How to deal with cross-site authentication
Closed this issue · 1 comments
stefandesu commented
Adding this issue because of gbv/bartoc.org#31.
I'm only now starting to get into this, but it seems like modern browsers should allow cross-site cookies when `SameSite=None; Secure` is set for cookies. So far, the former part is not set. In any case, we need a way for login-server to allow authentication for applications that are running on a different domain.
stefandesu commented
I believe going with this is the right way for now. All browsers allow these kinds of cookies by default. Only if the user explicitly disables all third-party cookies will it not work, and `login-client` will emit the respective error in that case. And all browsers make it clear that disabling all third-party cookies might break some websites.
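
A check for the cookie attributes discussed in this issue, as an added example that is not part of the thread or of login-server: it parses a `Set-Cookie` header and lists the reasons a browser would withhold the cookie on cross-site requests. The cookie name `sid`, the function names and the sample headers are constructed for illustration.

```javascript
// Added example, not login-server code. Sample headers below are constructed.

// Parse a Set-Cookie header value into { name, value, attrs }.
// Attribute names are lowercased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return {
    name: eq === -1 ? "" : pair.slice(0, eq),
    value: eq === -1 ? pair : pair.slice(eq + 1),
    attrs,
  };
}

// Return the reasons this cookie would not be sent on cross-site requests.
// An empty array means the attributes permit cross-site use.
function crossSiteProblems(header) {
  const { attrs } = parseSetCookie(header);
  const problems = [];
  const sameSite =
    typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : null;
  if (sameSite === null) {
    problems.push("SameSite missing (Chromium-based browsers treat it as Lax)");
  } else if (sameSite !== "none") {
    problems.push(`SameSite=${attrs.samesite} restricts cross-site use`);
  }
  if (attrs.secure !== true) {
    problems.push("Secure missing (required with SameSite=None)");
  }
  return problems;
}

// Constructed samples: Secure is set but SameSite=None is not, then both set.
const before = "sid=abc123; Path=/; HttpOnly; Secure";
const after = "sid=abc123; Path=/; HttpOnly; Secure; SameSite=None";
console.log(crossSiteProblems(before)); // one problem: SameSite missing
console.log(crossSiteProblems(after)); // []
```
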