> That is why I emphasized "significant".
Are they not significant?
I may not have read your blog post, but I did read and quote the question I was answering. While these may appear as insignificant reasons at first glance, they are both blockers encountered at one point in time in my past experience.
> sameSite
Account Linking, Step-up, re-auth, site preferences, shopping carts are all scenarios where you want/need an existing session loaded (regardless whether it's preauth or not).
> FOUC
A user agent processing a 30x response with a Location header behaves differently, when it comes to FOUC, from one processing a 200 that contains a JS self-submitting form. Of course this problem is exaggerated on unstable or slow connections such as mobile.
- Filip

> That is why I emphasized "significant".
>
> > UX - FOUC or briefly displayed submit page at the AS when it's sending responses
>
> The returning page with the autosubmitted form usually does not contain any explicit content. In fact, I'm not sure how it's different from any redirect URI page that might appear briefly, as you mentioned, when other response modes are in use.
>
> > sameSite - the client is required to use sameSite=none for the cookies they expect to load at the redirect_uri, that may include session related cookies for which sameSite=none is the exact opposite of what they should strive for.
>
> I agree with the first part of your statement, that's true. However, we should define what we mean by a "session" here and determine if it's a problem. Usually, this applies only to certain cookies that are used to maintain a "pre-auth session", and for such a case I'm not sure if it's a significant issue. I considered this nuance in the research I mentioned previously and explicitly stated that constraint. Could you share your example, if you have another case where we do need a cookie to be sent to the redirect URI endpoint?
>
> ----------------
> Subject: [OAUTH-WG] Re: Question: Form Post Response Mode in OAuth/OIDC Security Best Practices
>
> > > On the other hand, I cannot identify any significant drawbacks to using this response mode, aside from inconsistent support across implementations.
> >
> > What about
> > - UX - FOUC or briefly displayed submit page at the AS when it's sending responses
> > - sameSite - the client is required to use sameSite=none for the cookies they expect to load at the redirect_uri, that may include session related cookies for which sameSite=none is the exact opposite of what they should strive for.
> >
> > - Filip
> >
> > 25. 10. 2025 v 15:21, Andrey Kuznetsov <[email protected]>:
> > > On the other hand, I cannot identify any significant drawbacks to using this response mode, aside from inconsistent support across implementations.
>
> _______________________________________________
> OAuth mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>
> --
> Best regards,
> Andrey Kuznetsov
> Software Architect Identity & Access Management
> Yandex Cloud
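As an added illustration of the sameSite point argued in the thread above (example code, not from either poster), a small Python model of which client cookies the user agent attaches to the redirect_uri request under the query/302 mode versus form_post. The cookie names and attributes are constructed, and the model deliberately ignores Chromium's temporary "Lax+POST" allowance for freshly set cookies without a SameSite attribute.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: str      # "Strict", "Lax" or "None"
    secure: bool = True


@dataclass(frozen=True)
class Request:
    method: str         # HTTP method the user agent uses
    cross_site: bool    # initiator site differs from the request's site
    top_level: bool     # top-level navigation rather than a subresource fetch


def cookie_is_sent(cookie: Cookie, req: Request) -> bool:
    """SameSite attachment rules as browsers apply them to a request."""
    if not req.cross_site:
        return True                      # same-site: every cookie goes
    if cookie.same_site == "None":
        return cookie.secure             # None is only honoured with Secure
    if cookie.same_site == "Lax":
        # Lax rides along only on top-level navigations with a safe method
        return req.top_level and req.method in ("GET", "HEAD")
    return False                         # Strict: never cross-site


def redirect_uri_request(response_mode: str) -> Request:
    """Model the request that delivers the authorization response to the client."""
    if response_mode == "form_post":
        # AS answers 200 with a self-submitting <form method="post">:
        # the browser then issues a cross-site top-level POST to redirect_uri
        return Request("POST", cross_site=True, top_level=True)
    # query / fragment: 302 with a Location header, a cross-site top-level GET
    return Request("GET", cross_site=True, top_level=True)


def cookies_available(cookies, response_mode: str) -> list:
    req = redirect_uri_request(response_mode)
    return sorted(c.name for c in cookies if cookie_is_sent(c, req))


# Constructed sample of a client's cookie jar (names are hypothetical)
CLIENT_COOKIES = [
    Cookie("pre_auth_state", "Lax"),    # holds state / PKCE verifier
    Cookie("session", "Strict"),        # established user session
    Cookie("cart", "None"),             # relaxed to None, as the thread describes
]

if __name__ == "__main__":
    for mode in ("query", "form_post"):
        print(mode, "->", cookies_available(CLIENT_COOKIES, mode))
```

With form_post only the SameSite=None cookie survives, which is exactly why a client that needs its pre-auth state or session at the redirect_uri is pushed towards sameSite=none.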