gbv/login-server

How to deal with cross-site authentication

Closed · 1 comment

Adding this issue because of gbv/bartoc.org#31.

I'm only now starting to get into this, but it seems like modern browsers should allow cross-site cookies when SameSite=None; Secure is set for cookies. So far, the former part is not set. In any case, we need a way for login-server to allow authentication for applications that are running on a different domain.

I believe going with this is the right way for now. All browsers allow these kinds of cookies by default. Only if the user explicitly disables all third-party cookies will it not work, and login-client will emit the respective error in that case. And all browsers make it clear that disabling all third-party cookies might break some websites.
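The cookie and CORS mechanics discussed in this thread, as an added example that is not part of the issue and not login-server's or login-client's own code. It builds the `Set-Cookie` header a login server has to send for its session cookie to travel cross-site, mirrors the browser's acceptance rule (SameSite=None is only accepted together with Secure, and the cookie is still not sent if the user has blocked third-party cookies), and shows the matching CORS headers for a credentialed request. The cookie name `connect.sid`, the allowed-origin list and the `maxAge` default are assumptions made for the example.

```javascript
// Added example, not code from login-server or login-client.
// Serialize a session cookie. Attribute names follow RFC 6265bis.
function buildSessionCookie({ name, value, crossSite, secure = false, maxAge = 86400 }) {
  if (!/^[\w!#$%&'*+.^`|~-]+$/.test(name)) throw new Error("invalid cookie name");
  const parts = [`${name}=${encodeURIComponent(value)}`, "Path=/", "HttpOnly", `Max-Age=${maxAge}`];
  if (crossSite) {
    // A cookie that must be sent on cross-site requests needs SameSite=None,
    // and browsers only accept SameSite=None when Secure is also set.
    parts.push("SameSite=None", "Secure");
  } else {
    parts.push("SameSite=Lax");
    if (secure) parts.push("Secure");
  }
  return parts.join("; ");
}

// Parse a Set-Cookie header into { name, value, attrs } with lower-cased attribute keys.
function parseSetCookie(header) {
  const [pair, ...attrList] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const a of attrList) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Mirror the browser's decision for a cookie set by the login server and later
// needed by a fetch/XHR from another site. Returns { stored, sentCrossSite, reason }.
function browserCookiePolicy(header, { thirdPartyCookiesBlocked = false } = {}) {
  const { attrs } = parseSetCookie(header);
  const sameSite = String(attrs.samesite || "lax").toLowerCase();
  if (sameSite === "none" && !attrs.secure) {
    // Rejected outright: modern browsers drop SameSite=None cookies without Secure.
    return { stored: false, sentCrossSite: false, reason: "SameSite=None requires Secure" };
  }
  if (sameSite !== "none") {
    // Lax/Strict cookies are kept but not attached to cross-site fetch/XHR requests.
    return { stored: true, sentCrossSite: false, reason: `SameSite=${sameSite} is not sent on cross-site requests` };
  }
  if (thirdPartyCookiesBlocked) {
    // The failure mode login-client reports: the cookie exists but the user
    // has disabled third-party cookies, so it is withheld in a third-party context.
    return { stored: true, sentCrossSite: false, reason: "third-party cookies blocked by the user" };
  }
  return { stored: true, sentCrossSite: true, reason: "ok" };
}

// CORS response headers for a credentialed cross-origin request: the origin must
// be echoed exactly (a wildcard is not allowed with credentials) and only when
// it is on the allow list; otherwise return null and send no CORS headers.
function corsHeadersForCredentialedRequest(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return null;
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// Usage: the server emits the cross-site cookie and, for the assumed origin
// https://bartoc.org, the matching CORS headers; the client side then calls
// fetch(loginServerUrl, { credentials: "include" }) for the cookie to be attached.
const crossSiteCookie = buildSessionCookie({ name: "connect.sid", value: "s3ss10n", crossSite: true });
const decision = browserCookiePolicy(crossSiteCookie);
const cors = corsHeadersForCredentialedRequest("https://bartoc.org", ["https://bartoc.org"]);
```

Everything in the block runs in plain Node without dependencies. The decisive check is in `browserCookiePolicy`: a header carrying `SameSite=None` but no `Secure` is the case the issue describes as "the former part is not set", and the block classifies it as not stored at all rather than as a cookie that merely fails to be sent.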