Comments (9)
Yeah, that would be great. @erik-anderson can you help us with that?
Based on the discussion on the last call, I think it was made clear that CNAMEs are not a viable solution. Specifically, Safari and Samsung browsers are already placing restrictions, so we need to find alternative solutions for this use case.
A somewhat naive question that I have for the identity folks (perhaps @hlflanagan @gffletch or @samuelgoto can help with this) is: as a long-term solution, would you consider having rp.com embed an iframe to rp.idp.com and perform the login flow within the iframe? Are there security/other considerations that make this undesirable?
@samuelgoto This is definitely not a viable option from a Samsung Internet perspective. @krgovind if the rp.idp.com iframe is embedded in rp.com, wouldn't the original issue still stand? i.e. rp.idp.com will still need to use 3rd party cookies to manage user sessions after login on rp.com since they're not SameSite. Or have I missed something here?
Thanks Sam for filing this issue! Do you want to discuss this during Thursday's teleconference?
"A company, say rp.com, hires the services of another company, say idp.com, to host and manage its authentication system, typically giving them a rp.idp.com subdomain." is a common pattern, yes. As I understand it, CNAMEs are complicated to maintain; doable, but less common.
One concern I have is that requiring CNAMEs to solve this problem seems overly prescriptive. There are additional complications that come with using the CNAME solution that many RPs do not see as being necessary (e.g. certificate management).
One concern I have is that requiring CNAMEs to solve this problem seems overly prescriptive. There are additional complications that come with using the CNAME solution that many RPs do not see as being necessary (e.g. certificate management).
I'd like to focus/narrow this issue/discussion on whether CNAMEs are a viable option (as far as browsers are concerned) before assessing whether that's a good idea (as far as IDPs are concerned). If the result on viability comes back as negative, it doesn't matter whether this is a good idea or not. If it is viable, its merits can be compared against other alternatives, rather than in isolation.
@krgovind if the rp.idp.com iframe is embedded in rp.com, wouldn't the original issue still stand? i.e. rp.idp.com will still need to use 3rd party cookies to manage user sessions after login on rp.com since they're not SameSite. Or have I missed something here?
@lolaodelola - Indeed. We would recommend the iframe use partitioned cross-site cookies. For example, Chrome is experimenting with a new Partitioned attribute (blog post). Partitioned state prevents cross-site tracking via state-based mechanisms.
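The exchange above turns on two facts: rp.idp.com framed inside rp.com is cross-site (different registrable domain), so its session cookie is a third-party cookie that browsers increasingly block, whereas a Partitioned cookie is keyed by the top-level site and so survives blocking without being readable under any other embedder. The following is an added example, not code from the thread or from any browser; it models both points with a toy public-suffix list and a simplified cookie store (both constructed here), and the Set-Cookie builder reflects Chrome's documented requirement that Partitioned cookies also be Secure (sent cross-site with SameSite=None).

```javascript
// Added example: why an rp.idp.com iframe on rp.com is cross-site, and how a
// Partitioned (CHIPS) cookie keeps its session without enabling cross-site
// tracking. Toy public-suffix list and cookie store are assumptions, not a
// browser implementation.
const PUBLIC_SUFFIXES = new Set(['com', 'org', 'co.uk', 'github.io']);

// Registrable domain (eTLD+1): what "site" means for SameSite decisions.
function registrableDomain(host) {
  const labels = host.toLowerCase().split('.');
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) {
      return labels.slice(i - 1).join('.');
    }
  }
  return host.toLowerCase(); // unknown suffix: treat the whole host as the site
}

function sameSite(hostA, hostB) {
  return registrableDomain(hostA) === registrableDomain(hostB);
}

// Set-Cookie line for a session cookie inside a cross-site iframe.
// Partitioned requires Secure; SameSite=None is needed to be sent cross-site.
function partitionedSessionCookie(name, value, { secure = true } = {}) {
  if (!secure) throw new Error('Partitioned cookies must also be Secure');
  if (!/^[\w-]+$/.test(name)) throw new Error('invalid cookie name');
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=None; Partitioned`;
}

function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    attrs: new Set(attrs.map(a => a.split('=')[0].toLowerCase())),
  };
}

// Simplified store: unpartitioned cookies are keyed by host only;
// Partitioned cookies are keyed by (host, top-level site).
class CookieStore {
  constructor() { this.jar = new Map(); }
  set(host, topLevelHost, setCookieLine) {
    const c = parseSetCookie(setCookieLine);
    if (c.attrs.has('partitioned') && !c.attrs.has('secure')) return false; // rejected
    const key = c.attrs.has('partitioned') ? `${host}|${registrableDomain(topLevelHost)}` : host;
    if (!this.jar.has(key)) this.jar.set(key, new Map());
    this.jar.get(key).set(c.name, c.value);
    return true;
  }
  // Cookies a request from `host`, framed under `topLevelHost`, would carry.
  get(host, topLevelHost, { blockThirdParty }) {
    const out = {};
    const thirdParty = !sameSite(host, topLevelHost);
    const keys = [];
    if (!(thirdParty && blockThirdParty)) keys.push(host);
    keys.push(`${host}|${registrableDomain(topLevelHost)}`);
    for (const k of keys) for (const [n, v] of this.jar.get(k) ?? []) out[n] = v;
    return out;
  }
}

// Scenario from the thread: rp.idp.com sets a legacy cookie and a partitioned
// one while framed in rp.com; then we ask what each embedder context sees.
function demo() {
  const store = new CookieStore();
  store.set('rp.idp.com', 'rp.com', 'legacy_sid=abc; Path=/; Secure; SameSite=None');
  store.set('rp.idp.com', 'rp.com', partitionedSessionCookie('sid', 'session-for-rp'));
  return {
    iframeIsCrossSite: !sameSite('rp.idp.com', 'rp.com'),
    cnameHostIsSameSite: sameSite('login.rp.com', 'rp.com'), // e.g. login.rp.com CNAMEd to the IdP
    thirdPartyAllowed: store.get('rp.idp.com', 'rp.com', { blockThirdParty: false }),
    thirdPartyBlocked: store.get('rp.idp.com', 'rp.com', { blockThirdParty: true }),
    otherEmbedder: store.get('rp.idp.com', 'other.com', { blockThirdParty: true }),
  };
}

console.log(demo());
```

With third-party cookies blocked, only the Partitioned `sid` reaches rp.idp.com inside rp.com, and the same rp.idp.com frame on other.com sees an empty jar, which is the tracking property the comment refers to. The `login.rp.com` line shows why a CNAME sidesteps the problem entirely (it makes the host same-site), at the cost of the certificate and DNS management raised elsewhere in the thread.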
would you consider having rp.com embed an iframe to rp.idp.com and perform the login flow within the iframe?
Ah, interesting question. I do believe that, in the case when rp.idp.com is providing a service to rp.com, it would be possible for rp.idp.com to be embedded into rp.com and take authentication credentials in it (e.g. usernames/passwords).
I don't think this is common, so there is probably something I'm missing here, but I can ask around to check what I'm getting wrong.