Difference between revisions of "Browser Identity Interactions"

From MgmtWiki
Revision as of 10:11, 3 June 2021

Full Title or Meme

The full range of Browser Identity Interactions from the initial identity creation to large scale federation interactions.

Context

  • The OpenID Connect protocol was the first major successful method to create Single Sign On (SSO) functionality in commonly available browsers.
  • This protocol worked its magic by a method now known as front-channel even though that term does not appear in the OpenID Connect spec.
    • Front-channel communication relies on messages from the IdP to the RP flowing through the user's browser, rather than the back-channel flow that goes directly between the IdP and the RP.
    • The problem occurs when the RP and IdP are not in the same domain (or origin; see the wiki page Cross-Origin iFrame for descriptions of those terms).
    • The RP will not be able to detect IdP session changes, hence will not be able to log the user out of the client application using the front channel (the back channel still works).
    • Login functionality will work, but there is no SSO experience between multiple applications, that is, between sites that are not recognized as first-party sites.
  • The password manager (PM) is a pluggable feature in the browser. Generally the HTTP hooks are standardized, but the manager itself does not appear to be.
    • The PM can recognize when a user has been at a site before and that the site is asking for a user name and password.

Problems

  • The use of third-party cookies to track the user from the RP to the IdP is the same method used by advertisers to track user behavior on the Web.
  • By 2020 all major browsers blocked some uses of third-party cookies, and they are set to soon block all use of third-party cookies.
  • Most of the money made on the web comes from advertising; companies like Google cannot afford the loss of their primary revenue stream.
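An added example, not from this wiki page, that models in Python why the front-channel session check breaks under third-party cookie blocking while the back channel keeps working: the RP page embeds an IdP iframe that compares the IdP session cookie against the session_state the RP received (the OpenID Connect Session Management check), and a browser that blocks third-party cookies hides that cookie from the cross-site iframe. The origins, cookie values, and returning "error" when the cookie is unreadable are assumptions for the model.

```python
import hashlib

RP_ORIGIN = "https://rp.example"    # constructed; the top-level page the user visits
IDP_ORIGIN = "https://idp.example"  # constructed; a different site, so its cookie is third-party


class CookieJar:
    """Browser cookie jar with a switch modelling the third-party cookie block."""

    def __init__(self, block_third_party):
        self.block_third_party = block_third_party
        self.cookies = {}  # (origin, name) -> value

    def set(self, origin, name, value):
        self.cookies[(origin, name)] = value

    def get(self, top_level_origin, request_origin, name):
        # A cookie is third-party when the frame's origin differs from the top-level page.
        if self.block_third_party and request_origin != top_level_origin:
            return None
        return self.cookies.get((request_origin, name))


def session_state(client_id, rp_origin, op_session, salt="s1"):
    # OIDC Session Management: hash(client_id + " " + origin + " " + OP browser state + " " + salt) "." salt
    digest = hashlib.sha256(f"{client_id} {rp_origin} {op_session} {salt}".encode()).hexdigest()
    return f"{digest}.{salt}"


def check_session_iframe(jar, top_level_origin, client_id, expected_state):
    # Runs inside the IdP iframe embedded in the RP page: requests come from IDP_ORIGIN
    # while the top-level page is the RP, so the OP cookie is a third-party cookie here.
    op_session = jar.get(top_level_origin, IDP_ORIGIN, "op_session")
    if op_session is None:
        return "error"  # assumption: iframe cannot read the OP cookie, so it cannot judge
    salt = expected_state.rsplit(".", 1)[1]
    return "unchanged" if session_state(client_id, top_level_origin, op_session, salt) == expected_state else "changed"


def front_channel_logout_detected(block_third_party):
    """Return the iframe's answer before and after the IdP session changes."""
    jar = CookieJar(block_third_party)
    jar.set(IDP_ORIGIN, "op_session", "sess-A")
    state = session_state("rp-client", RP_ORIGIN, "sess-A")  # value the RP stored at login
    before = check_session_iframe(jar, RP_ORIGIN, "rp-client", state)
    jar.set(IDP_ORIGIN, "op_session", "sess-B")  # user logs out / logs in again at the IdP
    after = check_session_iframe(jar, RP_ORIGIN, "rp-client", state)
    return before, after


def back_channel_logout(rp_sessions, sid):
    """Direct IdP-to-RP server call: no browser, no cookies, unaffected by the block."""
    return rp_sessions.pop(sid, None) is not None
```

With third-party cookies allowed the iframe reports "unchanged" then "changed"; with them blocked it reports "error" both times, so the RP never learns of the logout, while back_channel_logout still removes the RP session.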

References