
Fixing 3rd party cookie issues by supporting LTI OIDC Login flow with LTI Client Side postMessages #129

Open
phaazebroek opened this issue Jan 15, 2024 · 5 comments

Comments

@phaazebroek

Thanks for all your work with this library!!!

Recently browsers have become more strict with regard to 3rd party cookies, with consequences for LTI 1.3 tools within iframes not being loaded: https://www.unicon.net/insights/blogs/the-solution-for-third-party-cookies-in-lti-1.3-has-arrived

There is now an approach using postMessage that seems to be supported by D2L and Blackboard:
https://www.imsglobal.org/spec/lti-cs-oidc/v0p1#problem-description-blocked-cookies-prevent-proper-oidc-flow

Would that be something you would consider implementing in this library?

Thanks!

@erikdonohoo
Collaborator

We have had to address this as well. I am not a fan of IMS Global's solution for this. It was not very well thought out. To me, the answer is CHIPS, or Partitioned Cookies. You can read more about that here.

https://developer.mozilla.org/en-US/docs/Web/Privacy/Partitioned_cookies

Firefox already partitions all cookies by default, and Chrome is killing 3rd-party cookie support slowly this year. Partitioned cookies allow the same behavior you have always expected. The one caveat to this is with Safari. But even Safari has a solution.

We built our own Safari solution taking advantage of the hasStorageAccess and requestStorageAccess APIs. This allows you to ask for permission to store cookies still. We successfully use this ourselves for LTI 1.1 and LTI 1.3, and this solution should work going forward without any need to use IMS Global's hacky iframe communication.
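As an added illustration of the two mechanisms Erik mentions (this is not his implementation, nor code from the library in this issue), the snippet below builds a CHIPS `Partitioned` session cookie and gates an iframe-embedded tool on the Storage Access API. The `doc` parameter and the `onNeedGesture` callback are assumptions introduced here so the flow can be exercised outside a browser.

```javascript
// Added example: CHIPS cookie attributes + Storage Access API gate for an
// LTI tool rendered inside an LMS iframe. Not from the library in this thread.

// Build a Set-Cookie header value for a partitioned (CHIPS) cookie.
// Partitioned is only honoured together with SameSite=None and Secure, which
// a cross-site iframe needs anyway.
function partitionedCookie(name, value, { path = "/", maxAge } = {}) {
  if (!/^[\w-]+$/.test(name)) throw new Error("invalid cookie name");
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  parts.push("SameSite=None", "Secure", "HttpOnly", "Partitioned");
  return parts.join("; ");
}

// Decide whether the embedded tool may use its cookies. `doc` is the
// document (injected here for testability); `onNeedGesture` is a hypothetical
// callback that shows a button and resolves when the user clicks it, because
// requestStorageAccess() must run inside a user activation.
async function ensureStorageAccess(doc, onNeedGesture) {
  if (typeof doc.hasStorageAccess !== "function") {
    return { state: "unsupported" }; // no API: plain or partitioned cookies apply
  }
  if (await doc.hasStorageAccess()) return { state: "granted" };
  await onNeedGesture();
  try {
    // Safari may additionally require prior first-party interaction with the
    // tool's origin; when the request is refused we report it to the caller.
    await doc.requestStorageAccess();
    return { state: "granted" };
  } catch (err) {
    return { state: "denied", reason: String(err) };
  }
}
```

In PHP, where setcookie() does not yet expose the attribute (see the php/php-src reference later in this thread), the same string can be sent with a raw header('Set-Cookie: ...') call.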

@phaazebroek
Author

Dear @erikdonohoo , thanks a lot, that is very helpful!

@dbhynds
Member

dbhynds commented Jan 24, 2024

@erikdonohoo did you need to do anything special with this library to get that solution working? I still need to read up on the links shared by @phaazebroek, but if there are improvements we can make to this library to help support / accommodate these changes, I'd be open to it.

@snake

snake commented Feb 1, 2024

^^ I'll echo what Erik said. Nothing special is needed other than jumping through the hoops the various browsers put in place, Safari needing the most work.

In PHP-land (relevant to this library) the opt-in attribute needed for CHIPS support ('Partitioned') isn't supported by core PHP yet either: see php/php-src#12646

@Lyanthropos

Lyanthropos commented Apr 3, 2024

@erikdonohoo Do you have any pointers or examples to share on how you implemented the Safari API? First time I'm running into this issue and I'm a little lost. Managed the SameSite/Secure workaround but would much prefer to avoid the postMessage solution.
