On Thu, Nov 22, 2018 at 5:50 AM Torsten Lodderstedt <[email protected]> wrote:
> Hi George,
>
> > On 20.11.2018 at 22:15, George Fletcher <[email protected]> wrote:
> >
> > OIDC provides a "prompt=none" mechanism that allows the browser app to request a new token in a hidden iframe. OAuth2 doesn't describe this flow. Note that full authentications of users should NOT happen in iframes due to click-jacking attacks.
>
> Does this still work reliably given the limitations imposed by the browser's 3rd party cookie policies?

Fwiw, I haven't had any problem (yet) with my OpenID Connect Session Management implementation.
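The "prompt=none" renewal discussed in this thread, as an added example that is not part of the original messages or of any poster's implementation: it builds the request a hidden iframe would load and classifies the callback, sending the user to a top-level login (never an iframe) when the OP reports it cannot finish silently, which is what a client sees when the OP's session cookie is not available inside the iframe. The endpoint, client ID, redirect URI, the use of the code flow with PKCE, and the function names are assumptions.

```javascript
// Constructed values for illustration; replace with your own OP and client.
const OP_AUTHZ = 'https://op.example/authorize';
const CLIENT_ID = 'spa-client';
const REDIRECT_URI = 'https://app.example/silent-callback.html';

// URL the hidden iframe is pointed at. prompt=none tells the OP to answer
// without showing any UI, so no credentials are ever typed inside a frame.
function buildSilentAuthUrl(state, nonce, codeChallenge) {
  const u = new URL(OP_AUTHZ);
  u.search = new URLSearchParams({
    response_type: 'code',
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    scope: 'openid',
    prompt: 'none',
    state,
    nonce,
    code_challenge: codeChallenge,
    code_challenge_method: 'S256',
  }).toString();
  return u.toString();
}

// OIDC Core error codes meaning "cannot complete without user interaction".
const NEEDS_INTERACTION = new Set([
  'login_required', 'interaction_required',
  'consent_required', 'account_selection_required',
]);

// Decide what to do with the URL the iframe was redirected back to.
function handleSilentResponse(callbackUrl, expectedState) {
  const u = new URL(callbackUrl);
  const p = u.searchParams;
  if (u.origin + u.pathname !== REDIRECT_URI) {
    return { action: 'reject', reason: 'unexpected redirect target' };
  }
  if (!expectedState || p.get('state') !== expectedState) {
    return { action: 'reject', reason: 'state mismatch' };
  }
  const err = p.get('error');
  if (err) {
    // No usable OP session in the frame: fall back to a full-page login.
    return NEEDS_INTERACTION.has(err)
      ? { action: 'top_level_login', reason: err }
      : { action: 'reject', reason: err };
  }
  const code = p.get('code');
  return code ? { action: 'redeem_code', code }
              : { action: 'reject', reason: 'no code in response' };
}
```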
