Difficulties with OpenID Connect in iframes

LTI 1.3 now depends on OpenID Connect to do authentication. To do OpenID securely, you have to protect against CSRF, which in a browser relies on cookie storage (or at the least some sort of storage).

Having access to storage in an iframe (a common environment for LTI tools) is becoming increasingly difficult. While Google Chrome for now only puts some extra constraints on the cookies set in an iframe (cfr. SameSite), modern Safari versions require different user interactions before you are guaranteed to have access to storage (e.g. Storage Access API requests per ITP, opening a top-level window to set cookies at least once for the domain, ...). This makes the entire IdP-initiated OpenID Connect flow very awkward, both for the implementer (who needs to write complex server/client back & forth code to make sure to have storage access before redirecting back to the platform) and for the user (who will need to do a user interaction with the iframe before the OpenID Connect flow can even start).

Have the problems with OpenID Connect in iframes been considered while creating the LTI 1.3 spec? Are there recommendations / best practices on handling this on browsers such as Safari?
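The CSRF binding the post refers to, as an added example that is not part of the original post: the tool-side state/nonce handshake of the LTI 1.3 third-party-initiated OpenID Connect login, and the exact failure when the tool's cookie does not survive the iframe round trip. The cookie name, the endpoint URLs and the assumption that the id_token signature/iss/aud have already been verified are mine, not the spec's.

```python
# Added example (not from the original post): LTI 1.3 / OIDC login initiation
# and callback, showing how CSRF protection hangs on a cookie that an iframe
# may not be allowed to store.
import hmac
import secrets
from urllib.parse import urlencode

STATE_COOKIE = "lti_oidc_state"  # cookie name is an assumption


def build_login_redirect(login_params: dict, auth_endpoint: str,
                         client_id: str, redirect_uri: str) -> tuple[str, str]:
    """Step 1: the platform POSTs the login initiation (iss, login_hint,
    target_link_uri, lti_message_hint); the tool answers with a redirect to
    the platform's authorization endpoint plus a state cookie.
    Returns (redirect_url, set_cookie_header_value)."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    query = {
        "scope": "openid",
        "response_type": "id_token",
        "response_mode": "form_post",
        "prompt": "none",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "login_hint": login_params["login_hint"],
        "state": state,
        "nonce": nonce,
    }
    if "lti_message_hint" in login_params:
        query["lti_message_hint"] = login_params["lti_message_hint"]
    # SameSite=None; Secure is the minimum an embedded tool needs; Safari's ITP
    # may still refuse to store it without a prior Storage Access grant.
    cookie = f"{STATE_COOKIE}={state}|{nonce}; Path=/; Secure; HttpOnly; SameSite=None"
    return f"{auth_endpoint}?{urlencode(query)}", cookie


def handle_callback(form: dict, cookies: dict, id_token_claims: dict) -> str:
    """Step 2: the platform POSTs state + id_token back. Signature, iss and aud
    checks on the id_token are assumed done already (decoded claims passed in)."""
    stored = cookies.get(STATE_COOKIE)
    if stored is None:
        # The iframe failure mode: no storage, so the CSRF binding is gone and
        # the launch must be rejected rather than trusted on the id_token alone.
        return "error: state cookie missing (storage blocked in iframe?)"
    expected_state, expected_nonce = stored.split("|", 1)
    if not hmac.compare_digest(form.get("state", ""), expected_state):
        return "error: state mismatch"
    if not hmac.compare_digest(id_token_claims.get("nonce", ""), expected_nonce):
        return "error: nonce mismatch"
    return "ok"
```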