rosarp-gobazzinga
commented
8 months ago There are some changes in above flow. Depicting that further.
---
title: Anonymous session to user identification action flow
---
sequenceDiagram
actor client as Client Device
participant ssr as SSR Backend
participant iframe as iFrame
client->>ssr: Visits first time
ssr->>client: Returns page with iFrame
iframe->>iframe: Loads anonymous_identity<br/>from auth
create participant auth as Auth Service
iframe->>auth: Calls generate_session
auth-->>iframe: stores session in cookie
client->>iframe: Client clicks login<br/>Sends postMessage
iframe->>auth: Calls get_redirect_url
Note over auth: Since cookie contains expiration<br/>which varies, contents will<br/>change for every request
auth->>iframe: After cookie validation returns<br/>encrypted cookie contents<br/>base64 encoded in redirect_url
create participant window as Window
iframe->>window: Opens window with redirect_url
window--)auth: redirect_url reads encrypted param<br/>sets cookie and redirects to login
The following is a proposal for a new model which does not rely on 3rd party cookies as they will be removed Note that the trade off with this approach is that we loose sharing anonymous identities across websites Anonymous identities do not require any changes with this model, other than setting the partitioned cookie header. the following diagram showcases the model for google login
Note that the roundabout communication between Auth Iframe and Auth server is required else the refresh token won't be updated (its http only) There's a minor security escape hatch as refresh token is temporarily available in the Auth Iframe & Auth Window, but both of them will be very minimal, so XSS should be extremely unlikely and thus a worthy trade off.