Thomas, did you test with ITP Debug Mode? If you haven't seen it, this is how to set it up: https://webkit.org/blog/8387/itp-debug-mode-in-safari-technology-preview-62/
When I tested a couple months ago, the iframe flows were the ones that were most affected by ITP2 - the hidden iframe token refresh didn't work, and it seemed like the session management flows would also break (although I didn't test them explicitly). If the domain is marked as a tracker and it's loaded in an iframe, it will not have access to its first-party cookies. This differs from ITP 1.1, where there was a 1-day window where it would work before the cookies were purged. Safari did add some new storage methods to get access to these cookies, but they don't really help with these non-interactive flows because by design they require user interaction.

On Fri, Nov 23, 2018 at 5:35 AM Thomas Broyer <[email protected]> wrote:

> Just tested my OpenID Connect Session Management implementation with
> Safari 12.0.1 and it works like a charm.
>
> On Thu, Nov 22, 2018 at 8:09 PM George Fletcher <gffletch=
> [email protected]> wrote:
>
>> My understanding is that cookies are not blocked on redirects
>> (ITP2/Safari) but I haven't done extensive testing. So from a full-page
>> redirect perspective there should be no issues, from a hidden iframe I'm
>> not sure... but I believe it will work.
>>
>> On 11/21/18 11:49 PM, Torsten Lodderstedt wrote:
>>
>> Hi George,
>>
>> On 20.11.2018 at 22:15 George Fletcher <[email protected]>
>> <[email protected]> wrote:
>>
>> OIDC provides a "prompt=none" mechanism that allows the browser app to
>> request a new token in a hidden iframe. OAuth2 doesn't describe this flow.
>> Note that full authentications of users should NOT happen in iframes due to
>> click-jacking attacks.
>>
>> Does this still work reliably given the limitations imposed by the browser's
>> 3rd party cookie policies?
>>
>> kind regards,
>> Torsten.
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
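A worked example of the silent-renew decision logic this thread is discussing, added here and not code from Thomas, George, Torsten or the OAuth working group: it builds the prompt=none authorization request for the hidden iframe, validates state on the iframe's callback URL, and treats login_required (which ITP2 produces even for a logged-in user when the OP's domain is classified as a tracker) and a timeout as "fall back to a top-level redirect", which the thread reports still carries the OP cookie. The OP and RP URLs are placeholders, and loadHiddenFrame is a hypothetical injected loader so the logic runs in Node without a browser.

```javascript
'use strict';
// Added example, not code from the thread or from any of its posters.
// OP_AUTHORIZE and RP_SILENT_CALLBACK are placeholder URLs for an OpenID
// Provider and a Relying Party; loadHiddenFrame is an injected, hypothetical
// helper so the decision logic can run outside a browser.
const OP_AUTHORIZE = 'https://op.example/authorize';
const RP_SILENT_CALLBACK = 'https://rp.example/silent-callback';

// OIDC Core errors an OP returns when prompt=none is set but it cannot
// answer without showing the user something.
const INTERACTION_ERRORS = new Set([
  'login_required', 'interaction_required', 'consent_required', 'account_selection_required',
]);

// Build the authorization request. With silent=true it carries prompt=none,
// which asks the OP to answer from its session cookie or fail; with
// silent=false it is the same request for a top-level (full-page) redirect.
function buildPromptNoneUrl({ clientId, state, nonce, silent = true }) {
  const url = new URL(OP_AUTHORIZE);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', RP_SILENT_CALLBACK);
  url.searchParams.set('scope', 'openid');
  url.searchParams.set('state', state);
  url.searchParams.set('nonce', nonce);
  if (silent) url.searchParams.set('prompt', 'none');
  return url.toString();
}

// Interpret the URL the hidden iframe was redirected back to.
function classifyCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  // state binds the response to this request; a mismatch means the response
  // is stale or forged, so discard it rather than accept the code.
  if (params.get('state') !== expectedState) return { outcome: 'state_mismatch' };
  const error = params.get('error');
  // Under ITP2 an OP classified as a tracker does not see its own cookie inside
  // the third-party iframe, so a logged-in user still gets login_required here.
  // That is the signal to fall back, not evidence of a real logout.
  if (error && INTERACTION_ERRORS.has(error)) return { outcome: 'interaction_required', error };
  if (error) return { outcome: 'error', error };
  const code = params.get('code');
  return code ? { outcome: 'success', code } : { outcome: 'error', error: 'missing_code' };
}

// Try the hidden-iframe renewal, bounded by a timeout (a blocked frame may
// never call back). Results with fallback=true should be handled by a
// top-level redirect built with buildPromptNoneUrl({..., silent: false})
// and a fresh state/nonce. An unexpected OP error is surfaced, not retried.
async function silentRenew({ clientId, state, nonce, loadHiddenFrame, timeoutMs = 10000 }) {
  const url = buildPromptNoneUrl({ clientId, state, nonce });
  let timer;
  const timeout = new Promise((resolve) => { timer = setTimeout(() => resolve(null), timeoutMs); });
  const callbackUrl = await Promise.race([loadHiddenFrame(url), timeout]);
  clearTimeout(timer);
  if (callbackUrl === null) return { outcome: 'timeout', fallback: true };
  const result = classifyCallback(callbackUrl, state);
  result.fallback = result.outcome === 'interaction_required' || result.outcome === 'state_mismatch';
  return result;
}

// In a browser, loadHiddenFrame would create a hidden <iframe src={url}>, and
// the page served at RP_SILENT_CALLBACK would postMessage(location.href) to
// its parent, which resolves the promise; that wiring is outside this example.
```

The design point is that the RP never treats login_required from a hidden frame as proof the user is signed out: under ITP2 it is indistinguishable from the cookie simply being withheld, so the only safe reaction is a visible top-level redirect, where the OP can read its cookie and answer honestly.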
