The accounts_endpoint should only be used if there's a chance of success that the request would be meaningfully authenticated. If there are no SameSite=None cookies for the IdP origin, we should skip it just as we would if the Login-Status for the origin is 'logged-out'.
Pros

- Reduces network traffic
- Reduces the need to wait for other IdP responses in the multi-IdP case, even if the user agent is seeing one of the IdPs for the first time (login-status is unknown).

Cons

- Would prevent IdP implementations from leveraging identifying information that the user agent isn't aware of, such as identity claim headers added by an Identity Aware VPN such as Tailscale.
Edit: Removed that this would break using, eg, Pomerium or other identity-aware reverse proxies, since there would be cookies for the reverse proxy origin. D'oh.
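As an added illustration of the gate proposed above (this is example code, not text from the FedCM spec and not any browser's implementation), the block below models the user-agent decision for a single IdP and for a list of IdPs in the multi-IdP case. It assumes a simplified cookie-jar model (`name`, `domain`, `hostOnly`, `sameSite`, `secure`), that the accounts_endpoint fetch is cross-site so only SameSite=None cookies would be attached, and that a SameSite=None cookie without Secure is treated as absent because a conforming user agent would have rejected it when it was set. The cookie jar and IdP list at the bottom are constructed sample data.

```javascript
// Example model of "skip accounts_endpoint unless it could be authenticated".
// Not FedCM spec text and not any browser's code; cookie model is simplified.

const LoginStatus = Object.freeze({
  LOGGED_IN: 'logged-in',
  LOGGED_OUT: 'logged-out',
  UNKNOWN: 'unknown', // IdP has never sent Login-Status to this user agent
});

// Does a cookie scoped to `cookieDomain` apply to requests for `host`?
// Host-only cookies match exactly; domain cookies also cover subdomains.
function domainMatches(host, cookieDomain, hostOnly) {
  const domain = cookieDomain.replace(/^\./, '').toLowerCase();
  const h = host.toLowerCase();
  if (h === domain) return true;
  return !hostOnly && h.endsWith('.' + domain);
}

// Cookies that would actually ride on a cross-site credentialed fetch to
// idpOrigin: SameSite=None, Secure (assumption: insecure SameSite=None
// cookies were rejected at set time), and domain-matching the IdP host.
function crossSiteCookiesFor(cookieJar, idpOrigin) {
  const { hostname, protocol } = new URL(idpOrigin);
  if (protocol !== 'https:') return []; // Secure cookies never go to http:
  return cookieJar.filter(
    (c) =>
      c.sameSite === 'None' &&
      c.secure === true &&
      domainMatches(hostname, c.domain, c.hostOnly === true),
  );
}

// The proposed gate for one IdP: skip on logged-out, and skip just the same
// when the user agent holds no SameSite=None cookies for the IdP origin.
function shouldFetchAccounts({ idpOrigin, loginStatus, cookieJar }) {
  if (loginStatus === LoginStatus.LOGGED_OUT) {
    return { fetch: false, reason: 'Login-Status is logged-out' };
  }
  const cookies = crossSiteCookiesFor(cookieJar, idpOrigin);
  if (cookies.length === 0) {
    // This is also where the Cons bullet bites: credentials injected by an
    // identity-aware VPN are invisible to the user agent, so the fetch that
    // would have succeeded is never attempted.
    return { fetch: false, reason: 'no SameSite=None cookies for IdP origin' };
  }
  return { fetch: true, reason: `${cookies.length} SameSite=None cookie(s) would be sent` };
}

// Multi-IdP: only IdPs that pass the gate are fetched, so an IdP the user
// agent has never seen (status unknown) and holds no cookies for does not
// hold up the others.
function planAccountsFetches(idps, cookieJar) {
  const plan = { fetch: [], skipped: [] };
  for (const idp of idps) {
    const decision = shouldFetchAccounts({
      idpOrigin: idp.origin,
      loginStatus: idp.loginStatus,
      cookieJar,
    });
    if (decision.fetch) plan.fetch.push(idp.origin);
    else plan.skipped.push({ origin: idp.origin, reason: decision.reason });
  }
  return plan;
}

// Constructed sample data (hypothetical origins, not real services).
const SAMPLE_COOKIE_JAR = [
  { name: 'sid', domain: 'login.idp.example', hostOnly: true, sameSite: 'None', secure: true },
  { name: 'sess', domain: '.other-idp.example', hostOnly: false, sameSite: 'Lax', secure: true },
  { name: 'bad', domain: 'third-idp.example', hostOnly: true, sameSite: 'None', secure: false },
  { name: 'x', domain: 'fourth-idp.example', hostOnly: true, sameSite: 'None', secure: true },
];

const SAMPLE_IDPS = [
  { origin: 'https://login.idp.example', loginStatus: LoginStatus.UNKNOWN }, // first sighting, but has a cookie
  { origin: 'https://other-idp.example', loginStatus: LoginStatus.LOGGED_IN }, // only a Lax cookie: not sent cross-site
  { origin: 'https://third-idp.example', loginStatus: LoginStatus.UNKNOWN }, // SameSite=None without Secure
  { origin: 'https://fourth-idp.example', loginStatus: LoginStatus.LOGGED_OUT }, // cookie present, but logged-out
];

function demoPlan() {
  return planAccountsFetches(SAMPLE_IDPS, SAMPLE_COOKIE_JAR);
}

console.log(JSON.stringify(demoPlan(), null, 2));
```

Only the first IdP is fetched in the sample: the second is logged-in by Login-Status but has no cookie that a cross-site fetch would carry, the third's cookie would have been rejected, and the fourth is skipped on Login-Status alone before the cookie jar is consulted.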