Comment by stavros

9 hours ago

Sorry, I'm confused. What are the hoops? Wouldn't this be solved by Persona just telling the IdP the URL of the site to auth to?

The biggest one I've come across is the ability to manage and revoke sessions from a centralized location. With BrowserID, you can't just sign out of your IdP and expect all relying parties' sessions to invalidate. Instead, BrowserID asserts that you controlled the email at a point in time, and then it's up to the site to decide how to manage the session afterwards.

3rd party cookie blocking makes this worse, since it's difficult to silently refresh your session by checking with the IdP behind the scenes. I believe Auth0 uses a hidden iframe for this, which uses 3rd party cookies and looks a lot like a tracking pixel. Without that refresh mechanism, though, relying parties are pushed to have longer lived sessions, which makes the lack of a global revocation worse.

  • Ah, yes, but that's a problem all IdPs have, no? You have to check in with the IdP every so often. I don't think this is insurmountable, Persona could have just added a mechanism to do that.
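A small model of the revocation gap the thread is describing, written as an added example (not code from the thread or from Persona/BrowserID): the IdP only attests control of an email at an instant, so the relying party's session outlives an IdP logout unless the RP itself re-checks; the `IdP`, `RelyingParty` classes and the timing values are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class IdP:
    """Toy identity provider: tracks who is currently signed in."""
    logged_in: set = field(default_factory=set)

    def login(self, email): self.logged_in.add(email)
    def logout(self, email): self.logged_in.discard(email)

    def assert_email(self, email, now):
        # BrowserID-style: proves control of the email at time `now`, nothing more.
        return {"email": email, "iat": now} if email in self.logged_in else None


@dataclass
class RelyingParty:
    """Toy RP: trusts an assertion for max_session_age, re-checks every refresh_interval."""
    max_session_age: float
    refresh_interval: float
    sessions: dict = field(default_factory=dict)

    def accept(self, assertion):
        self.sessions[assertion["email"]] = {"iat": assertion["iat"], "last_check": assertion["iat"]}

    def is_active(self, email, now, idp=None):
        s = self.sessions.get(email)
        if s is None:
            return False
        if now - s["iat"] > self.max_session_age:          # hard cap reached
            del self.sessions[email]
            return False
        if now - s["last_check"] > self.refresh_interval:  # time for a silent refresh
            if idp is None:                                # refresh blocked (e.g. 3rd-party cookies)
                return True                                # session simply lives on
            if idp.assert_email(email, now) is None:       # user signed out at the IdP
                del self.sessions[email]
                return False
            s["last_check"] = now
        return True


def session_survives_idp_logout(refresh_works: bool) -> bool:
    """Sign in via the IdP, sign out at the IdP, then ask the RP two hours later."""
    idp = IdP()
    rp = RelyingParty(max_session_age=30 * 86400, refresh_interval=3600)
    idp.login("alice@example.com")                       # constructed sample user
    rp.accept(idp.assert_email("alice@example.com", now=0))
    idp.logout("alice@example.com")
    return rp.is_active("alice@example.com", now=2 * 3600, idp=idp if refresh_works else None)
```

With the refresh mechanism blocked, the RP session stays valid after the IdP logout for the full thirty days; with a working re-check it drops at the next refresh.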