gbv / login-server

Login and connect accounts with multiple identity providers
https://coli-conc.gbv.de/login/
MIT License
31 stars 32 forks

Find solution for cross-origin integration #90

Closed stefandesu closed 1 year ago

stefandesu commented 2 years ago

Browser vendors are starting to push the removal of third-party (i.e. cross-origin) cookies. Unfortunately, this is currently the only way to integrate Login Server if the application is running on a different domain. This is the reason why the login in BARTOC does not work in Safari (https://github.com/gbv/bartoc.org/issues/73), and it also won't work if you set Firefox's security settings to Strict. In the long-term, it will probably become the default for all browsers and thus break the login flow for applications on different domains.

I have tried to do some research regarding this, but so far I haven't found the solution, unfortunately. There might be a solution that uses iFrames, but as far as I can see, cookies are currently not shared to the iFrame, so it won't work. There's also the option of using a proxy that runs on the same domain as the application (as suggested in https://github.com/gbv/bartoc.org/issues/31), but this might be impractical for certain applications, especially if they are running client-side only. There are certainly other ways to solve this, but I'm sure that there's the one solution we're looking for, but haven't found yet. How are other major sites doing this?

stefandesu commented 2 years ago

It seems like Google's login also works only if third-party cookies are enabled: https://help.joinhoney.com/article/290-what-if-i-want-to-log-into-honey-with-google-but-have-3rd-party-cookies-disabled

The solution involved using a server-side OAuth flow: https://stackoverflow.com/questions/62504932/allow-users-to-logon-to-my-site-with-google-account-without-3d-party-cookies

So as far as I can see, we need a server-side component running on the same domain to do this safely. There's also the possibility to add a long-lasting token to the return URL that the client-side application needs to save in local storage, but this might compromise security, I believe.
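One way to set up the same-domain proxy mentioned in both comments above, as an added example that is not part of this issue or of the login-server project: it assumes nginx in front of an application at app.example.org (a placeholder host), forwarding /login/ to the login server URL from the page header, and that the login server tolerates being served under another host name.

```nginx
# Added example (not from gbv/login-server): reverse proxy so the login server
# is reached under the application's own origin, making its session cookie a
# first-party cookie that strict browser settings no longer block.
# Assumptions: app at https://app.example.org (placeholder), login server at
# https://coli-conc.gbv.de/login/ (URL from the issue), mounted under /login/.
server {
    listen 443 ssl;
    server_name app.example.org;
    ssl_certificate     /etc/nginx/certs/app.example.org.pem;  # placeholder path
    ssl_certificate_key /etc/nginx/certs/app.example.org.key;  # placeholder path

    # The application itself (static client-side build, placeholder path).
    location / {
        root /var/www/app;
    }

    # Everything under /login/ is forwarded to the login server.
    location /login/ {
        proxy_pass https://coli-conc.gbv.de/login/;
        proxy_ssl_server_name on;                 # send SNI on the upstream TLS handshake
        proxy_set_header Host coli-conc.gbv.de;   # upstream still sees its own host name
        proxy_set_header X-Forwarded-Host $host;  # tell upstream which origin the user used
        proxy_set_header X-Forwarded-Proto $scheme;

        # Rewrite the cookie's Domain attribute so the browser stores the
        # session cookie for app.example.org instead of coli-conc.gbv.de.
        proxy_cookie_domain coli-conc.gbv.de $host;

        # Redirects issued by the login server come back through this origin.
        proxy_redirect https://coli-conc.gbv.de/login/ /login/;
    }
}
```

Identity providers redirect to the callback URL registered for the login server's own host, so the cookie ends up first-party only if that callback, and every other step of the flow, is also routed through the proxied origin. A proxy of this kind also makes the proxying origin responsible for the login server's session cookie, so it should be deployed only by the party that operates the application.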

stefandesu commented 1 year ago

Closing this as a duplicate of #63.