Fixing 3rd party cookie issues by supporting LTI OIDC Login flow with LTI Client Side postMessages

[phaazebroek]

Thanks for you all your work with this library!!!

Recently browsers have become more strict with regard to 3rd party cookies, with consequences for LTI 1.3 tools within iframes not being loaded: https://www.unicon.net/insights/blogs/the-solution-for-third-party-cookies-in-lti-1.3-has-arrived

There is now an approach using postmassage that seems to be supported by D2L and blackboard:
https://www.imsglobal.org/spec/lti-cs-oidc/v0p1#problem-description-blocked-cookies-prevent-proper-oidc-flow

Would that be something you would consider implementing in this library?

Thanks!

[erikdonohoo]

We have had to address this as well. I am not a fan of IMS Globals solution for this. It was not very well thought out. To me, the answer is CHIPs or Partitioned Cookies. You can read more about that here.

https://developer.mozilla.org/en-US/docs/Web/Privacy/Partitioned_cookies

Firefox already partitions all cookies by default, and chrome is killing 3rd party cookies support slowly this year. Partitioned cookies allow the same behavior you have always expected. The one caveat to this is with Safari. But even safari has a solution.

We built our own Safari solution taking advantage of the hasStorageAccess and requestStorageAccess APIs. This allows you to ask for permission to store cookies still. We successfully use this ourselves for LTI 1.1 and LTI 1.3 and this solution should work going forward without any need to use IMS Globals hacky iframe communication.

[phaazebroek]

Dear @erikdonohoo , thanks a lot, that is very helpful!

[dbhynds]

@erikdonohoo did you need to do anything special with this library to get that solution working? I still need to read up on the links shared by @phaazebroek, but if there are improvements we can make to this library to help support / accommodate these changes, I'd be open to it.

[snake]

^^ I'll echo what Erik said. Nothing special is needed other than jumping through the hoops the various browsers put in place. Safari needing the most work.

In PHP-land (relevant to this library) the opt-in attribute needed for CHIPS support ('Partitioned') isn't supported by core PHP yet either: See php/php-src#12646

[Lyanthropos]

@erikdonohoo Do you have any pointers or examples to share on how you implemented to Safari API? First time I'm running into this issue and I'm a little lost. Managed the Samesite/Secure workaround but would much prefer to avoid the postMessage solution.

[battis]

For posterity, since I just had to work this out on my own…