Re: [OAUTH-WG] Full Third-Party Cookie Blocking

David Waite <david@alkaline-solutions.com> Wed, 25 March 2020 18:38 UTC

Cc: "oauth@ietf.org" <oauth@ietf.org>
To: Dominick Baier <dbaier@leastprivilege.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/MUxMHbrJFN7a4tBBOebPp3xdrpU>

More specifically, SSO will not work anymore without either:
- prompting the user (via Storage Access API)
- using explicit front-channel mechanisms (popups and redirects)
- using back-channel mechanisms (refresh tokens and some backchannel logout infrastructure)

(FWIW, I proposed a back-channel session management mechanism which would work for SPA apps under Connect, https://bitbucket.org/openid/connect/src/default/distributed-token-validity-api.txt)

In my experience, the vast majority of apps only care about SSO from a user experience perspective, and don’t want synchronized session management. Many which do want session management are hosted _mostly_ under one origin since the organization is trying to hide that they are disparate applications - but many have exceptions, such as *.google.com and YouTube.com

-DW


> On Mar 25, 2020, at 7:55 AM, Dominick Baier <dbaier@leastprivilege.com> wrote:
> 
> This
> 
> https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/
> 
> Really means that “modern” SPAs based on a combination of OIDC and OAuth will not work anymore
> 
> both
> 
> * silent-renew for access token management
> * OIDC JS session notifications
> 
> Will not work anymore. Or don’t work anymore already today - e.g. in Brave.
> 
> This means SPAs would need to be forced to do refresh tokens - and there is no solution right now for session notifications.
> 
> Maybe the browser apps BCP / OAuth 2.1 should strictly advise against the “browser apps without a back-end” scenario and promote the BFF style architecture instead.
> 
> Cheers 
> ———
> Dominick Baier