manifest relative URL issue

[dickhardt]

reading the manifest specifications more closely, the endpoints are all specified as relative URLs rather than full URLs (which is how the URLs are specified in the OIDC discovery docs)

This presumes the IdP discovery docs and the endpoints are on the same domain. They are not for Hellō -- https://issuer.hello.coop is the IdP iss identifier -- but the token endpoints are on a different host -- https://consent.hello.coop

[samuelgoto]

ah yeah, that seems like a bug ... off the top of my head, i don't think there would be any issue making these absolute urls (as long as they are under the same eTLD+1, I think that should be fine) as opposed to relative urls.

@cbiesinger @yi-gu any concerns?

If not, I can send a PR to fix the spec and kick off implementation bugs.

[cbiesinger]

They need to be same-origin right now. We could perhaps relax that check to eTLD+1 but that is a concept that the web rarely uses.

[cbiesinger]

(However absolute URLs do work if they are same-origin)

[dickhardt]

Why the requirement to be same-origin, or even eTLD+1? That requirement does not exist for the OIDC discovery document. Following security best practices, I have a separation of concerns -- metadata is on different host than the APIs. (they happen to be eTLD+1 == but that is not an OIDC requirement)

[dickhardt]

@cbiesinger -- we are referring to what the spec SHOULD be in this discussion, rather than the current implementation, correct?

[cbiesinger]

Indeed, we are. But this is the web platform and fedcm opens up cross-origin data transfer, so we need to be careful in how we approach this.

For a start, we would need to make sure to run CSP checks on each redirect. I am also not sure how to feel about the fact that each endpoint could be on a different domain; that seems worrisome.

[cbiesinger]

Sorry, I got mixed up in that comment with redirects vs cross-origin direct URLs. But the issues are similar.

[dickhardt]

From a security perspective, cookies etc. would still only be shared per the URLs. IE, if iss=https://issuer.example and id_token_endpoint=https://account.example/fed-cm/token => only cookies that would be sent to https://account.example/fedcm/token would be sent, not cookies for https://issuer.example

GIven the privacy focus of FedCM -- I agree we need to think through if cross domain support could be used/abused for cross site tracking.