar returned</li>
                      <li>any hidden iframe
                        prompt=none&response_type=none way of
                        checking for "is the user still authenticated" -
                        OP cookies won't be loaded resulting in no
                        session being loaded and hence
                        error=login_required or similar returned</li>
                      <li>frontchannel logout 1.0 - relying party iframe
                        - RP cookies won't be loaded resulting in some
                        implementations that depend on cookies to be
                        loaded not being able to drop the RP session<br>
                      </li>
                    </ul>
                    <div>I will be moving my OP implementation to use
                      "None" as sameSite value for OP Session Cookie as
                      well as Session Management Client State cookies the
                      moment my web framework's cookie interface allows
                      that as value. This will hopefully be ignored by
                      browsers not implementing that value resulting in
                      the old default which is "None" implicitly and
                      will for sure keep existing behaviours for the
                      browsers that do.</div>
                  </div>
                  <br class="gmail-m_-7964001476681464756gmail-m_261687544401628172gmail-Apple-interchange-newline">
                  <div>
                    <div dir="ltr" class="gmail-m_-7964001476681464756gmail-m_261687544401628172gmail_signature">Best,</div>
                    <div dir="ltr" class="gmail-m_-7964001476681464756gmail-m_261687544401628172gmail_signature"><b>Filip
                        Skokan</b></div>
                  </div>
                  <br>
                </div>
              </div>
            </div>
          </div>
          <br>
          <div class="gmail_quote">
            <div dir="ltr" class="gmail_attr">On Thu, 9 May 2019 at
              17:19, Mike Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>>
              wrote:<br>
            </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
              <div lang="EN-US">
                <div class="gmail-m_-7964001476681464756gmail-m_261687544401628172gmail-m_-2571884953157384823WordSection1">
                  <p class="MsoNormal">Spec Call Notes 9-May-19</p>
                  <p class="MsoNormal">Mike Jones</p>
                  <p class="MsoNormal">Roland Hedberg</p>
                  <p class="MsoNormal">Brian Campbell</p>
                  <p class="MsoNormal">Torsten Lodderstedt</p>
                  <p class="MsoNormal">Bjorn Hjelm</p>
                  <p class="MsoNormal">George Fletcher</p>
                  <p class="MsoNormal">Tom Jones</p>
                  <p class="MsoNormal">OpenID Certification</p>
                  <ul>
                    <li>Roland created certification tests for Session, Front-Channel, and
                      Back-Channel, which are now being tested</li>
                    <li>Filip Skokan provided a lot of early feedback on the OP tests</li>
                    <li>We now need instructions for testing so others can do so
                      <ul>
                        <li>It seems that there will need to be some
                          browser-specific instructions in some cases</li>
                      </ul>
                    </li>
                    <li>There are RP logout tests also but they haven't been tested yet by
                      others than Roland</li>
                  </ul>
                  <p class="MsoNormal">Authentication Failed Error Code Draft</p>
                  <ul>
                    <li>This is issue #1029</li>
                    <li>The error code is now unmet_authentication_requirements</li>
                    <li>Torsten submitted and Mike will publish the working group draft</li>
                  </ul>
                  <p class="MsoNormal">OpenID Connect for Identity Proofing</p>
                  <ul>
                    <li>Another new draft was published at <a href="https://openid.net/specs/openid-connect-4-identity-assurance.html" target="_blank">https://openid.net/specs/openid-connect-4-identity-assurance.html</a></li>
                    <li>Torsten led a discussion at IIW</li>
                    <li>A lot of good feedback was received, including on requirements for
                      other jurisdictions</li>
                    <li>It was pointed out that some proofs will require multiple documents
                      <ul>
                        <li>Torsten is working on updated syntax for that</li>
                        <li>See issue #1082: Support for multiple proof sources</li>
                      </ul>
                    </li>
                    <li>Reviews are solicited</li>
                    <li>We agreed that Torsten should present this during EIC</li>
                  </ul>
                  <p class="MsoNormal">EIC Next Week</p>
                  <ul>
                    <li>Roland, Torsten, Bjorn, George, and Mike will be at EIC next week</li>
                  </ul>
                  <p class="MsoNormal">Distinguishing first and third party cookies</p>
                  <ul>
                    <li>George let us know that there's a spec that adds the same-site
                      qualifier to cookies
                      <ul>
                        <li><a href="https://tools.ietf.org/html/draft-west-cookie-incrementalism-00" target="_blank">https://tools.ietf.org/html/draft-west-cookie-incrementalism-00</a></li>
                        <li>Values are none, strict, and lax</li>
                        <li>Also see <a href="https://web.dev/samesite-cookies-explained/" target="_blank">https://web.dev/samesite-cookies-explained/</a></li>
                        <li>and <a href="https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html" target="_blank">https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html</a></li>
                      </ul>
                    </li>
                    <li>Google is adding support for this to Chrome</li>
                    <li>George asked whether this might affect iframe and postMessage
                      communication
                      <ul>
                        <li>And whether this might affect Session Management</li>
                      </ul>
                    </li>
                  </ul>
                  <p class="MsoNormal">Open Issues</p>
                  <ul>
                    <li><a href="https://bitbucket.org/openid/connect/issues?status=new&status=open" target="_blank">https://bitbucket.org/openid/connect/issues?status=new&status=open</a></li>
                    <li>#1083: policy_uri, tos_uri, logo_uri missing in IANA JWT claims
                      registry
                      <ul>
                        <li>Brian asked whether Nat really meant the JWT Claims
                          registry or the AS Metadata registry</li>
                      </ul>
                    </li>
                    <li>#1081: Need for a persistence user identifier - a PUID
                      <ul>
                        <li>We discussed that change of keys is a change of
                          identity for self-issued</li>
                        <li>We discussed the ability to add a "did" claim to the ID
                          Token when it is useful</li>
                        <li>We discussed that the "sub" value must not change at
                          key roll-over time</li>
                      </ul>
                    </li>
                  </ul>
                  <p class="MsoNormal">Transient Subject Identifier Type</p>
                  <ul>
                    <li>At IIW, Davide Vaghetti talked about the need for a transient
                      subject_type value, similar to that in SAML</li>
                    <li>Mike and John encouraged him to write a specification for it</li>
                  </ul>
                  <p class="MsoNormal">Next Call</p>
                  <ul>
                    <li>The May 13th call is cancelled due to EIC</li>
                    <li>The next call is Thursday, May 23 at 7am Pacific Time</li>
                  </ul>
                </div>
              </div>
              _______________________________________________<br>
              Openid-specs-ab mailing list<br>
              <a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
              <a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
            </blockquote>
          </div>
        </blockquote>
      </div>
      <br>
    </blockquote>
    <br>
  </div>

</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div style="font-size:small"><a href="mailto:hans.zandbelt@zmartzone.eu" target="_blank">hans.zandbelt@zmartzone.eu</a></div><div style="font-size:small">ZmartZone IAM - <a href="http://www.zmartzone.eu" target="_blank">www.zmartzone.eu</a><br></div></div></div></div></div></div></div>
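<p>As an added illustration (not code from the thread or from any of the participants' implementations), the script below models the SameSite rules a browser applies and evaluates them against the cross-site requests Filip lists: the form_post response into the RP, the hidden OP iframes (prompt=none, web_message, session status), and the front-channel logout RP iframe. The hostnames op.example and rp.example, the cookie values and the flow table are constructed; "site" is approximated by the last two host labels rather than a public-suffix lookup.</p>

```javascript
// Added example (not from the thread): a model of the SameSite cookie rules,
// applied to the cross-site requests the OIDC flows discussed above make.
// Hostnames, cookie names and the flow table are constructed for illustration.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// "Site" approximated as the last two host labels (no public-suffix list here).
function site(host) {
  return host.split(".").slice(-2).join(".");
}

// cookie: { sameSite?: "Strict" | "Lax" | "None", secure: boolean }
// req:    { method, cookieHost, initiatorHost, topLevel, https }
// Returns true when a browser applying Lax-by-default would attach the cookie.
// (Chrome's transitional "Lax+POST" two-minute exception is not modelled.)
function cookieSent(cookie, req) {
  if (site(req.cookieHost) === site(req.initiatorHost)) return true; // same-site: always sent
  const mode = cookie.sameSite || "Lax"; // an unset attribute now means Lax
  if (mode === "Strict") return false;
  if (mode === "Lax") return req.topLevel && SAFE_METHODS.has(req.method);
  // "None" is honoured only for a Secure cookie on an HTTPS request.
  return mode === "None" && cookie.secure && req.https;
}

// Cross-site requests from the thread; op.example and rp.example are made up.
const FLOWS = {
  // response_mode=form_post: the OP auto-submits a top-level POST into the RP.
  form_post: { method: "POST", cookieHost: "rp.example", initiatorHost: "op.example", topLevel: true, https: true },
  // Hidden prompt=none / web_message / session-status iframe on the RP page, loading the OP.
  op_iframe: { method: "GET", cookieHost: "op.example", initiatorHost: "rp.example", topLevel: false, https: true },
  // Front-channel logout: the OP page embeds an RP iframe.
  rp_logout_iframe: { method: "GET", cookieHost: "rp.example", initiatorHost: "op.example", topLevel: false, https: true },
  // Plain code-flow redirect: a top-level GET back to the RP, which Lax still allows.
  top_level_redirect: { method: "GET", cookieHost: "rp.example", initiatorHost: "op.example", topLevel: true, https: true },
};

// Map each flow to whether the cookie would be attached.
function evaluate(cookie) {
  const result = {};
  for (const [name, req] of Object.entries(FLOWS)) result[name] = cookieSent(cookie, req);
  return result;
}

// The opt-out Filip describes for OP session / client-state cookies; None requires Secure.
function setCookieHeader(name, value) {
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=None`;
}

console.log("unset (Lax default):", evaluate({ secure: true }));
console.log("SameSite=None; Secure:", evaluate({ sameSite: "None", secure: true }));
console.log(setCookieHeader("_session", "constructed-value"));
```

Under the Lax default every cross-site entry except the top-level redirect comes back false, which is the failure mode behind the error=login_required and state-cookie problems described in the thread; with SameSite=None plus Secure they all come back true.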