Re: [blink-dev] RE: [EXTERNAL] Re: Native support of Windows SSO in Chrome

2022-10-28 Thread Matt Menke
Sasha Tokarev > *Cc:* Matt Menke ; blink-dev ; > Owen Min ; Greg Thompson ; Ryan > Sleevi ; Adam Langley > *Subject:* Re: [blink-dev] RE: [EXTERNAL] Re: Native support of Windows > SSO in Chrome > > > > You don't often get email from j...@chromium.org. Learn why this is

RE: [blink-dev] RE: [EXTERNAL] Re: Native support of Windows SSO in Chrome

2022-10-28 Thread 'Sasha Tokarev' via blink-dev
2:58 PM To: Sasha Tokarev Cc: Matt Menke ; blink-dev ; Owen Min ; Greg Thompson ; Ryan Sleevi ; Adam Langley Subject: Re: [blink-dev] RE: [EXTERNAL] Re: Native support of Windows SSO in Chrome You don't often get email from j...@chromium.org. Learn why th

Re: [blink-dev] RE: [EXTERNAL] Re: Native support of Windows SSO in Chrome

2022-10-18 Thread John Abd-El-Malek
Hi Sasha, I got looped in to a code review and I had a few questions: 1) Can we avoid modifying the Cookie header, and only modify "x-ms-" headers? 2) Can this be scoped to just frame requests, e.g. only for requests to fetch the html for main frames and subframes and not subresource requests like

[blink-dev] RE: [EXTERNAL] Re: Native support of Windows SSO in Chrome

2022-08-11 Thread 'Sasha Tokarev' via blink-dev
With respect to credential mode “omit” it is fine not to send those headers, if the other mode will allow it. We use sandboxed iframes in our authentication libs, but we set “allow-same-origin” token to be able to use cookies. https://github.com/AzureAD/microsoft-authentication-library-for-js/blob

[blink-dev] Re: [EXTERNAL] Re: Native support of Windows SSO in Chrome

2022-08-11 Thread Matt Menke
On Thu, Aug 11, 2022 at 5:43 PM Sasha Tokarev wrote: > Hi Matt, > > > > I apologize for not being able to respond, I was on vacation, but now I’m > back. However, before the vacation, I had planned to ping this thread, as > we are getting more and more feedback that the extension model is not > w

[blink-dev] RE: [EXTERNAL] Re: Native support of Windows SSO in Chrome

2022-08-11 Thread 'Sasha Tokarev' via blink-dev
Hi Matt, I apologize for not being able to respond, I was on vacation, but now I’m back. However, before the vacation, I had planned to ping this thread, as we are getting more and more feedback that the extension model is not working for various reasons, and the users do not have sufficient he

[blink-dev] Re: [EXTERNAL] Re: Native support of Windows SSO in Chrome

2022-07-20 Thread Matt Menke
This task is being picked up again, but there are a lot of questions in terms of implementation: * Do we need to send Microsoft SSO credentials in Credentials Mode: Omit requests? * Do we need to bypass CORS for requests sent to Microsoft's IDP? This is a bit related to the above question. * D

[blink-dev] RE: [EXTERNAL] Re: Native support of Windows SSO in Chrome

2021-11-02 Thread 'Sasha Tokarev' via blink-dev
Hi Ryan, Thank you for the chat. Couple notes from me: > If this is solely relegated to an Enterprise flag (and not even a user > preference), I certainly am far less worried. I think it will be very far from ideal, key part is that the user has joined his device and consented for SSO. They

[blink-dev] Re: [EXTERNAL] Re: Native support of Windows SSO in Chrome

2021-10-26 Thread Ryan Sleevi
On Tue, Oct 26, 2021 at 2:34 PM Sasha Tokarev wrote: > I think it is true for any authentication that is part of Chrome, like > Digest, Client TLS, Windows Integrated (NTLMv2, Kerberos) etc. I think the > cookie cleanup will not prevent a web site that performs Windows Integrated > authentication to

[blink-dev] RE: [EXTERNAL] Re: Native support of Windows SSO in Chrome

2021-10-26 Thread 'Sasha Tokarev' via blink-dev
Hi Ryan, Sorry for the delay and thank you for open discussion. I would like to start from the simple point: > it means clearing cookies in Chrome may no longer clear cookies, because > these IDP APIs may hold on to them. I think it is true for any authentication that is part of Chrome, like Diges

[blink-dev] Re: [EXTERNAL] Re: Native support of Windows SSO in Chrome

2021-10-21 Thread Ryan Sleevi
Thanks Sasha! TL;DR: I think we've got enough information here to make a decision. You've been *incredibly* *helpful* for that. What follows is my personal views, not a decision, and I share them not to shut down the conversation, but instead, to keep the conversation going and to continue to move

[blink-dev] RE: [EXTERNAL] Re: Native support of Windows SSO in Chrome

2021-10-20 Thread 'Sasha Tokarev' via blink-dev
Hi all, You are correct with respect to cookie size limit. Because there is a 4k limit for all cookies, when we introduced multiple accounts, we hit this limit and some proxies started to block our requests. That's why we changed our cookies to headers. Right now, IProofOfPossessionCookieInfoMan

[blink-dev] Re: [EXTERNAL] Re: Native support of Windows SSO in Chrome

2021-10-19 Thread Ryan Sleevi
On Tue, Oct 19, 2021 at 9:41 PM Sasha Tokarev wrote: > *> All of this relates to the questions I was previously asking, because > at least if my understanding is correct, this basically means that as > currently designed, it's not possible to really describe a "standard" flow > or specification.

[blink-dev] Re: [EXTERNAL] Re: Native support of Windows SSO in Chrome

2021-09-28 Thread Owen Min
+Yulian Pastarmov On Sun, Sep 26, 2021 at 11:34 AM Ryan Sleevi wrote: > Thanks for the super-detailed response Aleksander! To reflect what Matt > said, don't feel the need to respond on vacation :) > > Regarding the forks: I suspect this might be how GMail vs Outlook differ > in managing thread

[blink-dev] Re: [EXTERNAL] Re: Native support of Windows SSO in Chrome

2021-09-26 Thread Ryan Sleevi
Thanks for the super-detailed response Aleksander! To reflect what Matt said, don't feel the need to respond on vacation :) Regarding the forks: I suspect this might be how GMail vs Outlook differ in managing threads, since in Google Groups and GMails, it appears as all one conversation

[blink-dev] RE: [EXTERNAL] Re: Native support of Windows SSO in Chrome

2021-09-26 Thread 'Sasha Tokarev' via blink-dev
Hi Ryan, Thank you for your email. One logistics aspect: I don’t know the culture in this DL is it ok to merge 2 different forks in one or keep forks independent. I decided to keep fork independent as they were not created by me, but expect @Owen or somebody help me w

[blink-dev] Re: [EXTERNAL] Re: Native support of Windows SSO in Chrome

2021-09-25 Thread Matt Menke
Thanks for the details, Sasha! Please don't feel like you need to answer my questions while on vacation - there's no rush here. Enjoy your vacation! On Sat, Sep 25, 2021 at 9:22 PM Sasha Tokarev wrote: > Hi Matt, > > > > Disclaimer: I’m at vacation my responses may delay. > > > > *> What's the

[blink-dev] RE: [EXTERNAL] Re: Native support of Windows SSO in Chrome

2021-09-25 Thread 'Sasha Tokarev' via blink-dev
Hi Matt, Disclaimer: I'm at vacation my responses may delay. > What's the flow to join a cloud identity here? What are the permission > prompts like? I assume that home users who use generic home user Microsoft > accounts (as I believe encouraged during Windows install/configuration) > aren'