13L/ Browser APIs to enable OpenID Session Management and Privacy

Browser APIs to Enable OpenID Session Management and Privacy

Wednesday 13L

Convener: Sam Goto

Notes-taker(s): Kristina Yasuda

Tags for the session - technology discussed/ideas considered:

OpenID Connect, Browser, session management, privacy, logout

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps: 

How does logout in OIDC happen?

• More flexibility on the endpoint; additional log out

• <img> is for WS-Fed

• Possible for a browser to look at a redirect and classify it as RP-initiated logout?

  • Probably - look at the message structure, if knew endpoints

  • In the OpenID Config file. .well-known location

  • Do discovery, out of config piece identify endpoint, match and identify it is a logout call

  • More signals the browser can observe, more of user-intent it can catch and can provide identity centric flow

• Cannot observe as IdPs load iFrames to logout users

• Variety of mechanisms for starting the logout flows from the RP to the IdP

  • No affordance defined how the user would initiate

  • RP/Application decides what experience it wants to offer to the user

[[File:./media/image1.png|624x353px]]

• Classification problem - browsers do not know it is a logout now

• Easiest way

  • Browser asks for a user consent

  • Hard from a permission implementation perspective

  • Tim: No issues with this idea

  • If user logged into several OPs, user will not look to all the ones they log out from

• Option2

  • Browser classifies signing-in event

  • On log out does not prompt the user and IdP has no incentives to lie

• RPs get to determine if they want to log the user out or not

• Whether you can swap generic frame with fenced frame, frame can see it’s own cookies

  • May not be able to pass any parameters that you need to pass; no link decoration for framed frame

  • Subdomains also considered, but not well thought out

  • Logout URL - other option to add, but more work for RP: Resource metadata. Specification - not much adoption. It just feels like a place where RP metadata could be declared which could be useful in this context of the RP defining its metadata (e.g. what IDP it uses

  • draft-jones-oauth-resource-metadata-01 - OAuth 2.0 Protected Resource Metadata (ietf.org)

  • On digression: https://cloudidentity.com/blog/wp-content/uploads/2013/01/3252.image_5F00_04277494.png

  • Messy real-life situation - sign in to AAD with OIDC and WS-fed; register something at sign-in. From a user, same account, does not matter which protocol is used

• What needs more to be discussed what log out means to the user

  • User does not understand when they log out from office, they also log out from Azure

  • Also a developer choice

  • Relevant one, but not much browsers can do about

  • If a bigger picture is browser wants to be in the middle, browser can do something in this area too.

• Ugly part of logout - mechanisms to allow the range of services

  • IdP does not need to send back list of all RPs user is logging out from

• Idea not entirely off for IdP to tell a browser from there it wants to log user out from

  • Browser have confident of the user intent

  • Prompt the user for the intent - never a good idea

• Logout API that community can control a behaviour of

  • You call it, browser logs it, and tell where the user left of

  • Browser observes the login - passively. Heuristics - what if the browser has not seen it..

• some of this is already starting to show up in chrome canarie

  • https://chromium-review.googlesource.com/c/chromium/src/+/2837551

• If domain name ETLD of the issuer is the same as IdP, automatically logs out

• Logout seemed natural, but what else in session management will break?

  • Background refresh of tokens - viable alternative to use refresh tokens

  • Using iframe to extend lifetime of sessions - touching and moving it

  • Nonce - trying to prevent forgery; create some transient stuff - solution to do self 200

  • Account chooser: 5 possible IdPs, remembers last ones remembered - might become impossible

• First party state? Wrt nonce, cookies will be blocked even if it looks first party

  • Classification of sign-in, where user have valid endpoints, nonce case

  • Nonce cookie should be classified samesite=none?

  • If today you do above they will work, but samsite=none goes away, and with lax that is left, but with lax it will break because user did not explicitly ask for it

• Are samsite=none and samesite cookie not the same?

  • Top of navigation or not is about lax?

  • Cookie on top level navigation will continue

  • Lax requires explicit user action

  • samesite=lax will send a cookie but not with POST, nothing that implies first vs third party; not a defined set of restrictions.

• Can you send me the list of what you are not finding alternatives for? Will happen in Tim-Heather discussion context

  • Only one with an alternative is out-of-band renewal of tokens

• Looks like we can preserve session management if we figure out logout

  • Next would be good to see pseudo code with concrete scenario and sequence diagrams

  • Pseudo text: https://github.com/WICG/WebID/blob/main/cookies.md#logout

  • Prototype is being built

• AOB? At IIW?

  • Understand what third party cookies actually mean - no cookies at all? Partition cookies going away. The way firefox is doing it?