OIDC Browser Interactions Special Topics Call

2021-05-05

Attendees

{Heather} May 25/26 are still the targeted dates, but may change. Google, Microsoft and Facebook are all confirmed for participation. Still trying to get Apple and Mozilla involved. Go/No Go coming soon

{Heather}

Meeting was very well attended (60 people)
Slides from the meeting
Discussion around adding a new attribute to a cookie to clear on browser close
{Vittorio} People asked: "Why are browsers preserving session on browser close?". Many apps want a persistent cookie so many will use persistent anyway.
{Vittorio} Before engaging with HTTP folks at IETF, should discuss further with Scott and team
{Heather} Having the tool in the toolbox would be helpful
{Vittorio} SameSite is still draft at IETF. Seems some of these cookies attributes are born elsewhere.
{Sam Goto} Each browser has their own process. Chrome uses this https://www.chromium.org/blink/launching-features. Intent to ship is the last call (often after a year of work). Intent to Experiment is a stronger signal where real users are exposed. TAG reviews happen here and also ask for other browser positions.
{Vittorio} Something lower level like a cookie attribute
{Sam Goto} should have been same process for SameSite https://groups.google.com/a/chromium.org/g/blink-dev/c/-unZxHbw8Pc
{Heather} First time many folks understood that this wasn't just about 3P cooies, ex: link decoration. Hopefully will trigger more interest and engagement

{Heather} Multilateral SAML one doesn't touch on 3P cookies
{Sam Goto} Concerned about premature generalization. Prefer a few well written ones
{Vittorio} Scenarios are designed to have information in a way that's easy to be consumed
{Heather} Trying to avoid suggesting solutions in these use cases
{Sam Goto} Someone needs to look at the layers all the way through
{Heather} would like to have some kind of pipeline for use cases