bc-pi
commented
1 year ago Delegated authorization (i.e. OAuth) is also a legit use of redirect bounces. From the browser perspective, it looks like the Federated Authentication so I don't think it needs any different/specific treatment. But might be worth mentioning explicitly as a supported use case not to break.
SAML is still widely in use. Particularly in "workforce to SaaS" type use cases where the so called IDP initiated flow is often used to SSO from a portal like page into various apps. From the browser perspective, this will look a lot like Redirect Bounce on an Outgoing Navigation. I don't think this needs any different/specific treatment either but thought it was worth mentioning.
These authn/authz protocols sometimes use an auto-submitting form post for cross-site navigation (OAuth 2.0 Form Post Response Mode and the SAML POST Binding being examples of such). I kinda assume that kind of thing is covered in this work as general top-level navigation. But, again, thought it was worth mentioning just in case.
Lastly, there are also non-standard authn/authz flows out there that are nonetheless legitimate. AFAIK though they mostly look the same at this level from the browser perspective so are probably okay.
If so, are there new signals that can be used to exclude these uses from impact?