[Webkit-unassigned] [Bug 185372] New: Intelligent Tracking Prevention blocking Norwegian BankID authentication service

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon May 7 01:14:28 PDT 2018 

https://bugs.webkit.org/show_bug.cgi?id=185372

            Bug ID: 185372
           Summary: Intelligent Tracking Prevention blocking Norwegian
                    BankID authentication service
           Product: WebKit
           Version: Safari 11
          Hardware: All
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: kristoffer.skaret at kantega.no

BankID is an identity provider with 3.7 million users (90 % of the adult population in Norway). BankID is used by all the country’s banks and public digital services and an increasing number of enterprises in a range of different sectors.

Our latest addition to the product portfolio is an authentication service based on the OpenID Connect protocol. The service is public and centralized, and needs to be accessed from a large number of different domains. More information: https://confluence.bankidnorge.no/confluence/pdoidcl/introduction

The new service is highly dependent upon cookies via different components. One of these is Keycloak, one of the leading certified OpenID Connect implementations. This means other parties may also be affected by the problem.

Our challenge is that ITP occasionally seems to classify the service as a tracker and causes Safari to handle the cookies as third party ones. That makes the service unusable in those cases.

We have found this issue where a similar problem is reported: https://bugs.webkit.org/show_bug.cgi?id=178762
In the response, John Wilander states that «a couple of features are under consideration» to help sort this out.

1.      Could you provide more information about the possible features?
2.      If a solution is already on the way, when could we expect it to be ready?
3.      If necessary, we are interested in discussing different alternatives to the ensure the functioning of the new BankID services for Safari users.


Regards, Kristoffer Skaret

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180507/0784abca/attachment.html>

More information about the webkit-unassigned mailing list