Recent specifications such as LTI 1.3 use (IdP-initiated) OpenID Connect to authenticate tools. In LTI, these tools typically run in an iframe on a different domain. The theory is that the entire authentication flow is 'just' a 3-step back-and-forth of browser redirects.

To avoid CSRF, it is recommended to track a state parameter in a session with OpenID Connect. However, Safari has different hoops that need to be jumped through before any storage is available in an iframe: storage may need to be requested (after user interaction), a cookie needs to have been previously set in a top-level context, ...

All solutions I can think of to initiate OpenID Connect from within an iframe (with CSRF protection) require lots of code and checks, including several back-and-forths between backend (to set an http-only session) and frontend (to check and request cookie storage). I can't imagine that a standard as recent as LTI 1.3 would require so much complexity just to get it working, so I was wondering if there were 'recommended' approaches to doing OpenID Connect from within an iframe with a state parameter.

Remko
  • It might be worth mentioning that Canvas' current solution to this problem sounds a lot like the complicated ones you were able to come up with, except that it also uses an (I think) undocumented and nonstandard postMessage API. Here's the link: https://community.canvaslms.com/t5/Developers-Group/Safari-13-1-and-LTI-Integration/ba-p/273051 – Graham Leach-Krouse Sep 24 '20 at 16:01
  • @GrahamLeach-Krouse Thanks, that's an interesting link. Another solution I came up with (but haven't tested yet) is to detect when running in an iframe, and in that case show a button to open a top-level popup that does the auth flow, and postMessage back when finished. The advantage is that this simplifies the code and flow, and works around other issues such as WebKit not working without ever having a first-party cookie. The disadvantage is that this now requires a button on every browser when running in an iframe, instead of just on ITP browsers (only Safari for now?) – Remko Sep 28 '20 at 07:56

0 Answers