<div dir="ltr"><div>Hey Brian,</div><div><br></div><div> Apologies for the delay, I know that this is an important question that we haven't been able to answer affirmatively/appropriately, so bringing in more folks here which would know best (apologies for the delay, a lot of moving parts here on my side).</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, May 7, 2021 at 2:37 PM Brian Campbell <<a href="mailto:bcampbell@pingidentity.com">bcampbell@pingidentity.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>My apologies for joining this call late and in the middle of discussions on a topic that I'm hoping to reconcile understanding on. I said I'd send a message seeking clarification on that topic. So here is that message. But I'm struggling to articulate it so please bear with me.</div><div><br></div><div>In identity protocols, a cross-site navigation resulting in a POST request is typically happens by the first site returning an HTML page that has a form that is auto-submitted via javascript to the second site. That's how SAML Post binding works. And so does the OIDC/OAuth <a href="https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html" target="_blank">form post response mode</a>. </div><div><br></div><div>(As best I understand it anyway) a previously set cookie with SameSite=None will be sent by the browser on such a top-level cross-site POST request. Some folks have suggested that that will change with 3rd party cookies going away and that even a SameSite=None cookie will no longer be sent in that situation. But in my mental model of this stuff, the situation will be unchanged by 3rd party cookies going away - it's a cross-site request but because it is a top-level navigation the cookies are 1st party. SameSite enforcement is in place so SameSite=None cookies will be sent. But it's not 3rd party so is not impacted by disappearance or partitioning of 3rd party cookies. <br></div><div><br></div><div>Anyway, that's what I'm hoping Sam can provide clarification on. Mostly for the benefit of my own understanding but also for the benefit of the group here as recent discussions have suggested that folks have divergent understanding and expectations of things. </div><div><br></div><div>That behaviour changing would be problematic, for example and as others have pointed out, because OIDC RPs receiving an ID token via the form post response mode need the '<a href="https://openid.net/specs/openid-connect-core-1_0.html#NonceNotes" target="_blank">nonce cookie</a>' value (which ties the ID token to the browser the SSO flow was initiated on) at that point in validating the token. Maybe further confusing things is that at least in Chrome there was a temporary(?) exception made for the nonce cookie case with the rollout of the SameSite default change to Lax - the "Lax + POST mitigation" section at <a href="https://www.chromium.org/updates/same-site/faq" target="_blank">https://www.chromium.org/updates/same-site/faq</a> and it looks like there's an attempt to capture that in the coming update to RFC 6265 <a href="https://github.com/httpwg/http-extensions/pull/1435/files" target="_blank">https://github.com/httpwg/http-extensions/pull/1435/files</a></div><div><br></div><div> <br></div></div></blockquote><div><br></div><div>I am probably the Sam in question, but I'd prefer to get some more authoritative answer from Rowan.</div><div><br></div><div>Rowan, can you clarify how you'd expect SameSite=None to behave going forward? </div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, May 5, 2021 at 12:49 PM Tim Cappalli via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div style="font-family:Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Hey all,<div><br>
</div>
<div>Here are the meeting notes from today's special topic call. Please feel free to add or correct anything.</div>
<div><br>
</div>
<div><a href="https://bitbucket.org/openid/connect/wiki/Browser%20Interactions%20Special%20Topics%20Call%20-%2020210505" id="gmail-m_-5230027516895777383m_4118906415326527272gmail-m_6053214561762467804LPlnk613739" target="_blank">openid / connect / wiki / Browser Interactions Special Topics Call - 20210505 — Bitbucket</a></div>
<div><br>
</div>
<div>Next meeting is in two weeks on May 19th (UTC).</div>
<div><br>
</div>
Tim<br>
</div>
<div>
<div style="font-family:Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div id="gmail-m_-5230027516895777383m_4118906415326527272gmail-m_6053214561762467804Signature">
<div name="divtagdefaultwrapper">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<div style="font-weight:normal;text-align:start"></div>
</div>
</div>
</div>
</div>
</div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div></div>
<br>
<i style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:baseline;background:rgb(255,255,255);font-family:proxima-nova-zendesk,system-ui,-apple-system,system-ui,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",Arial,sans-serif;color:rgb(85,85,85)"><span style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:baseline;background:transparent;font-family:proxima-nova-zendesk,system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",Arial,sans-serif;font-weight:600"><font size="2">CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.</font></span></i></blockquote></div></div>