Browser Identity Interactions
Full Title or Meme
The full range of Browser Identity Interactions from the initial identity creation to large scale federation interactions.
- The OpenID Connect protocol was the first major successful method to create Single Sign On (SSO) functionality in commonly available browsers.
- This protocol worked its magic by a method now known as front-channel even though that term does not appear in the OpenID Connect spec.
- Front channel communications relies on communications from the IdP to the RP to flow through the user's browser, rather than the back channel flow directly between the Idp and RP.
- The problem occurs when the RP and IdP are not in the same domain (or origin see wiki page Cross-Origin iFrame for descriptions of those terms.
- Will not be able to detect the IDP session changes, hence will not be able to log out from the client application using front channel (back channel still works).
- Sign in functionality will work, but there is no SSO experience between multiple applications. That is between sites that are not recognized as first party sites. This applies only to RPs that embed the sign in page in the RP site as an iFrame, pop up or similar.
- The password manager (PM) is a pluggable feature in the browser. Generally the HTTP hooks are standardized, but the manager itself does not appear to be.
- The PM can recognize when a user has been at a site before and that the site is asking for a user name and password.
- The use of third party cookies to track the user from the RP to the IdP is the same method used by advertisers to track user behavior on the Web.
- The browsers all block some use of third party cookies in 2020 and are set to soon block all use of third party cookies.
- Most of the money made on the web is through advertising. Companies like Google cannot afford the loss of their primary revenue stream.